There's a massive gap between perceived and actual security, especially when it comes to point of sale (POS) — and, as the recent surge in retail security breaches demonstrates, retailers that fail to recognize this gap are paying the ultimate price. The fact is this: Even though securing customer information has become a paramount concern for many CISOs, retailers don't always have a firm grasp on the places where customer data is most vulnerable, and they might not know what questions to ask vendors to ensure the strongest security possible.
Here's a closer look at the POS security problem — and how your firm can find the vendor that's the best fit for your security needs.
Retail's POS Security Problem
Retail establishments have long been on the cutting edge of the big data movement, fully understanding how valuable that data can be when it comes to things like targeted marketing campaigns and ideal store layouts. However, collecting all this customer info has turned them into larger targets than they have historically been — and today, it appears that even as traditional corporate defenses harden, individual retail stores have become hackers' victims of choice.
As detailed in this Dark Reading article, each of the latest attacks plaguing retailers seems to focus on POS systems. And even if retailers subscribe to industry information-security standards such as PCI DSS, customer information is still occasionally vulnerable.
Why? Because industry standards ensure customer data is encrypted when it is in storage (on a hard drive or POS terminal, for example) and while in transit between a terminal and a centralized server — but, as any hacker knows, once a card is swiped, those POS terminals process the information unencrypted in RAM. Windows, Linux and many other standard operating systems will allow a given program to access the working memory of another. If hackers can install malware on one terminal, they can access customer data as it's being processed by the POS, eventually amassing tremendous amounts of stolen information.
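The exposure described above, as an added example that is not from the original article: a C handler that keeps only the PCI-permitted masked form of the PAN (first six and last four digits) and scrubs the raw Track 2 swipe from RAM as soon as it has been parsed, alongside the check an assessor would run over a memory buffer to confirm no full PAN lingers. The swipe data is a constructed Track 2 string built around a public test card number, and the hand-off to the payment processor is assumed to happen elsewhere.

```c
/* Added example (not from the original article): shorten the time a
 * cleartext PAN lives in terminal RAM. The swipe buffer used in testing
 * is a constructed Track 2 sample built on a public test card number. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define PAN_MAX 19

/* Wipe through a volatile pointer so the compiler cannot discard the
 * stores as "dead writes", as it is allowed to do with plain memset(). */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Assessment check: does the buffer still contain a run of 13 or more
 * digits, i.e. something shaped like an unprotected PAN? */
int contains_plaintext_pan(const unsigned char *buf, size_t len) {
    size_t run = 0;
    for (size_t i = 0; i < len; i++) {
        run = isdigit(buf[i]) ? run + 1 : 0;
        if (run >= 13) return 1;
    }
    return 0;
}

/* Parse the PAN out of Track 2 data (";PAN=YYMM...?"), write the masked
 * form (first 6 + last 4) to `masked`, and scrub both the local copy and
 * the raw swipe buffer before returning. Returns 0 on success, -1 if the
 * input is malformed or `masked` is too small. */
int handle_swipe(unsigned char *track2, size_t len, char *masked, size_t msz) {
    char pan[PAN_MAX + 1] = {0};
    size_t n = 0, i;
    int rc = -1;
    if (len < 2 || track2[0] != ';') return -1;
    for (i = 1; i < len && track2[i] != '='; i++) {
        if (!isdigit(track2[i]) || n >= PAN_MAX) goto out;
        pan[n++] = (char)track2[i];
    }
    if (n < 13 || msz < n + 1) goto out;
    for (i = 0; i < n; i++)
        masked[i] = (i < 6 || i >= n - 4) ? pan[i] : '*';
    masked[n] = '\0';
    rc = 0;
out:
    secure_wipe(pan, sizeof pan);   /* local copy of the PAN is gone */
    secure_wipe(track2, len);       /* raw swipe data is gone as well */
    return rc;
}
```

The `contains_plaintext_pan` check is the kind of thing a retailer's own assessment can run against a terminal's process memory after a test transaction: if it still fires, the vendor's "encrypted at rest and in transit" claim says nothing about the window this article is about.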
Finding the Right POS Vendor
POS security starts with asking the right questions. Not long ago, finding a POS terminal vendor that could prove PCI DSS compliance was probably enough to assuage the fears of many CISOs, because payment-card security standards were considered extremely robust. But today, it's apparent that even these standards leave information vulnerable, and retail CISOs have to dig deeper if they want to ensure their customers' data is safe.
Initiate talks with every potential vendor by posing two very important inquiries: Does your firm understand how the latest breaches and attacks are occurring? What steps are you taking to prevent future breaches? Secure vendors will realize data is vulnerable while running in RAM, and will have moved past traditional Windows boxes to solutions that effectively segregate application memory. Making it impossible for one application to access the memory contents of another, either through a separation kernel or advanced virtualization, will remedy some of the most immediate threats.
The problem, of course, is not just preventing today's threats, but also tomorrow's. While it's impossible to predict a hacker's every move, third-party vendors that embrace forward-looking policies on security will be much more likely to react quickly once threat vectors change.
If a POS vendor is up-front about the depth of its security and touts its solution's ability to withstand detailed testing from a trusted, third-party security vendor, it shows a level of commitment that's often lacking in a world where cutting costs to improve the bottom line seems to be the norm. Such in-depth security scans, which can be performed in both active and passive software states, provide levels of insight far beyond what any security self-assessment can accomplish — and firms that opt for them will often continue to work with security vendors on future patches and releases, ensuring their POS systems remain tight against any emerging threats.
For retailers, choosing a POS vendor can be a business-critical decision. Industry-standard compliance is simply no longer enough, so vendors that go the extra mile to prove the security of their solutions have to be given precedence in these decisions. The risk is too great to trust antiquated notions like self-assessments and assurances. But by asking the right questions and ensuring vendors test early and often, your firm will be protected against almost any new trick hackers have up their sleeves.