Is Your POS System Secure?

How to protect your POS system from security breaches

When national retailers, government databases and celebrity photos make headlines for electronic data breaches, it’s easy to think hackers are only after splashy targets.

The reality is food and beverage ranks as the second most frequently compromised industry, according to Trustwave’s “2014 Global Security Report.” In fact, point of sale (POS) breaches accounted for 33 percent of its investigations. 

Restaurants are particularly susceptible to data intrusions because they generally have limited time, knowledge and resources for security, says Avivah Litan, security analyst for Gartner, an information technology research and advisory company. 

“They’re not focused on it or equipped to deal with it, and they typically use vendors that don’t invest much in security,” Litan says.  

To combat hackers, experts recommend a variety of safeguards designed to keep restaurant networks from becoming vulnerable.

Employ a point-to-point payment encryption system, Litan says. This encrypts the data inside a POS card reader until it reaches the payment processor. If hacked, the information would have no value because it would not contain any card numbers or personal information.

“They (restaurants) should look for vendors that offer it and insist their vendors supply that to them,” Litan says. “If they say they won’t, switch vendors. It’s that important.”

Isolate Your POS

Eliminating remote access for your POS system—so it’s on its own network and not attached to any Wi-Fi or other administrative network—also deters data intrusion.

“The Secret Service has identified remote access as one of the major causes of breaches in restaurants and small businesses today,” says David Matthews, executive vice president and general counsel for the National Restaurant Association. “If a user can dial into a POS system from a remote location, that’s an open invitation to get into your system and steal data.”

To identify breaches as early as possible, Matthews suggests restaurants scan their networks on a regular basis  for unauthorized intrusions or abnormal system behavior.

“You don’t see a broken window or an unlocked door,” he says. “If (restaurants) don’t do regular scans, the first time many people know they’ve been hacked is when they get a call from law enforcement or from a customer saying their information has been compromised.”  

Craig Dunaway, president of Cincinnati-based Penn Station East Coast Subs, has taken that measure one step further after suffering a breach in 2011.  

The company’s systems are monitored 24/7. Even though its restaurants are individually owned, Penn Station has given the monitoring company a list of approved sites for transmitting data. 

“If they see any deviation, they’re to let the franchisee know, and if it’s a problem, the franchisee will let us know,” Dunaway says.

A Multitiered Approach

Employing a layered approach is the most effective protection, says John Pearson, director of data security and compliance for transaction technology provider NCR. A security plan should include encryption, firewalls and tight passwords. 

“All systems, including POS systems, regardless of provider, can be targeted by malicious software,” he says. “Following one or two guidelines is not enough to secure your environment.” 

Operators shouldn’t scrimp on network security, Dunaway says. 

“Credit card processing is complicated so you need to constantly monitor and evaluate and work with a professional. While it may seem expensive, it’s a lot less expensive than a breach can potentially be to the merchant. Just because you can take someone’s credit card, swipe it through a machine and get your money the next day doesn’t mean you’re safe.”  

Never Too Safe

Experts suggest these additional tactics to help safeguard a restaurant’s POS system.

- Change all default passwords and institute a strong password control policy among employees.

- Update software and virus protection programs regularly to identify and combat the most recent viruses and malware.

- Train staff to be aware of those who tamper with the card reader equipment.

- Install a strong firewall that prevents people from accessing your system over the Internet.