Retailers adopt proven strategies to curb POS breaches

Security breaches at the point of sale don't just impact business operations and customer loyalty; they strike an expensive and damaging blow to a retailer's bottom line.

As a result, POS security has taken top priority for many retail executives, Chris Ciabarra, co-founder and chief technology officer of Revel Systems, told FierceRetailIT. Best practices such as those involved in point-to-point encryption, Payment Card Industry Data Security Standards and the new EMV chip cards combine for a robust defense against cyber attacks.

Legacy POS systems can be especially vulnerable to breaches since POS security measures often lag behind other technologies. A December 2014 survey of 84 retail CIOs by Forrester Research and the National Retail Federation found that data security and POS upgrades were among the highest-priority technology projects for 2015.

"Security has been ignored in the POS space for far too long," Ciabarra said. "With last year's hacks at major retailers, including Target and Home Depot, security is top of mind for both retailers and consumers. Millions of cardholders have had their credit card data stolen by hackers who prey on vulnerable checkout systems. This has both serious and expensive repercussions for retailers who face the cost of investigating such breaches and often paying exorbitant fines, not to mention the damage to retailers' reputation among consumers."

Retailers can protect their customers and their business with POS technology that prevents cybercriminals from reaching their system's data. "My advice is to choose point-to-point encryption hardware that's compliant with Payment Card Industry Data Security Standards and to implement multiple safeguards," he said.

These include: not storing credit card information in the front end of your POS system; not storing credit card information in the cloud; making sure that credit card information goes directly from the card swipe into the payment processor; tokenizing credit card information that must be stored; and using POS security features that help identify theft.

"Look for solutions that mitigate risk by tracking the sales personnel who log in to process transactions via video and passwords," Ciabarra said.

Among Revel's customers, PCI Compliance and EMV are hot issues, "and I can't stress point-to-point encryption enough," Ciabarra said. PCI/P2PE compliance ensures that business and customer data is safe and secure and that credit card information is safely and securely transmitted from the POS system to the financial processors.

Another advantage to the P2PE device is that each one is built with a tamper-proof chip that protects its internal data when a hacker takes the device apart.

"While some experts blame the past year's retail hacks on POS weak spots, I emphasize that the standards are in place to protect you. Unfortunately, many merchants, to this day, dance around PCI standards or oblige them using the lowest possible denominator. This puts profits and customers at risk. With these best practices in place from the onset, retailers can count on their business to be secure well into the long run," Ciabarra said.

The biggest new development in POS security is the Europay, MasterCard and Visa chip card. The EMV standard is accelerating globally with 70 percent of terminals outside the U.S. compliant, but it has been slow to catch on here.

"The EMV standard reduces fraud through chip-enabled cards and chip-enabled terminals, which are far less vulnerable to hacks than the traditional magnetic strip cards," Ciabarra said. "The chip-enabled standard is significantly more secure, and retailers who don't adopt this standard are putting themselves and their shoppers at risk."

EMV also shifts the liability to merchants and issuers for fraudulent transactions.

In addition to getting ready for EMV and adopting point-to-point encryption hardware, Ciabarra said retailers need to adopt as many payment options as they can while maintaining stringent security standards. "Retailers have to balance being flexible to customers' payment preferences, while protecting their data. It's a juggling act of providing excellent customer service and top-level security. With the rise of numerous payment options, from Bitcoin to Apple Pay, 2015 is the year when retailers will become more flexible to consumer preferences and more secure. Retailers need to choose a POS system that balances customer experience with security."
