How to prevent skimming and other POS terminal attacks

How to prevent skimming and other POS terminal attacks

As a small business owner, you may not think of yourself as a crime fighter, but perhaps you should -- your point-of-sale (POS) terminals are vulnerable to several sophisticated types of data theft. Here's what to watch out for -- and how to prevent attacks.

Types of terminal compromise attacks
Thieves can install card readers to steal data, but they may also be able to access that information through unprotected wires, switches, Internet networks and communications. Here are several examples from the Payment Card Industry Security Standards Council (PCI SSC):

• Criminals may change cables on terminal connections, adding wires that allow them to capture card data.
• A thief may add unfamiliar equipment to a cash register or POS terminal to record data. Your employees may assume that you added this equipment. In one case cited by the PCI SSC, a thief actually posed as a service technician installing an anti-theft device to the system; employees never challenged him or questioned his credentials.
• Thieves can tap into unprotected wireless networks to intercept transaction information as it is sent from the POS terminal to the processor.
• Criminals can add keyloggers to the terminal cabling, capturing key strokes that provide information on card numbers and PINs.
• Data bandits may install miniature cameras to record cardholders entering their PINs at the POS terminal.

Keep equipment out of reach
Unfortunately, once data-stealing devices are in place, they can be difficult to detect. That means you have to go on the offensive in protecting your customers' credit card data.

"Prevention is the number one thing that you have to look at when it comes to safeguarding the POS terminal," says Jarred White, penetration tester at ControlScan, a PCI compliance and security company that serves small- to mid-sized merchants. "You want to do anything you can to prevent people from getting access to the physical device itself and to prevent them from getting access to the network ports where those devices are plugged in."

If you process only a few card transactions each day, for example, you might consider putting your credit card terminal in a locked box when you're not using it, White says.

The PCI SSC recommends physically securing terminals to the payment location or alarming them so that your employees will know if someone attempts to move them. Protect cables and wiring by running them through conduits, making them harder to access. Keep as much equipment as possible behind locked doors.

Point security cameras at terminals so that you can review the feed if necessary, White advises.

"In the event of a breach or a theft of some sort you want to be able to investigate, so you want to know who was working on that shift and who came in and out of the location," White says.

Avoid network compromises
Do you provide free wireless access to your customers? If you're not keeping that wireless network separate from your payment network, you're inviting thieves to come in and snoop around.

"TJ Maxx was compromised that way, by a hacker who gained access to a network through a wireless contact point," White says. "Once he was on the network, he was able to remain there undetected and had all the time he needed to work on breaking their POS devices and gaining access to their cardholder data."

Some merchants, White says, fail to enable strong encryption or fail to use strong passwords. To avoid attacks, merchants can use network segmentation, keeping the payment processing behind firewalls so that the POS network is plugged into one port (Internet access point) and the rest of the network (including wireless access) is plugged into another.

"If you can reduce the size of your payment card environment so that people coming into your shop and connecting to your wireless access point are not connecting to your network where payment card processing goes on, you've really reduced the possibility that someone is going to access those POS terminals or access a back-end database somewhere," White says.

Because thieves may try to access the POS terminal software to install a virus or malware that can leave sensitive data unprotected, merchants should work with vendors that will update their terminals' operating systems with the latest security patches in a timely manner.

Ground rules
Your security needs will vary based on your business. Here are three steps, recommended by White, that all merchants can take.

1. Educate employees and provide strong and enforceable policies and procedures.

"Help them understand what it is they're protecting," said White. "Their role is not only to take payments but to protect the data, protect consumers and protect the business."

2. Require routine physical inspections of the area around your terminals. Make sure that employees keep an eye on those areas as well, and look for POS terminals and related equipment that are out of place.
   
   "Keep an eye on customers who seem to be being nosy, or who are looking at areas where they shouldn't be looking," White advises.

3. Work with the right POS terminal vendor.
   
   "Make sure that you select vendors, applications and hardware platforms that have a commitment to security," White says.

4. Look for companies that are on the Payment Application - Data Security Standard (PA-DSS) -- a list of payment applications vetted by the PCI Security Standards Council.

Still feeling overwhelmed by security threats? Seek professional assistance.

"There are many managed security providers out there and they offer monitoring and consulting services that come in all shapes and sizes and pretty much fit every budget," White says.

See related: Expert Q&A: A PCI primer for brick-and-mortar merchants, What to do after a data breach

Published: October 5,2023