Are You Positive Your PoS is Secure?

As we have recently seen in the news, Point-of-Sale (PoS) systems become a prime target for hackers. While debit and credit card transactions have increase exponentially every year, security of PoS devices is just catching up. In light of these breaches and in conjunction with my current blog series on PCI Requirement 1, here are a few tips to help you secure your PoS systems and comply with PCI.

• Review PoS Logs Frequently (system, security, and application log files). Obviously you need to look for breach attempts, but also look for anomalies in terms of who is logging onto the system and when (such as after hours), unusual transactions, excessive voids. If anomalies are detected in the logs, set up real-time alerts on these activities to help track and pinpoint the breach. And remember to store logs files for at least a year, ideally on an offsite storage system.

• Lock Down Remote Access. There are times when an administrator needs to remotely access a PoS for system maintenance and troubleshooting. While remote access tools are very useful for your operations teams, they are even more useful for hackers. Make sure you use VPN tunnels or another type of dedicated connection to ensure secure access to PoS terminals. If you must use an external connection to a PoS make sure to utilize a two factor authentication.

• Harden Your Systems. Clearly locking down each PoS system is extremely important. Ideally create a golden image of the PoS device and make sure that all PoS systems use this image in production. Additionally, make sure they are audited regularly throughout the year. Here are a few things you must  lock down:
  • If systems are stationary, remove all wireless capability
  • Remove all unnecessary executables (cmd.exe, notepade.exe, etc.)
  • Rename admin accounts
  • Make sure the systems are running malware scans (both full and as new files are added to the system)
  • Set the system to receive patches, OS, third party and application level, as soon as they are released
  • Set the system to log as much information as possible
  • Include file integrity monitoring
  • Don’t allow any removable media to be entered into the system (USB, CD, DVD)
  • Verify that web filtering is enabled on the PoS if it has internet access
  • Disable all browsers from running, if possible
  • Allow only administrator accounts to make changes to the application/OS

• Scan for Credit Cards Details. Many PoS systems can store a small database, and you’d be surprised at how many of them actually store credit card numbers in clear text (in violation of PCI). Also, if you have employees that are trying to steal credit card numbers from a PoS they may be saving files on the PoS itself (if it’s Windows based). Make sure to scan for credit card numbers stored in clear text on the PoS. And if you find card numbers stored on the PoS something is definitely out of line; Start reviewing the log files to see if foul play is involved.

• Monitor File Integrity. Install a file integrity monitoring agent on the PoS systems that allows only approved whitelisted executables, and detects changes. This is an important part of monitoring and protecting your PoS and could be your last line of defense against malware.

• Use Systems that Don’t Capture Credit Card Details. There are PoS systems that attach directly to the payment gateway which don’t capture credit card numbers, only transaction totals. This is a good way to keep the risk down to a minimum. The less information you store in your system, the better.

• Physical security. Don’t forget physical theft. Make sure that all PoS systems are properly secured to registers, desks, etc. so that they can’t easily be physically removed from the premise. If a PoS is stolen, at least be certain that no card holder data is stored on it.

Attackers are looking for any open door to your company. Make sure your PoS systems are tightly secured.