The Security Vulnerabilities of PoS Systems and How to Address Them
Susan Rajan | November 21, 2019
Point-of-Sale (PoS) systems are rapidly becoming the technology of choice for retail businesses as an all-in-one solution. Be it inventory information, stock handling, sharing customer data across stores, or managing business expenses, PoS systems have proven to be quite effective in providing a robust digital database for the retail sector. PoS systems have gained preference over cash due to several advantages they offer, like the ease of use, greater accuracy, detailed receipts, and error-free checkouts. However, the rapid growth of PoS transactions across the retail industry also raises some security concerns.
How Safe is the Payment Process over PoS?
According to the recent statistics, there are multiple attacks on PoS systems every minute in retail outlets, restaurants, and hospitality industries. With more advanced technologies coming in use of late, there is a significant rise in threats like cyber-attacks and data thefts. Reported data breaches are growing drastically every year. However, several breakthrough fraud detection technologies have come up to bring down the risks involved in using cards over PoS terminals.
What Actually Happens When You Use Your Card to Pay at a Restaurant or Supermarket?
When your card is swiped at the card reader, it captures the card data and transfers the information to the PoS terminal. The PoS terminal then encrypts the data and sends it to the retail server. Then, the retail server decrypts the data, briefly exposing it, and further re-encrypts it to transmit to the payment gateway. Once at the gateway, the card information is re-decrypted and sent to the bank for processing.
Through the entire payment process, data is exposed several times, thereby making it vulnerable to cyber-crimes like hacking.
The top pick of hackers to get the credit card information is to install an automated malware. This malware infiltrates networks, systems, and workstations, looking for unencrypted cardholder data. This data is, then, sold on the dark web for big money.
So What is the Solution and How Can Customers be Safeguarded?
Point-to-Point Encryption (P2PE) is regarded as one of the most standard payment security solutions, which instantly converts the confidential payment card data into indecipherable code, the moment the card is swiped at any PoS terminal. P2PE solutions minimize fraud and invasion from malicious activities like hacking.
“In cryptography, encryption is the process of encoding a message or information in such a way that only authorized parties can access it and those who are not authorized cannot. Encryption does not itself prevent interference, but denies the intelligible content to a would-be interceptor.” Using encryption for card payments alters the payment card data into an indecipherable format and renders it unusable by hackers and cyberpunks as they have no ways to invert the data back to its original form. The PCI-validated P2PE solutions provide not only P2P encryption, but also validated hardware, software, and solution provider processes and environment. Hence, one of the most secure ways to safeguard the valuable cardholder data in PoS systems is the PCI (Payment Card Industry) validated P2PE solutions.
Let’s look at how the P2PE works in a PoS system.
When you swipe your card on a P2PE secure PoS system, the devices or readers used are already integrated and PCI-compliant, which means they all have a key in them even before the merchant can see it. When the card information is swiped through these peripherals, it is encrypted immediately. Therefore, P2PE protects payment card data from the point of capture until the secure decryption endpoint. In P2PE, the card data is encrypted by a one-time encryption key as soon as the card is swiped at the card reader. The card information remains in the encrypted form as it is transmitted to the point of sale terminal, then to the retail server, and further to the payment gateway. This one-time key is highly secure and is destroyed after every use. The decryption keys are stored in a Hardware Security Module (HSM) at the payment gateway. Once the data is decrypted at the payment gateway, it is sent to the acquirer for approval.
So What if Fraud Happens Even with a P2PE-enabled System?
Majorly, P2PE makes PoS payments secure as they are encrypted and have fraud-monitoring abilities, which result in fewer security breaches. In case of any fraudulent event, the P2PE solution provider is accountable for data loss and consequential penalties that may be assessed by the card companies like American Express, Visa, MasterCard, Discover, and JCB. The PCI Security Standards Council does not assess fines on solution providers or merchants.
Have PoS Systems Become Completely Secure Now?
While the attacks against PoS systems are decreasing, it does not mean they will clear out completely. Cybercriminals will continue to target vulnerable and compromised PoS systems as long as there is a market for stolen credit cards. However, with the retailers essentially switching over to secure EMV (Europay Mastercard and Visa) cards, P2PE and tokenization have proved to be effective in curbing such scam activities to a great extent.
An all-inclusive payment security solutions, including encryption, has become mandatory for businesses to avoid data breaches and secure transactions. Some of the PoS security practices include the use of only PCI-compliant devices, constant surveillance of physical devices to prevent tampering of wires, placing hidden cameras, and avoiding the connection of PoS to any external networks.