Protecting credit-card numbers from increasingly savvy hackers can be a daunting task, especially for single-store operators without the IT knowledge and personnel. But retailers, regardless of their resources, must still do what they can, considering that credit-card data theft was an $8 billion industry last year.
Hackers are writing software specific to point-of-sale (POS) systems. Once such software is allowed onto the network where credit-card data is housed, it can steal numbers without leaving any signs for retailers to spot, Brad Cyprus, chief of security and compliance for VendorSafe Technologies, told about 100 attendees at an educational session last week at the 2012 NACS Show in Las Vegas.
One of the main mistakes he still sees in his line of work is retailers who allow employees to go onto the Internet from the same network that the POS rides on. “It’s a huge majority of small operators,” Cyprus said. “It’s a problem that spending $300 on a separate computer will solve.”
He suggested other steps as well, including having third parties run “external vulnerability scans,” in which they essentially try to break into a retailer’s system using any number of hacking techniques. Another step is to consistently review the results of these scans and fix the issues they find, a follow-through step that some retailers fail to take.
Other speakers on the panel contributed suggestions as well. Shekar Swamy, president of Omega ATC, St. Louis, stressed that systems deemed compliant with Payment Card Industry (PCI) standards still need to be updated and kept current. Retailers must be diligent about applying the patches vendors send to update software, and about making sure all software is current.
Take care of the basics, Swamy said. Install a firewall that will identify and fend off intrusions. Consider two-factor authentication, especially if staff has remote access to programs—possibly a password plus either a key fob or a smartphone application that triggers access. And most importantly, he said, keep the POS network separate from other systems. “Some people are putting it in a separate, closed environment,” he said.
Taking steps such as these makes it possible to track who is entering the system and when, Swamy said. Agreeing, Cyprus noted that giving each user an individual account that reflects what it is used for, rather than having all authorized users log in under a shared “admin” user name, is part of the solution, as is restricted, tiered access based on what each user needs.
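The separation that Cyprus and Swamy describe comes down to a firewall sitting between the store’s office computers and the POS terminals, with rules that only let the POS segment talk to the payment processor and only let one administrative host reach the POS segment. The nftables ruleset below is an added illustration written for this page, not a configuration from the article or from any of the speakers’ companies. The interface names, subnets, the processor address (203.0.113.10, from the reserved TEST-NET-3 range), the resolver and the admin workstation are all assumptions; on a flat network, where the office PCs and the POS share one segment, no forward rule ever sees the traffic, which is the setup Cyprus warns against.

```nftables
#!/usr/sbin/nft -f
# Added example: router/firewall between an office LAN and a dedicated POS segment.
# All addresses and interface names below are assumptions for illustration.
flush ruleset

define WAN_IF     = "eth0"          # uplink to the ISP
define OFFICE_IF  = "eth1"          # office PCs, employee web browsing
define POS_IF     = "eth2"          # POS terminals only
define OFFICE_NET = 10.10.0.0/24
define POS_NET    = 10.20.0.0/24
define PROCESSOR  = 203.0.113.10    # hypothetical payment gateway (TEST-NET-3)
define RESOLVER   = 10.20.0.1       # hypothetical local DNS resolver for the POS segment
define MGMT_HOST  = 10.10.0.5       # hypothetical admin workstation, the only office host allowed in

table inet pos_segmentation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were already permitted
        ct state established,related accept
        ct state invalid drop

        # POS terminals may resolve names via the local resolver and reach the
        # payment processor over TLS. Nothing else leaves the POS segment.
        iifname $POS_IF ip saddr $POS_NET ip daddr $RESOLVER udp dport 53 accept
        iifname $POS_IF oifname $WAN_IF ip saddr $POS_NET ip daddr $PROCESSOR tcp dport 443 accept
        iifname $POS_IF log prefix "pos-egress-denied: " drop

        # Office LAN may not initiate anything toward the POS segment, except
        # the one admin host over SSH. Denied attempts are logged so they can be tracked.
        iifname $OFFICE_IF oifname $POS_IF ip saddr $MGMT_HOST ip daddr $POS_NET tcp dport 22 accept
        iifname $OFFICE_IF oifname $POS_IF log prefix "office-to-pos-denied: " drop

        # Office LAN keeps its ordinary internet access
        iifname $OFFICE_IF oifname $WAN_IF ip saddr $OFFICE_NET accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN_IF masquerade
    }
}
```

Load it with `nft -f pos-segmentation.nft` on the gateway and confirm the intent from both sides: an office PC should fail to connect to a terminal’s SSH port while the admin host succeeds, and a terminal should fail to fetch an ordinary website while a connection to the processor on 443 goes through. The two `log` lines produce kernel log entries prefixed `pos-egress-denied:` and `office-to-pos-denied:`, which are the records a retailer can review to see who tried to enter the POS segment and when.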
Finally, Liz Garner, director of commerce and entrepreneurship at the National Restaurant Association, said restaurant operators, many of whom run single locations, encounter the same challenges and concerns that convenience store retailers do. She said, for those retailers, cost represents a huge barrier to compliance and overall data security.
Another facet to the evolving issue of security is mobile payment, Garner said. It’s an emerging threat retailers need to be aware of. (Angel Abcede, CSP Daily News: www.cspnet.com)