Three Tips On How To Secure Your POS Against Breaches

Security breaches have become a serious bane for retailers of all sizes worldwide. Cyberattacks come in many forms, from skimming data on a magnetic stripe to hacking at the vendor’s point of sale (POS). The 2013 Target hack, which cost the retailer more than $250 million, was enough of an incentive to give PCI security implementation a major push throughout the U.S.

Since the shift of liability in October 2015, many large U.S. merchants have begun adopting EMV as a way to boost security in card-present transactions. Nevertheless, attackers are constantly working on more sophisticated ways to lay their hands on vital credit card data at various stages of the payment process.

One of the most vulnerable components of the payment system is the POS. Thankfully, there are several existing technologies that can boost security at the payment point.

Tips For Augmenting POS Security

Be aware of ZVT and Poseidon vulnerabilities:

Several months ago, Berlin’s Security Research Labs demonstrated “shop-shifting” attacks that take advantage of the lack of authentication factors in two communication protocols used by card readers (ZVT and Poseidon). This vulnerability could enable hackers to perform man-in-the-middle (MitM) attacks through a merchant’s network, via WiFi or Ethernet connection.

The ZVT protocol is used between the card reader and the POS, so vulnerabilities here enable hackers to harvest card data, including personal identification numbers (PINs), while remaining undetected. The Poseidon protocol is used between the card reader and the merchant’s bank, conceivably enabling hackers to reprogram the payment processors to transfer funds into the attackers’ accounts, or even to process false transactions by re-configuring their own card reader to act as if it belongs to the retailer. Because these vulnerabilities are built into the protocols themselves, they are harder to mitigate.

Germany’s Federal Association of Electronic Cash Processors (BECN) has recommended that payment terminal manufacturers promote software updates with new safety measures in order to prevent these types of attacks. Merchants’ awareness is of crucial importance, because it is their responsibility to ensure that their processors are using payment terminals that meet the latest PCI standards.

Replace old payment terminals:

Some retailers that work with terminal networks fail to update their technologies on a regular basis. In fact, in certain countries, terminal networks have remained unchanged for decades, leaving systems open to the threat of ever-evolving malware. In some cases, large retailers work with an external payment processor and are not even aware that their systems are outdated.

Regardless of whether the retailer operates its own POS terminal networks or relies on a third-party provider, the result of a security breach can be disastrous. Here again, merchants must be vigilant and ensure that their providers’ payment systems are updated regularly.

Use Point-to-Point Encryption (P2PE):

P2PE is a PCI-certified card reading device situated at the merchant location or POS that converts confidential credit card data into indecipherable code to prevent hacking and fraud. Once the encrypted code is placed within the secure data zone of the payment processor, it is decrypted to the original card number and passed on to the bank for authorization. 

U.S. retailers taking part in the ongoing EMV incorporation process are now obligated by credit card schemes to support P2PE as a key security measure capable of preventing POS intrusions. But retailers who have not made the transition to EMV are now even more vulnerable than before — and even those who have must be sure to keep up-to-date when upgraded versions of EMV and PCI standards are announced.

Don’t Wait Until It’s Too Late

While some large retailers may be able to afford millions of dollars in damages, most can’t. A serious security breach may cause irreparable damage to your business. So rather than wait until it’s too late, adopt the latest security measures to protect your POS against hackers.

But keep in mind that fraudsters are constantly refining their attacks, and don’t let your guard down. Keeping abreast of current POS security measures may constitute the difference between a prosperous enterprise and a defunct one.


 

Vlad Branin serves as VP, Professional Services for payments tech developer Zooz.  He has more than 16 years of practical experience in project/product and pre-/post-sale management, and extensive expertise in payments, including e-Commerce, eWallets, APM, EMV and NFC technology.  Before joining Zooz in 2014, he held managerial roles with Credorax and Leumi Card.

