Point-of-Sale System Breaches - Threats to the Retail and Hospitality Industries

Source:  Point-of-Sale System Breaches - Threats to the Retail and Hospitality Industries 



PoS Systems in Retail/Hospitality Industry Networks

Point-of-sale (PoS) systems have been around in one form or another for decades. Businesses in the retail and hospitality industries use these systems not only to accept payment, but to provide other operational information such as accounting, sales tracking, and inventory management. These systems are also used to improve the customer experience through customer loyalty programs and suggestions.



From a security perspective, the most immediate risk to businesses and customers lies in accepting payments. The information customers hand over, if captured, can be used by cybercriminals to commit credit card fraud. Risk of exposure is the primary reason why the Payment Card Industry Security Standards Council (PCISCC) has established data security standards for organizations that handle the information of credit, debit, and ATM cardholders.1



PoS systems require some sort of connection to a network in order to contact external credit card processors. This is necessary in order to validate credit card transactions. How this connection is provided may depend on the store in question. For small businesses, this may be provided via a cellular data connection.



However, larger businesses that wish to tie their PoS with other back-end systems may connect 

the former to their own internal networks. In addition, in order to reduce costs and simplify 

administration and maintenance, PoS machines may be remotely managed over these internal 

networks.



Many PoS terminals are built using embedded versions of Microsoft™ Windows®. This means 

that it is trivial for an attacker to create and develop malware that would run on a PoS terminal, if 

he can gain access to that terminal and bypass or defeat any running security solutions present.



Sufficiently skilled and determined attackers can thus go after a business’s PoS terminals on a 

large scale and compromise the credit cards of thousands of users at a time. The same network connectivity can also be leveraged to help exfiltrate any stolen information. This is not just a theoretical risk, as we have observed multiple PoS malware families in the wild.