Protecting your point-of-sale devices from malware
Does your cash register have a virus?
It’s not a farfetched question in the wake of a government warning on malware that has been found in point-of-sale (PoS) devices at more than 1,000 businesses.The Backoff bug
This newly disclosed threat, known as Backoff, is capable of recording keystrokes and syphoning off information from a business’s transaction terminals. Compromised PoS systems can result in businesses and their customers losing data such as names, mailing addresses, credit or debit card numbers, phone numbers, and e-mail addresses.
This latest news is another reminder of the importance of sound security procedures. All businesses should have a program for installing security updates and antivirus controls, firewalling, and managing strong passwords on PoS terminals and on systems involved in credit card transactions.
New risks around debit and credit card transactions seem to pop up weekly. The shift to EMV (Europay, Mastercard, and Visa) chip cards and card readers over the next 18 months will mean more secure transactions for consumers and businesses. But also more of the onus for security will fall to businesses. That’s why I’ve been asking businesses since last spring to consider preparing now by installing chip card readers. Remember, businesses that cannot accept chip cards could assume the burden for financial losses from card-present fraud starting in October 2015.Steps to boost your protection
Regarding the specific threat of Backoff, the federal Department of Homeland Security is recommending the following six cash register and PoS security steps, including to:
- Implement hardware-based point-to-point encryption. It is recommended that EMV-enabled PIN entry devices or other credit-only accepting devices have Secure Reading and Exchange of Data (SRED) capabilities. SRED-approved devices can be found at the Payment Card Industry Security Standards website.
- Install Payment Application Data Security Standard-compliant payment applications.
- Deploy the latest version of an operating system and ensure it is up to date with security patches, anti-virus software, file integrity monitoring and a host-based intrusion-detection system.
- Assign a strong password to security solutions to prevent application modification. Use two-factor authentication (2FA) where feasible.
- Ensure any automatic updates from third parties are validated.
- Disable unnecessary ports and services, null sessions, default users, and guests.
Many businesses leave security up to their vendors, but remember it is your business and your customers who can be harmed by a cyber-attack. So please proactively work with your vendor to ensure you are protected.