POS Security – How to Avoid POS Hacking

Transaction fraud is a serious threat to the profitability of a business, and its reputation among customers. Combatting hackers and keeping customers safe from these threats should be made a top priority for any business, but it takes the right kinds of systems and a comprehensive approach to cybersecurity in order to make this a reality.

The way hacking occurs in the real world may not have the flash and flair of what’s shown in Hollywood movies, but the impact of computer-based security attacks is certainly as real as it gets. Countless dollars can be lost, personal information can be stolen, and lives can be seriously disrupted by hackers who are looking to pad their own bank accounts or simply just cause chaos in the world. For a business, simply the thought of hacking POS systems is enough to make anyone lose sleep.

Businesses around the world handle personal credit card and debit card information all day long as they process millions of transactions through their POS systems in-stores and online through e-commerce platforms. What happens when a business experiences a security breach that causes credit card numbers to fall into the hands of a hacker? The damage can be severe for both customers and for the business. This is why it’s important to understand the potential risks of a hack to a point-of-sale system, and what can be done to prevent such an event from happening.

To give you some idea of the scope and severity of POS hacking, one only needs to look at the tragic story of Target and its massive 2013 data breach. During the holiday season that year, hackers were able to gain access to credit card and debit card information from up to 40 million individual shoppers who had visited the nationwide retailer. The financial impact to Target from this hack is estimated to be over $200 million, including an $18 million dollar lawsuit settlement. Of course, there was also significant damage done to consumer trust in the Target brand, which can’t necessarily be valued in dollars and cents, but most definitely has had a long-lasting impact on the business.

How Can Credit Card Machines Be Hacked?

“Can a credit card terminal be hacked?” is a frequent question that businesses often ask of their payment processing provider, and it’s certainly an important one to address. The possibility of credit card terminal theft needs to be taken very seriously, and comprehensive security measures must be put in place to minimize the risks to customers and businesses alike.

There are several different types of digital attacks that hackers might use to attempt to gain access to business systems and acquire sensitive information. This type of infiltration could occur through software that is secretly installed onto business computers, while other methods of subversion attempt to manipulate people into taking certain actions or providing sensitive information that can be used to circumvent security measures and capture valuable data.

Malware

One of the most common methods hackers use for acquiring access to internal POS systems is with the use of malware software programs that secretly exploit vulnerabilities on business computers and gather data such as credit card numbers, account details, and other types of sensitive information. Malware can be distributed in a variety of ways, such as by accessing infected websites from business computers, downloading unverified software programs, or opening attachments on emails from unknown senders.

Malware can be installed without any visible notification or signal to the user that something is wrong. This means it can easily go unnoticed while the malware performs its nefarious purposes behind the scenes as the user goes about their business, completely unaware of what’s happening. Sometimes the malware is not designed to gather the sensitive information itself, but rather is specifically for the purpose of opening a virtual door for the hacker to gain direct access into the POS system software.

Phishing

Another approach commonly used to gain unauthorized access to business computer systems is known as ‘phishing’, which is when fraudulent emails or other illegitimate digital communications are sent to unsuspecting users. Phishing messages are crafted in such a way as to attempt to trick people into revealing sensitive personal information, such as passwords or other types of account access details. In many cases, they are designed to mimic official communications from many of the businesses and organizations that we know, such as banks for example.

A typical example of phishing is when a scammer or group of scammers sends out an email blast that is simulated to appear from a major trusted financial institution. In this fraudulent email, there is often a message that convinces the recipient that there is some type of problem with their account that needs to be addressed immediately. To convey urgency and create confusion for the recipient, the language is often aggressive and commonly includes threats of penalty fees or even legal action, which are all intended to instill panic.

These messages will also include a link to click or a phone number to call to address the issue, which will inevitably lead directly to the scammers who request personal information such as credit card details or personal account login credentials in the guise of ‘verification’ or ‘authorization’. Once the unsuspecting individual hands over these details, their account becomes compromised and the scammers then proceed to extort the individual or simply steal funds and other assets before anyone becomes aware that the fictitious problem that prompted the email is not actually legitimate.

