Does the following thought process sound familiar? "The faster I can install this new point of sale (POS) system for this merchant, the better." With POS systems, faster isn't always better.
On occasion, POS systems aren't properly configured right out of the box, which can lead to devastating malware being uploaded onto the merchant's system. In other cases, the POS device itself may be missing crucial security patches.
The bottom line is, you can't just plug a POS system into a merchant environment without taking certain precautions. So how do you compensate for a not-so-secure POS system before you install it in a cardholder data environment? Whether you are installing POS systems for your merchants, or simply advising them on good security practices, here are some important topics to consider.
POS systems and their security age pretty quickly. Every second that passes after a released update isn't installed, the system falls further and further from security and compliance.
Chances are, if a merchant is running an old POS system in their environment, it's riddled with vulnerabilities. Maybe they missed a few security patches along the way. Or maybe it's no longer supported by the manufacturer.
Even if you installed a new POS system for your merchants every week (a ridiculous idea, I know), their security wouldn't be foolproof. Technology changes so rapidly that by the time you unwrapped the system and plugged it in, a new update may already be waiting to be installed.
That's why updates are so important to maintaining point-of-sale security. I recommend going to the POS manufacturer's website to find the most recent patches and updates for the device right before you install it. Who knows what new security updates may have been pushed?
Secure POS systems can become infected immediately if placed in an insecure merchant environment. That's why you should ensure the merchant's payment processing environment is tested for vulnerabilities immediately prior to and after POS installation.
The best way to test for system weaknesses is through a vulnerability scan offered by an Approved Scanning Vendor (ASV), but it's not enough just to scan and find problems. The problems must be fixed. Ensure the merchant remediates their vulnerabilities before POS installation.
Avoid the "install now and scan later" mentality. Many vendors, installers, and merchants fall into the trap of assuming the most recent vulnerability scan covers any problems, even if it was conducted weeks before.
The problem with this assumption is that hackers constantly scan the Internet for holes. As soon as they find holes, they exploit them. Not patching holes immediately before installation could mean the security of that shiny new POS system was doomed from the beginning.
Making sure the merchant resolves any issues they find in their vulnerability scan immediately prior to installing any new technology will save them a lot of heartache in the long run. It may even save them from a crippling data breach.
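The two checks described above (the device is on the manufacturer's current release, and the merchant's most recent scan is both fresh and fully remediated) can be turned into a simple pre-installation gate. The script below is an added illustration, not the page's or SecurityMetrics' tooling: the seven-day scan-age limit, the set of blocking severities, the firmware version strings, the IP address and the scan findings are all constructed for the example.

```python
# Added illustration of a pre-install gate for a POS device. Not the page's or
# SecurityMetrics' tooling; policy values and sample data are constructed.
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

# Assumed policy values (not from the page): how old a scan may be before it no
# longer counts as "immediately prior", and which severities block installation.
MAX_SCAN_AGE_DAYS = 7
BLOCKING_SEVERITIES = {"critical", "high", "medium"}


@dataclass
class Finding:
    host: str
    title: str
    severity: str      # "critical", "high", "medium", "low" or "info"
    remediated: bool   # True once the merchant has fixed and re-verified it


@dataclass
class ScanReport:
    scan_date: date
    findings: List[Finding]


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '2.4.0' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def check_patch_level(installed: str, vendor_latest: str) -> List[str]:
    """Flag a device whose firmware lags the release the manufacturer currently publishes."""
    if version_tuple(installed) < version_tuple(vendor_latest):
        return [f"firmware {installed} is behind vendor release {vendor_latest}; update before install"]
    return []


def check_scan(report: ScanReport, today: date) -> List[str]:
    """Flag a stale scan or any unremediated finding severe enough to block installation."""
    problems = []
    age_days = (today - report.scan_date).days
    if age_days > MAX_SCAN_AGE_DAYS:
        problems.append(f"last vulnerability scan is {age_days} days old (limit {MAX_SCAN_AGE_DAYS}); rescan")
    for finding in report.findings:
        if not finding.remediated and finding.severity in BLOCKING_SEVERITIES:
            problems.append(f"{finding.host}: unremediated {finding.severity} finding '{finding.title}'")
    return problems


def pre_install_gate(installed: str, vendor_latest: str, report: ScanReport, today: date) -> Tuple[bool, List[str]]:
    """Return (ok, problems); ok is True only when nothing blocks plugging the POS in."""
    problems = check_patch_level(installed, vendor_latest) + check_scan(report, today)
    return (not problems, problems)


# Constructed sample data: a scan run three weeks ago with one open high finding.
STALE_REPORT = ScanReport(
    scan_date=date(2024, 3, 1),
    findings=[
        Finding("192.0.2.10", "outdated TLS configuration", "high", remediated=False),
        Finding("192.0.2.10", "banner disclosure", "low", remediated=False),
    ],
)
# The same environment after remediation and a fresh rescan (constructed).
FRESH_REPORT = ScanReport(
    scan_date=date(2024, 3, 20),
    findings=[
        Finding("192.0.2.10", "outdated TLS configuration", "high", remediated=True),
        Finding("192.0.2.10", "banner disclosure", "low", remediated=False),
    ],
)
TODAY = date(2024, 3, 22)

if __name__ == "__main__":
    for label, firmware, report in (("before", "2.3.1", STALE_REPORT), ("after", "2.4.0", FRESH_REPORT)):
        ok, problems = pre_install_gate(firmware, "2.4.0", report, TODAY)
        print(f"{label}: {'OK to install' if ok else 'BLOCKED'}")
        for problem in problems:
            print("  -", problem)
```

Run as-is, the "before" case is blocked on all three counts (old firmware, a 21-day-old scan, and an open high finding), while the "after" case passes; the low-severity finding is reported by the scan but does not block installation under the assumed policy.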
Many merchants believe security is being taken care of by someone else (whether it's their IT guy or their processor) and that it's therefore not their problem. They may even think their agent or POS installer takes on the liability if something goes wrong. As you well know, this is completely false.
It is always the merchant's responsibility to make sure a POS system is secure, fully patched, and free of known vulnerabilities. That means it's also the merchant's responsibility to pay for any breaches that result from an insecure POS system.
If you need help with POS configuration, vulnerability scanning, or security patch installation, contact the POS manufacturer or your PCI partner, who will be happy to help you secure your merchant's POS environment.
Matt Brown is a Director of Business Development at SecurityMetrics.