Protecting your point-of-sale devices from malware

David Pollino
Posted by David Pollino

Does your cash register have a virus?

It’s not a farfetched question in the wake of a government warning on malware that has been found in point-of-sale (PoS) devices at more than 1,000 businesses.

Female server's hand passing a coffee cup while recording the transaction on a touch screen register.The Backoff bug

This newly disclosed threat, known as Backoff, is capable of recording keystrokes and syphoning off information from a business’s transaction terminals. Compromised PoS systems can result in businesses and their customers losing data such as names, mailing addresses, credit or debit card numbers, phone numbers, and e-mail addresses.

This latest news is another reminder of the importance of sound security procedures. All businesses should have a program for installing security updates and antivirus controls, firewalling, and managing strong passwords on PoS terminals and on systems involved in credit card transactions.

New risks around debit and credit card transactions seem to pop up weekly. The shift to EMV (Europay, Mastercard, and Visa) chip cards and card readers over the next 18 months will mean more secure transactions for consumers and businesses. But also more of the onus for security will fall to businesses. That’s why I’ve been asking businesses since last spring to consider preparing now by installing chip card readers. Remember, businesses that cannot accept chip cards could assume the burden for financial losses from card-present fraud starting in October 2015.

Steps to boost your protection

Regarding the specific threat of Backoff, the federal Department of Homeland Security is recommending the following six cash register and PoS security steps, including to:

  • Implement hardware-based point-to-point encryption. It is recommended that EMV-enabled PIN entry devices or other credit-only accepting devices have Secure Reading and Exchange of Data (SRED) capabilities. SRED-approved devices can be found at the Payment Card Industry Security Standards website.
  • Install Payment Application Data Security Standard-compliant payment applications.
  • Deploy the latest version of an operating system and ensure it is up to date with security patches, anti-virus software, file integrity monitoring and a host-based intrusion-detection system.
  • Assign a strong password to security solutions to prevent application modification. Use two-factor authentication (2FA) where feasible.
  • Ensure any automatic updates from third parties are validated.
  • Disable unnecessary ports and services, null sessions, default users, and guests.

Many businesses leave security up to their vendors, but remember it is your business and your customers who can be harmed by a cyber-attack. So please proactively work with your vendor to ensure you are protected.

Reminder: All comments are moderated prior to publication and must follow our Community Guidelines.

Submit an Idea

[contact-form-7 id="32" title="Share An Idea"]

You are leaving the Bank of the West Change Matters site. Please be aware: The website you are about to enter is not operated by Bank of the West. Bank of the West does not endorse the content of this website and makes no warranty as to the accuracy of content or functionality of this website. The privacy and security policies of the site may differ from those practiced by Bank of the West. To proceed to this website, click OK, or hit Cancel to remain on the Bank of the West Change Matters site.