Skimming & Physical Data Theft

Purely digital attacks aren’t the only way scammers and hackers capture credit card or debit card data. Sometimes they’ll take a more direct hands-on approach using a physical device to capture information right at the source. This process, known as ‘skimming’, requires installing a small digital scanner or card reader onto a physical POS terminal, which then transmits the swiped card data back to the scammer. In some cases, hackers will find a way to gain entry to the store after hours to install the device on the business’ point-of-sale terminals. In other cases, skimmers could be installed at self-serve payment kiosks, for example, a pay-at-the-pump gas station, where scammers can install the device quickly and subtly without attracting much attention from employees or passersby.

While the types of attacks that hackers use to capture valuable business data can come in many different variations, they are generally all taking advantage of the same types of vulnerabilities. So, what puts one company at greater risk than another for having their POS system hacked?

Factors That Increase the Risk of POS Hacking

The factors that contribute to how vulnerable POS systems might be to hacking or other types of malicious digital attacks are quite common in many different organizations. Often these vulnerabilities are dealt with according to a cost vs. risk analysis. Each company will need to take a slightly different approach to mitigating these risks depending on the nature of their business and the resources required. When a business thinks about various approaches on how to avoid credit card theft, it’s critical to consider each of these factors and ensure that appropriate resources are invested to provide greater security to customers and to the business.

Age of Hardware & Software

Operating systems and hardware are in a constant state of evolution, with current equipment being far more secure than products released even just a few years ago. Depending on how up-to-date a business’ hardware and software systems are, the risks can vary significantly. In general, software companies will provide updates, patches, and upgrades for their products throughout their useful life, so it’s very important that these improvements are applied as soon as they are available to reduce vulnerabilities as they are identified and minimize the risk of exploitation.

Anti-Virus, Anti-Malware and Firewalls

Above and beyond maintaining up-to-date operating systems and business software tools, additional security software provides a more comprehensive shield against malicious attacks. Anti-virus tools help prevent infection of business machines with harmful software that can weaken the integrity of other security measures. Anti-malware programs work to identify malware files and scripts before they can be installed, as well as detect and remove any that might already be present on a system. Firewalls provide another layer of filtering between the outside internet world and the systems inside a business, preventing known malicious sites from being visited and requiring stricter user authorization before allowing access to any internal systems.

Training of Personnel & Security Education

While it’s true that tools like security programs and firewalls can provide a strong defense against hackers, they are simply not able to stop an individual from providing passwords or account details through a phishing scam. This is where comprehensive training for business personnel becomes so critical. As scammers become increasingly creative in their attempts at circumventing the protective measures put in place by IT teams, it is crucial for employees to be educated on how to spot malware and phishing attempts before a hack attempt can do any damage.

 

POS Encryption and Tokenization

Another action your business can take to reduce the risks of transaction fraud due to POS hacking is by updating your terminals with the latest in NFC and tap-to-pay technology. Unlike older types of terminals that use magnetic stripe readers, contactless payment technology encrypts each individual transaction before it is sent through the payment gateway for authorization. Tokenization refers to a process where the credit card number is replaced with a unique, random ‘token’ during the authorization process for each individual transaction, rendering the data unusable for any other purpose. This end-to-end encryption makes it impossible for data thieves to extract any usable credit card numbers or personal information as information is transmitted between the merchant and the customers’ bank.

Reinforce POS Security with the Right Merchant Services Provider

As you can see, there are many ways your business can take steps to minimize the risks of hacking to your POS system. Another way to bolster your business’ security and provide even greater assurance to customers that their data is safe and sound is by partnering with the right payment processor.

MONEXgroup offers a wide variety of contactless payment processing solutions that are engineered to provide the highest levels of transaction security and POS data protection. Plus, we provide 24/7/365 customer support and expert technical service, working with you to put effective point-of-sale security measures in place. The integrity of your business and the security of your data is of utmost importance.

With MONEXgroup as your merchant services provider, you can be confident that your business will have the POS technology and the support you need. Contact us today and we will be glad to provide you with more information.