Point of Sale (POS) Security Checklist

Point of sale (POS) systems are at the heart of retail operations. They contain many components, from receipt printers to software used to store and manage customer data. The importance of POS systems provides an important opportunity for complex cyber attacks launched by attackers in POS environments.

See Also: Point of Sale (POS) Security Issues

Preventing cyber threats related to POS systems seems like a never-ending job for retailers, but managing POS security can be a daunting task, primarily when retailers rely on networks of large numbers of devices, users, and vendors.

The data transmitted and stored by POS systems is desirable due to the wealth of personal and financial information that cybercriminals can use and sell.

See Also: How to Protect Your POS System from POS Malware

Merchants are responsible for ensuring that their respective payment systems and infrastructures are secure. Traders are the first line of defense for POS fraud and execute the vast majority of controls recommended or required by PCI SSC.

Merchants can achieve appropriate levels of security and trust at the point of sale by taking all necessary countermeasures into account and all factors that may affect overall safety in terminal environments.

It is difficult to stop cyber threats permanently, but it is possible to improve POS security with simple precautions. You can keep your network, users, and devices safe by using our POS security checklist.

POS Security Audit Checklist

  • If there is evidence of tampering, do not use the POS device. Examples of POS tampering might be broken gaskets, screwless parts, different cables.
  • Make daily checks. Routine inspections of your facilities will help you uncover card reading devices and other illegal equipment before scammers have a chance to use them.
  • Take care of your terminal. Your PIN pad is just as valuable to criminals as cash, so treat it with the same care.
  • Get to know your staff. Scammers can operate inside your business as efficiently as outside, so it’s important to practice due diligence when hiring and supervising employees.
  • Checking the Pin Pad Serial Number. Check the serial numbers of both the terminal and the PIN pad to verify sure neither device has been modified when it comes to a device that scammers use to “review” or collect magnetic stripe data and PINs.
  • Security Seal Inspection. Check the PIN pad for broken or altered parts or security seals.
  • In case of breakage of terminal labels showing product details and serial number;
    • Compare the electronic serial number to the serial number on the back of the terminal.
    • Run your finger across the label to check that it’s not hiding a compromise.
  • In case of breaking the security seal;
    • Examine the seal on the POS device to see if it has been cut or used a fake seal in place.
  • If there are screw holes or seams that indicate the device has been opened;
    • Check label location, color and materials used.
    • Look for any signs that the label has been tampered with or deleted.
  • Check if there is a review device attached to a terminal.
  • Check the POS device SIM card cover plate for handheld scrapers used by corrupt personnel.
  • In case of foreign electronic equipment connected to the terminal or cash register or network connections;
    • Examine for strange or unusual equipment connections.
  • Require all repair technicians visiting your location to log in, verify their identity with photo ID, and remain with staff during any work on PIN pads in case of unannounced technical service visits.
  • For Cable Change Control;
    • Keyloggers connected to the cable. Examine the cable connected to the device for any small equipment that may appear to be part of standard wiring.
    • Changes in terminal connections. Examine any changes in the cable used to connect the terminal to the central unit or any additional wires that are not part of the wiring.
    • POS devices connected to the telephone exchange. Examine phone boxes for devices that record streams, such as voice recorders or MP3 players.
  • For physical security controls of POS devices;
    • Mount the PIN pads securely to the meter or keep them out of reach of unauthorized users.
    • Have a regular visual inspection of each POS device to look for possible signs of tampering.
    • If the POS device’s seal is broken, do not use it.
    • Provide security cameras with a clear view of POS devices and PIN pad terminals to assist investigators if security is compromised.
    • Keep backup POS devices locked to prevent unauthorized access.
    • Require all visiting repair technicians to log in with their name and company information.
    • Change the default administrator password of the POS device.
    • POS device requests must be approved centrally and come from the authorized provider only
    • Contact relevant departments if evidence of tampering or device replacement is found.

