How Secure Are You

One thing that 2013 taught retailers is that every one of them is vulnerable. Target was just the latest in a string of retailers, national and local, to have their security breached. It has left customers dealing with banks that are closing accounts, canceling cards and creating confusion. A breach like this can mean less confidence in the retailer, lower profits and simply a very public black eye.

The question then becomes, “What steps can you take before it happens to you?” Our experts in security have come up with a short check-up for any POS system.

General Network Security


1. Analyze and update firewall configurations. Make sure that only the ports, services and Internet Protocol (IP) addresses you actually need are allowed to communicate with your network. Limiting inbound (outside-in) traffic to VPN connections simplifies this. VPNs are commonly used to secure administrative connections and connections between stores and headquarters.

2. Segregate payment processing networks from other networks.

3. Apply Access Control Lists (ACLs) in the router configuration to limit unauthorized access to payment processing networks, and create strict ACLs segmenting public-facing systems from the backend database systems that house payment card data.

4. Enable the firewall on every computer on your network and configure it to allow only what your applications need in order to run properly. Install and maintain antivirus software on all systems within your network.


At the Register - POS Security


1. Employ or install hardware-based point-to-point encryption. EMV-enabled PIN-entry devices, or other credit-only devices that have Secure Reading and Exchange of Data (SRED) capabilities, are recommended.

2. Make sure your payment applications are Payment Application Data Security Standard (PA-DSS) compliant.

3. Always run the most up-to-date operating system with the latest security patches, anti-virus software, file integrity monitoring, and a host-based intrusion-detection system. Password-protect these settings so they cannot be altered.

4. Perform a binary or checksum comparison against a known-good baseline to find out if unauthorized files have been installed.

5. Make sure that any automatic updates from third parties are validated before they reach your POS systems: perform a checksum comparison on each update against its known-good value prior to deploying it.

6. Disable unnecessary ports and services, null sessions, default users and guest accounts. Also enable event logging and make sure there is a process to review the logs on a daily basis.

7. Implement least privilege and ACLs for users and applications on the system.
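Items 4 and 5 above are the same mechanism applied twice: hash the files you trust, store that baseline somewhere the register cannot rewrite it, and compare against it, both on a schedule and before any third-party update is installed. The script below is an added example (not code from the original post or from any POS vendor) that shows both halves; the application directory, the update package and the "known-good" hash are constructed inline so it runs offline.

```python
"""File-integrity baseline and update validation for a POS host.

Added example, not part of the original checklist. It assumes an
application directory to watch (constructed in a temp dir here) and a
known-good SHA-256 for a third-party update package (also constructed).
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(baseline: dict, path: Path) -> None:
    """Store the baseline as JSON; keep this copy off the POS host (read-only media or a server)."""
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Report files that were added, removed or modified since the baseline was taken."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in current if f in baseline and current[f] != baseline[f]),
    }


def update_is_valid(package: Path, known_good_sha256: str) -> bool:
    """Deploy a third-party update only if its hash matches the known-good value.
    compare_digest avoids leaking which prefix matched through timing."""
    return hmac.compare_digest(sha256_of(package), known_good_sha256.lower())


def demo() -> dict:
    """Run the whole workflow against a constructed directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "pos_app"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "pos.exe").write_bytes(b"original binary")   # constructed
        (root / "config.ini").write_text("[payment]\nmode=p2pe\n")    # constructed

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulate what a compromise looks like: one binary changed, one file dropped in.
        (root / "bin" / "pos.exe").write_bytes(b"patched binary")
        (root / "bin" / "unknown.dll").write_bytes(b"unexpected")
        findings = compare_to_baseline(root, load_baseline(baseline_file))

        # Validate an update package: the genuine copy passes, an altered copy is rejected.
        pkg = Path(tmp) / "update.zip"
        pkg.write_bytes(b"vendor update v2")              # constructed package
        known_good = sha256_of(pkg)                       # stands in for the vendor-published hash
        findings["update_ok"] = update_is_valid(pkg, known_good)
        pkg.write_bytes(b"vendor update v2 plus extra")   # altered in transit
        findings["tampered_update_ok"] = update_is_valid(pkg, known_good)
        return findings


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline must be taken from a machine you trust and stored where the register cannot modify it; a baseline kept on the same host is only as trustworthy as the host. The known-good hash for an update has to come from the vendor over a separate channel (their website over HTTPS, a signed release note), never from inside the package you are checking.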


Administrative


1. Use two-factor authentication when accessing payment processing networks. Two-factor authentication helps mitigate key-logger and credential-dumping attacks.

2. Limit privileges for users and applications, and audit for unknown and dormant users often.
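Item 6 in the register list (default users, guest accounts, daily log review) and item 2 here (auditing unknown and dormant users) both come down to a review that someone has to actually run every day. Below is one way to script that review, as an added example that is not part of the original post; the account export, the approved roster, the default-account names and the log line format are constructed assumptions, not the output of any particular POS product or operating system.

```python
"""Daily account audit and authentication-log review for POS hosts.

Added example, not from the original checklist. The account export,
the approved-user roster, the default-account list and the log format
are all constructed assumptions standing in for what your POS vendor
or operating system actually provides.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed account export: one row per local account on the register.
ACCOUNTS = [
    {"name": "pos_svc",   "enabled": True, "last_logon": "2014-01-14"},
    {"name": "manager1",  "enabled": True, "last_logon": "2014-01-13"},
    {"name": "Guest",     "enabled": True, "last_logon": None},
    {"name": "oldtech",   "enabled": True, "last_logon": "2013-09-02"},
    {"name": "tmp_admin", "enabled": True, "last_logon": "2014-01-10"},
]
APPROVED = {"pos_svc", "manager1", "oldtech"}          # assumed roster
DEFAULT_ACCOUNTS = {"guest", "administrator", "admin"}  # assumed built-in names


def audit_accounts(accounts, approved, today, dormant_days=90):
    """Flag accounts nobody approved, accounts unused for dormant_days, and
    built-in default accounts that are still enabled."""
    today_d = datetime.strptime(today, "%Y-%m-%d")
    findings = {"unknown": [], "dormant": [], "default_enabled": []}
    for acct in accounts:
        name = acct["name"]
        if name.lower() in DEFAULT_ACCOUNTS:
            if acct["enabled"]:
                findings["default_enabled"].append(name)
            continue
        if name not in approved:
            findings["unknown"].append(name)
        last = acct["last_logon"]
        never_or_stale = last is None or (
            today_d - datetime.strptime(last, "%Y-%m-%d") > timedelta(days=dormant_days)
        )
        if acct["enabled"] and never_or_stale:
            findings["dormant"].append(name)
    return findings


# Constructed syslog-style authentication lines; the format is an assumption.
LOG_LINES = """\
Jan 15 02:11:03 reg-02 login: FAILED login for pos_svc from 10.1.5.77
Jan 15 02:11:05 reg-02 login: FAILED login for pos_svc from 10.1.5.77
Jan 15 02:11:08 reg-02 login: FAILED login for pos_svc from 10.1.5.77
Jan 15 02:11:10 reg-02 login: FAILED login for pos_svc from 10.1.5.77
Jan 15 02:11:12 reg-02 login: FAILED login for pos_svc from 10.1.5.77
Jan 15 02:11:20 reg-02 login: ACCEPTED login for pos_svc from 10.1.5.77
Jan 15 09:02:44 reg-01 login: ACCEPTED login for manager1 from 10.1.5.20
Jan 15 09:30:01 reg-01 login: FAILED login for manager1 from 10.1.5.20
""".splitlines()

LINE_RE = re.compile(
    r"^\w{3} \d{2} (\d{2}):\d{2}:\d{2} (\S+) login: (FAILED|ACCEPTED) login for (\S+) from (\S+)$"
)


def review_auth_log(lines, failure_threshold=5, open_hour=7, close_hour=22):
    """Surface three things a daily reviewer should look at: bursts of failed
    logons, a success that follows such a burst, and logons outside store hours."""
    failures = Counter()
    success_after_burst = []
    after_hours = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line; a real tool would count these too
        hour, host, outcome, user, src = m.groups()
        key = (host, user, src)
        if outcome == "FAILED":
            failures[key] += 1
            continue
        if failures[key] >= failure_threshold:
            success_after_burst.append(key)
        if not open_hour <= int(hour) < close_hour:
            after_hours.append(key)
    bursts = [k for k, n in failures.items() if n >= failure_threshold]
    return {
        "failure_bursts": bursts,
        "success_after_burst": success_after_burst,
        "after_hours_logon": after_hours,
    }


if __name__ == "__main__":
    print(audit_accounts(ACCOUNTS, APPROVED, today="2014-01-15"))
    print(review_auth_log(LOG_LINES))
```

The thresholds (90 days dormant, five failures, 7am to 10pm store hours) are placeholders to tune per store. What matters is that the review produces a short list someone reads each morning, and that an enabled account nobody recognizes, or a successful logon right after a run of failures, is treated as an incident rather than noise.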


Disable DHCP


1. Plan your network in advance. Give every device a static IP, then disable DHCP. This prevents your network from automatically handing an address, and with it network access, to an unknown device that connects.

The last tip is to have your policy in writing and contact an expert if you have any questions at all about your security. This is a warning; no one can stop all thieves. However, with a proactive approach you can make it more difficult. Strict adherence to the above security procedures may make the thief think twice and look elsewhere for a victim.

If you have any questions about your current level of security do not hesitate to contact us.