Point of Sale (POS) Cybersecurity Vulnerabilities
WHY THIS MATTERS
Cyber risk on Point of Sale (PoS) systems remains a concern for retailers of all sizes, despite the growth of online retail shopping by consumers.
The majority of payment card crime has moved to online retail with online payment fraud expected to exceed $25 billion over the next four years.
PoS security monitoring should alert IT personnel when there is a cyber threat or a data breach, but your business may still experience costly downtime, requiring expeditious support from an Incident Response Team.
Stand-alone Cyber Insurance provides you with the support you need from an Incident Response Team as well as coverage for network business interruption and regulatory investigations and fines under the Payment Card Industry Data Security Standard (PCI DSS).
The Evolution of PoS Systems
The evolution of PoS systems has gone from a tool to record sales transactions to a robust platform that can integrate your marketing, inventory, accounting, and data analytics. Furthermore, legacy PoS is being replaced by cloud-based PoS.
Cloud-based PoS is one of the leading PoS technology trends today. Forbes reported that 61% of merchants are considering cloud-based PoS for their business.
Additionally, it is predicted that there will be a 50% increase in cloud-based PoS adoption before the end of 2021. Merchants looking for simplicity, flexibility, and functionality are moving to cloud-based PoS.
Retail is growing and evolving daily, especially when it comes to PoS trends, including:
- Bluetooth – no Wi-Fi needed
- Mobile PoS – replaces a cash register or a card reader in a transaction
- On-Demand Purchasing – consumers can buy their food or goods in advance online, then pick them up in the store, or curbside during the COVID-19 pandemic.
- Cloud-based PoS – consumer data is stored with access from anywhere and updating all systems simultaneously
- Mobile Wallets – consumer credit cards, payment information, loyalty programs, and coupons are stored for mobile phone or smartphone payments.
A recent report discussed why digital innovation is quickly disrupting the PoS market, including:
- Speed from fast processors
- Multiple payment options
- Customized customer experiences from the use of customer data
- Functionality with a constant, reliable Internet connection for your PoS
- Cloud-based PoS systems can get updates over the air, lower IT maintenance costs, and improve functionality via integration with other systems in the business.
In August 2019, Hy-Vee, a Des Moines, Iowa-based company that operates a chain of more than 245 supermarkets throughout the Midwest, had payment card data stolen from 5.3 million accounts at compromised gas pumps, coffee shops, and restaurants.
Krebs on Security reported that the accounts are being sold under the code name “Solar Energy” at “Joker’s Stash carding bazaar,” a website where stolen credit and debit card data is resold.
Hy-Vee reported that it used security technology with point-to-point encryption to defeat card-skimming malware at its stores. Nevertheless, the card account records sold by Joker’s Stash, known as “dumps,” are being sold for prices ranging from $17 to $35 apiece.
Unfortunately, the Hy-Vee breach follows a trend that began with the Target breach of 2013. Since then, there have been a variety of PoS attacks, including fuel pump skimmers. Of course, there are the big-name enterprise attacks and the government breaches. Now hackers are turning their attention towards smaller targets.
As noted in Krebs On Security, organized cyber thieves involved in stealing card data from main street merchants have gradually moved down the food chain from big-box retailers like Target and Home Depot to smaller but far more plentiful and probably less secure merchants (either by choice or because the larger stores became a harder target).
PoS Cyber Risk Statistics
PoS cybersecurity measures have not evolved at the same rapid pace as PoS technology. According to the recent Verizon Data Breach Investigation Report, PoS cyber risks include the hacking and remote intrusions into PoS servers and PoS terminal environments for the purpose of stealing payment cards.
Much like Payment Card Skimmers, this pattern has seen a notable decrease in the last few years, making up only 0.8% of total data breaches this year. Most of these incidents involve the use of RAM scrapers, which allow the adversaries to scrape payment card data directly from the memory of the servers and endpoints that run our payment systems.
However, the majority of payment card crime has moved to online retail.
Online Retailers’ Cyber Risks
Chip card EMV technology has helped to reduce fraud at the PoS, so criminals have shifted their focus to online transactions.
Juniper Research expects online payment fraud to exceed $25 billion, with a 52% growth rate over the next four years.
The Value of Payment Card Data
Payment Card Information (PCI) has a high monetary value, according to a recent report by Symantec. Dark net ads range from $12 for administrative access to one PoS machine to $60,000 for access to an extensive corporate network containing thousands of PoS servers and terminals. PCI retails for $1 to $175 per card.
On the dark web, the demand for card-not-present data stolen in attacks against online retailers has pushed up prices for this data sector, which fuels the increase in online breaches.
Payment Card Industry Data Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) is a set of data protection mandates (not laws) developed by the major payment card companies and imposed on businesses that store, process, or transmit payment card data. As part of their contracts with the card companies, merchants and other businesses that handle card data may be subject to fines if they fail to comply.
The PCI DSS consists of twelve requirements:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Protect all systems against malware and regularly update antivirus software or programs.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need to know.
- Identify and authenticate access to system components.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for all personnel.
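As an added illustration (not from the original article or from the PCI SSC) of what "Protect stored cardholder data" and "Track and monitor all access to cardholder data" mean in practice, and of the kind of clear-text card data that the RAM scrapers mentioned above harvest from PoS memory, the following Python scanner flags Luhn-valid primary account numbers that appear unmasked in PoS log lines, reporting them already masked. The log lines, terminal names and regex are constructed for this example; the card numbers are well-known public test numbers, not real accounts.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run (constructed pattern; tune per environment).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit validation; drops most random digit runs (timestamps, refs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """PCI DSS style masking: at most the first six and last four digits visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_unmasked_pans(lines):
    """Return (line_no, masked_pan) for every Luhn-valid PAN found in clear text."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                findings.append((n, mask_pan(digits)))
    return findings


# Constructed sample PoS log lines; line 2 leaks track-2 data, line 3 a spaced PAN,
# line 1 holds a 14-digit reference that fails Luhn, line 4 is already masked.
SAMPLE_LOG = [
    "2021-03-02 10:14:07 pos-term-07 sale approved amount=42.10 ref=20210302101407",
    "2021-03-02 10:14:08 pos-term-07 DEBUG track2=4111111111111111=2512101",
    "2021-03-02 10:15:31 pos-term-03 sale approved pan=5555 5555 5555 4444 amount=9.99",
    "2021-03-02 10:16:02 pos-term-03 sale declined pan=************4444",
]

if __name__ == "__main__":
    for line_no, masked in find_unmasked_pans(SAMPLE_LOG):
        print(f"line {line_no}: unmasked PAN {masked}")
```

Run the same function over exported terminal and server logs to catch PANs written in clear text before an attacker does; a hit is both a requirement-3 finding and a monitoring signal for your Incident Response Plan.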
Incident Response Plan
Merchants need to have an Incident Response Plan (IRP). In some cases, a Payment Card Forensic Investigator (PFI) will need to be engaged to implement the IRP (approved list provided on the PCI SSC website).
Be prepared to respond immediately to a system breach, which could force your network to shut down: conduct proper testing exercises at least annually to ensure the process works as designed and to catch any missed steps before they widen your exposure.
If a merchant experiences a breach because of PCI DSS non-compliance, the payment card brands may impose penalties on the merchant’s acquiring (aka merchant) bank. The merchant’s acquiring bank typically passes the cost of the penalty to the merchant. The penalty costs between $5,000 and $500,000 per month. If breaches continue to occur, card brands can revoke a merchant’s right to process transactions with their cards.
Downward Trend in Compliance
According to the 2019 Payment Security Report by Verizon, 15 years after the launch of the PCI DSS, their assessments highlight that just over a third (36.7%) of organizations were actively maintaining PCI DSS programs in 2018. Currently, there is a downward trend, which is a major cause for concern.
Failure to comply with the PCI DSS can negatively impact a company’s reputation and have significant legal repercussions. Complying with the PCI DSS remains paramount in avoiding potential breaches or cyberattacks. Follow compliance best practices to ensure PCI DSS compliance and minimize liabilities.
Reduce PoS Cyber Vulnerabilities
Merchants can take smart steps to improve cybersecurity:
1. EMV chip card payment processing
EMV chip cards come with extra security features. Namely, the account information stored on cards is encrypted uniquely each time it is accessed. This makes it more difficult for fraudsters to strip useful pieces of information. When a business does not have an EMV-compliant PoS, they are automatically liable for any fraudulent transactions if they accept payment from an EMV chip card.
2. Update software regularly
An outdated computer is more prone to crashes, security holes, and cyberattacks than one that has been fully patched. Hackers seek out security vulnerabilities.
3. Secure your wireless networks
Unsecured wireless networks are like a beacon for hackers. A vulnerable Wi-Fi hot spot is equivalent to leaving your front door open for cyber criminals to gain access to the machines on your network.
4. Backup and encrypt your data regularly
Cloud storage moves your sensitive information off site, so in the event of a disaster, everything is still safe. Many cloud storage services have a setting that will automatically update and encrypt your data on a set schedule. Encrypting your data with a password can add another layer of security to your customers’ sensitive information.
5. Update strong, unique passwords regularly
You may want to consider two-factor authentication (2FA). With 2FA, a user needs two pieces of personal information to access an account, rather than merely a username and password.
Rely on a strong password strategy to keep your data safe. Require your team to create unique passwords that include a combination of uppercase and lowercase letters, symbols, and numbers. Have a schedule in place for changing passwords regularly—at least once a month. Keep it unpredictable to discourage attackers from trying to penetrate your system.
6. Antivirus and antimalware software
Antivirus software may be your last line of defense for your network. Antivirus and antimalware software provide protection from targeted attacks, for example, if an employee opens a link in a phishing email.
Amid the financial challenges faced by retailers looms residual cyber risk. If potential cyber losses are not mitigated with defensive measures against hacking of credit card data, then industry players of all sizes need to consider transferring some of that residual cyber risk to an affirmative cyber insurance policy.
Stand-Alone Cyber Insurance
The best option is a robust stand-alone cyber insurance policy that provides Merchants with coverage for regulatory investigation, PCI DSS fines and penalties, and cyber-related business interruption if a malware attack on the PoS system forces a shut down.
Also, you need not go it alone. Your cyber insurance carrier will assist you in developing your Incident Response Plan and provide you with a panel of specialists to choose from for your Incident Response Team – before you face a cyber incident.
Merchants with an Incident Response Team at the ready are poised to prevent or decrease any network downtime or further exfiltration of PCI.
- When it comes to malware attacks on Point of Sale (PoS) systems, small business owners are just as vulnerable as large companies.
- Merchants can avoid the financial impact of non-compliance with PCI DSS standards through cyber risk management.
- Merchants need to have an Incident Response Plan (IRP) to move quickly to avoid a network shut down or further exfiltration of PCI.
- An essential solution to PoS cyber threats is transferring some of the residual cyber risks to a stand-alone cyber insurance policy tailored to a merchant’s risk tolerance level.
Reach out to a specialist cyber broker, such as Cyber Armada Insurance, to request robust cyber solutions appropriate for your needs and cyber risk tolerance. We understand the evolving demands and expectations of cyber insurance clients.
Contact Cyber Armada today to examine how your company faces potential financial losses from a cyberattack. Contact us at 888.727.6232.
Please watch for our article on Island Hopping.