Security Guidelines for POS Devices

  • Inspect your POS equipment regularly.
    • If there is anything that seems unfamiliar, changed, or missing, notify the authorized persons immediately.
    • Make sure you give your customers enough space to protect their PIN key when entering their number conveniently.
    • Make sure that the security cameras in your facility do not capture the PIN entered by the customers.
    • Allow the client to hold the PIN pad until the transaction is complete and never enter a PIN for a client.
    • In your facility, look for gaps in the ceilings, walls, or shelving near PIN pads that could conceal a small camera.
    • When not in use, store the PIN pad under the counter or out of reach of customers, but do not unplug it.
    • Establish a procedure that requires all visiting repair technicians to log in with their name and company information and follow the serial numbers of all devices installed, removed, or replaced.

Best Practices for POS Security

Here are the various measures you can take to improve POS security, prevent POS malware infection, and prevent POS data breaches:

  • Encrypt all POS data at login and decrypt only when it reaches the payment processor.
  • Implement the application whitelist that allows only required applications to run on a POS system. All applications that would typically add risks, such as web browsers or email, are blocked, thus preventing malware infection through these channels.
  • Keep your POS software up-to-date by installing software updates that contain important security fixes, often applied due to newly discovered vulnerabilities. Patch management is critical to a secure system.
  • Perform regular vulnerability tests to identify vulnerabilities. Implement procedures or safeguards that address the identified vulnerabilities.
  • Monitor all activity and data on POS systems for any abnormal activity and signs of threats.
  • All networks utilized by POS systems should be segmented.
  • Always use two-factor authentication and complex, secure passwords.
  • Constantly run antivirus software, regularly scan systems for malicious files.
  • Consider physical security for your POS system. Cybercriminals may try to attach card skimmers to a POS device to steal customer credit card numbers when they scan their card for payment. Train employees to be vigilant against such actions.

POS security is challenging due to the multitude of known and unknown threats and the value of POS system data to cybercriminals. Also, the number of threats faced by POS systems continues to increase as new POS malware is created all the time.

Because of the risks that threaten POS security, you need to prioritize POS security. POS systems handle sensitive customer data, and breaching customer payment information can be costly. By implementing measures to protect your POS systems and processes and educating your staff on POS security policies, you can significantly reduce the likelihood of an expensive POS security incident.

Surkay Baykarahttp://www.pcidssguide.com
A passionate Senior Information Security Consultant working at Biznet. Over the past 15+ years my professional career has included several positions beginning as a developer and IT administrator, working my way up to a senior Technical Performance Consultant before joining Biznet back in 2015. I had several different roles at Biznet, including Penetration Tester and PCI DSS QSA. In my job as a QSA, I found my passion and worked closely with the Audit and Compliance team. I've been working inside InfoSec for over 15 years, coming from a highly technical background. I have earned several certifications during my professional career including; CEH, CISA, CISSP, and PCI QSA.

More from author

What Are the Ways to Reduce PCI Scope

If you can limit the amount of cardholder data you have, you'll have fewer data to audit.

How to Define PCI DSS Scope

The PCI DSS scope of a business or organization includes all people, processes, and technologies that can affect and interact with cardholder data security.

Why DNS Security Matters

DNS security best practices are similar to those for most other systems. Restrict access, utilize multi-factor authentication (MFA), activate security settings, and maintain everything up to date.

Related posts

Latest posts

What Are the Ways to Reduce PCI Scope

If you can limit the amount of cardholder data you have, you'll have fewer data to audit.

How to Define PCI DSS Scope

The PCI DSS scope of a business or organization includes all people, processes, and technologies that can affect and interact with cardholder data security.

Why DNS Security Matters

DNS security best practices are similar to those for most other systems. Restrict access, utilize multi-factor authentication (MFA), activate security settings, and maintain everything up to date.

Want to stay up to date with the latest news?

We would love to hear from you! Please fill in your details and we will stay in touch. It's that simple!