Today, organizations are prioritizing security, given the increased rate of occurrence of cyberattacks. And the retail industry is no exception.
The most publicized retail breaches include Target, which had the records of 40 million customers stolen in 2013; the same attack compromised another 70 million records.
In 2018, the department store chains Saks Fifth Avenue and Lord & Taylor suffered bad press due to a breach that exposed the details of 5 million customer payment cards. Online customers of another popular retailer, Macy's, became victims of a data breach that lasted for nearly two months, and as a result the retailer faced a class-action lawsuit from its customers.
Also in 2018, British Airways was hit with a data breach affecting around 380,000 customers who were using its website and mobile app. According to an article on activereach.net, “customers’ payment card details were breached but compromised data did not include travel or passport details.”
In this blog, we’ll discuss a few ways we can handle the security risks associated with one of the retail industry’s biggest areas of risk, Point of Sale (POS) machines.
While retail stores cannot function without Point of Sale (POS) machines, they pose great security risks as they are constantly connected to the internet, do not always meet IT security standards, and are accessed by multiple users for terminal updates.
Here are three ways retail organizations can keep their POS machines secure and ward off data breaches related to sensitive credit card information.
1. Tighten Software and Security Policies to Avoid POS Malware Attacks
POS malware is specifically designed for POS terminals and used to steal customer payment card data during transactions in retail stores.
When a sale takes place, the retailer's POS system (the endpoint) handles the payment card data while charging the card, and that data is stored encrypted on the endpoint. However, there is a split second while the payment is being processed when the data is not yet encrypted, and that is the window in which attackers steal it.
This attack is made possible by planting malware on the endpoint. Retail organizations can be riddled with legacy systems that are difficult to patch and hence are easy targets for malware attacks. To avoid malware, retailers need to:
- Keep their POS and server endpoints updated with regular patching
- Avoid having POS endpoints that access the internet
- Have basic security layers such as firewalls and antivirus/anti-malware (AV/AM) software deployed to all endpoints
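The two controls above that can be checked mechanically are patch currency and the "no internet from POS endpoints" rule. The following is an added example, not code from the original post: it parses a few constructed firewall log lines and a constructed terminal inventory, flags POS terminals that reached any destination outside an assumed payment-gateway allowlist, and lists terminals whose last patch is older than an assumed 30-day limit. The log format, IP addresses, ports and dates are all assumptions made for the example.

```python
"""Egress and patch-hygiene check for POS endpoints (added example).

Assumptions (not from the original post): the payment gateway is
203.0.113.10:443, the store server is 10.0.0.5:8443, firewall lines
look like the constructed samples below, and a terminal counts as
stale after 30 days without patching.
"""
from datetime import date
import re

# Assumed allowlist: the only destinations a POS terminal should reach.
ALLOWED_EGRESS = {("203.0.113.10", 443), ("10.0.0.5", 8443)}
PATCH_MAX_AGE_DAYS = 30

# Constructed inventory: terminal IP -> date of last patch.
INVENTORY = {
    "10.0.1.11": date(2024, 5, 1),
    "10.0.1.12": date(2024, 1, 15),
}

# Constructed firewall log lines (sample data, not real logs).
FIREWALL_LOG = """\
2024-05-20T10:01:03Z ALLOW src=10.0.1.11 dst=203.0.113.10 dport=443 proto=tcp
2024-05-20T10:01:09Z ALLOW src=10.0.1.12 dst=198.51.100.77 dport=443 proto=tcp
2024-05-20T10:02:15Z ALLOW src=10.0.1.12 dst=10.0.0.5 dport=8443 proto=tcp
2024-05-20T10:03:44Z ALLOW src=10.0.1.11 dst=192.0.2.9 dport=8080 proto=tcp
2024-05-20T10:04:01Z DENY src=10.0.1.11 dst=192.0.2.9 dport=8081 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Parse one firewall line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def egress_violations(log_text, inventory=INVENTORY, allowed=ALLOWED_EGRESS):
    """Return (src, dst, dport) for every ALLOWed connection from a POS
    terminal to a destination that is not on the allowlist. Denied
    connections are already blocked, so they are not reported here."""
    violations = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ALLOW":
            continue
        if rec["src"] not in inventory:
            continue  # not a POS terminal; out of scope for this check
        if (rec["dst"], rec["dport"]) not in allowed:
            violations.append((rec["src"], rec["dst"], rec["dport"]))
    return violations


def stale_terminals(inventory=INVENTORY, today=date(2024, 5, 20),
                    max_age=PATCH_MAX_AGE_DAYS):
    """Return terminals whose last patch is older than max_age days."""
    return sorted(ip for ip, patched in inventory.items()
                  if (today - patched).days > max_age)


if __name__ == "__main__":
    for src, dst, port in egress_violations(FIREWALL_LOG):
        print(f"egress outside allowlist: {src} -> {dst}:{port}")
    for ip in stale_terminals():
        print(f"patching overdue: {ip}")
```

In practice the allowlist would be enforced on the store firewall rather than only audited afterwards; the audit still matters because it catches rule changes and terminals added outside the standard build.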
2. Invest in Employee Security Awareness Training
Protect your data by minimizing human error. It is imperative for retailers to train their IT professionals and other employees on security best practices such as access controls, password complexity, and identifying unauthorized devices on POS terminals. The training should also cover appropriate procedures for responding to suspicious activity.
3. Maintain PCI Compliance
The Payment Card Industry Data Security Standard (PCI DSS) ensures the protection of payment card data with policies such as:
- Restricting access to cardholder data by business need to know
- Identifying and authenticating access to system components
- Restricting physical access to cardholder data systems
- Mandating multi-factor authentication (MFA) for all non-console administrative access
- And more
PCI compliance by itself may not ensure complete IT security. However, retailers can build on compliance, move beyond check-box requirements, and incorporate cybersecurity best practices to maximize protection across the payment lifecycle.
To learn more about meeting the challenges facing retail IT professionals, download our eBook How to Overcome 7 Tough Retail IT Challenges.