POS Data Security
How Can Retailers Keep Their Data Safe?
Recently, both Visa® and Discover® sent out security alerts about retail data security breaches involving unauthorized access to merchant point of sale (POS) environments and, ultimately, to payment card data.
Below are examples of common remote access vulnerabilities, several of which both Visa and Discover identified as a cause of, or a contributing cause to, the recent POS data breaches, along with recommendations to address them.
Remote access ports and services always available on the internet. An intruder can easily perform a port scan against a merchant’s IP address space and identify potential access points. Remote access applications (e.g. LogMeIn®, PCAnywhere®, VNC®) – commonly used to support retailers – often run on predictable, well-known ports.
Recommendations: Ensure firewalls are in place and only allow remote access from known IP addresses; contact your support team or point of sale provider and verify that a unique username and password exist for each of your remote management applications; use the latest version of remote management applications and ensure that the latest security patches are applied prior to deployment.
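One way to check the first recommendation is to audit the firewall rule set for remote access ports that are reachable from addresses outside the support team's range. The script below is an added example, not part of the Visa or Discover alerts: the rule format, sample rules and trusted range are constructed for illustration, the port numbers are the default listening ports of VNC and pcAnywhere, and each allow rule is evaluated on its own without modelling rule order.

```python
import ipaddress

# Default listening ports of remote access tools named above (vendor defaults).
REMOTE_ACCESS_PORTS = {
    ("tcp", 5900): "VNC",
    ("tcp", 5631): "pcAnywhere data",
    ("udp", 5632): "pcAnywhere status",
}

def parse_rule(line):
    """Parse 'ACTION PROTO SOURCE_CIDR PORT[-PORT]' (constructed format)."""
    action, proto, source, ports = line.split()
    low, _, high = ports.partition("-")
    return {
        "line": line,
        "action": action.lower(),
        "proto": proto.lower(),
        "source": ipaddress.ip_network(source),
        "ports": range(int(low), int(high or low) + 1),
    }

def audit(rule_lines, trusted_cidrs):
    """Return (rule, service) pairs for allow rules exposing a remote access port to untrusted sources."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for rule in map(parse_rule, rule_lines):
        if rule["action"] != "allow":
            continue
        source_ok = any(rule["source"].subnet_of(t) for t in trusted
                        if t.version == rule["source"].version)
        for (proto, port), service in REMOTE_ACCESS_PORTS.items():
            if proto == rule["proto"] and port in rule["ports"] and not source_ok:
                findings.append((rule["line"], service))
    return findings

# Constructed sample rule set and support-team address range (documentation IPs).
SAMPLE_RULES = [
    "allow tcp 0.0.0.0/0 443",
    "allow tcp 0.0.0.0/0 5900",
    "allow tcp 203.0.113.0/28 5631",
    "allow udp 198.51.100.0/24 5632",
    "allow tcp 0.0.0.0/0 5000-6000",
    "deny tcp 0.0.0.0/0 5900",
]
TRUSTED = ["203.0.113.0/28"]

if __name__ == "__main__":
    for line, service in audit(SAMPLE_RULES, TRUSTED):
        print(f"EXPOSED {service}: {line}")
```

The wide port range in the fifth sample rule is flagged twice because it silently covers both the VNC and pcAnywhere data ports, a pattern that is easy to miss when reviewing rules by eye.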
Outdated or un-patched applications and systems. Older applications and operating systems (e.g. Windows XP®) are susceptible to attack and easily exploited.
Recommendation: Merchants should migrate away from outdated applications and operating systems as soon as possible.
Use of default, weak or common passwords, or not using a password at all. The Discover alert stated that, “The results of recent forensic investigations revealed that the use of default/weak passwords with lack of two factor authentication in conjunction with remote access are significant contributing factors in these data breaches.”
Recommendations: Do not use default or easily guessed passwords; always use two-factor authentication for remote access. The factors in two-factor authentication can be something you have (a device) or something you know (a password).
Vantiv Integrated Payments is committed to working closely with our merchants and developers to help them stay ahead of potential security issues and maintain compliance with Payment Card Industry Data Security Standard (PCI DSS) guidelines.
View the Visa Security Alert or the Discover Data Security Alert.