Securing POS

Protecting payment data begins at the front end

Most retailers focus on the back end when considering how to come into compliance with PCI standards and offer their customers the highest degree of information security. They spend considerable time making sure the servers and mainframes that store customer payment information are completely secure and devote a great deal of resources to ensuring that the networks where sensitive payment data run can’t be compromised.

Often lost in all this effort is attention to the front end, but “when developing an end-to-end secure data network, it is critical that you start at the first point — the terminal,” says Christopher Justice, managing director, North America, at Ingenico, a POS terminal manufacturer with U.S. operations based in Alpharetta, Ga.

In a white paper entitled “End-to-End Security in an Open and Mobile World,” Ingenico touches on various security issues associated with the terminal, including card technologies, open operating systems and mobile devices, that retailers need to be familiar with in order to ensure they are protecting their customers’ confidential information.

Merely following a list of PCI rules isn’t always enough, Justice says. “PCI should be seen as a baseline to start with, and then retailers need to really look at their operations and [determine if they are] doing everything they can to protect their customers.”

And as new payment options evolve, and the technology to handle such payments advances, retailers have to make sure their security measures keep up with the changes.

“There are thousands of applications that run over the payment networks, and with wireless options and other various individual IT services, there are millions of options available,” Justice says.

Many retailers hire payment experts to assess their systems and provide guidance, but Justice warns against counting too heavily on outside advice.

“Two different assessors may give two different options when it comes to data security,” he says. “Retailers need to think in different ways. This is not about simply following compliance to rules: It is about cardholder security. We are past the point where you can just check off items in a box.”

Controls at every step
Among the recommendations Ingenico makes in its white paper: Terminals should be manufactured in a secure plant with controls at every step. When security keys are injected into the terminal, the operation must be performed in a secure environment with provisions that ensure no one can access the keys. Any upgrade to a terminal must be performed only by the party authorized to do so.

Even terminals no longer in use must be secured. Until it is destroyed, a terminal still contains sensitive firmware and data that a fraudster could want, so retailers must make sure the terminal is properly destroyed once it has reached the end of its usable life, the report recommends.

Making sure terminals are secure may be the most difficult for mid-sized retailers. “For the smaller retailers that only have a few terminals connected, the job may be pretty easy,” Justice says, “and while the very large national retailers have the most complex systems to secure, they can hire the top security and IT experts to oversee their systems. Where it is most difficult is the tier-two retailers, those with about 10 to 15 stores. They have a complex network to oversee, but may only have one IT guy who has to do it all or rely on outsourced third parties.”
