Why You Need Security Audit for Your Point-of-Sale (POS) System
The majority of the POS system are not stand-alone systems. They integrate with other systems such as CRM, finance, warehousing, inventory management, or data backups to provide a complex service to end-users like retailers, hotels, restaurants, and hospitality service providers.
It’s clear that POS systems are a source of important and valuable data, and have the power to either speed up the progress or to stop the development of a company, depending on whether or not they are used. POS data is a business asset.
Despite this vital importance, such an asset is not afforded the protection it deserves.
Threats from POS systems
Data leakage: Assets are targets for threats. In the case of POS systems, we are talking about data leakage which directly endangers the business through both regulatory fines e.g. new upcoming EU regulation regarding General Data Protection – GDPR and from the loss of the reputation.
Data theft: Another threat is the accidental modification of data by accident, or data being deliberately changed by a malicious third party. Data alteration or data loss results in you making the wrong business decisions, leading to the loss of your position in the market. In general, any data theft or data alteration leads to a potential competitive disadvantage, and gives your competitors the upper hand. Dysfunction of the POS system or the inability to gather POS data is similar to data loss.
POS system vulnerabilities
Software bugs: A POS system is a complex piece of software - and all software is liable to suffer from bugs. Updates and patches are a real must, to ensure that your POS systems are up to date and running as they should- but relatively few people bother to take the time to perform these updates.
Long life cycle: Another threat is related to the long lifecycle of the POS system. Because of the single-purpose of the POS system, it is not necessary to replace it with a newer model. Old models are used for years. Update of the software contains the newer parts (e.g. electronic evidence of payments support), but the core of the system remain the same. It's not far ago when the ATM machines were equipped by Windows XP – 15 years old operating system.
Public network: POS systems is still connected to the data network, and are usually placed in a public area. This enables unauthorized direct access to the POS system (e.g. from the cleaning company employees), or remote access via the data network. Remote POS data access or data eavesdropping during communications is difficult to detect. Unfortunately, the connection of the POS system is required in order to keep all data accurate and up to date.
All mentioned vulnerabilities are permanent problems.
How big is the risk?
The level of the risk related to the threats varies case by case. Determining the risk is often difficult, even for large enterprises with experienced employees in their risk department.
What we do know, though, is that GDPR may impose fines from 2 % to 4 % of global company turnover. Reputation loss affects company value. Loss of the position, data theft, data loss, and data modification affect sales ability. To make a quick estimate, such risks can account for a 2% loss to your company’s value and a 2% revenue decrease.
We’re using three companies of different sizes to illustrate the impact of fines:
|Company Number/Type Size||A big-size retail company||A medium-size retail company|
|Company value||1 billion EUR||40 million EUR|
|Annual revenue||100 million EUR||4 million EUR|
|Annual company turnover||100 million EUR||4 million EUR|
|A single data leak price is up to||26 million EUR||1 million EUR|
How can you mitigate risks?
Avoid the risk: One way is to avoid risk by not processing any sensitive data - however, this is clearly impossible for POS systems.
Transfer the risk: This is difficult too, though, because where and to whom do you transfer the risk?
Accepting the risk is another approach, but that means the following:
- You hope that hackers spare your POS systems and your business.
- You accept whatever legal fines may come from a data breach.
- You lose your customers and damage your company’s reputation.
The only approach that works is to reduce the risk:
To effectively reduce the risk related to the unauthorized data manipulation, it best to perform an in-depth inspection of systems which deal with sensitive data. The inspection has to be done from the architecture point of view (to reveal the critical and the most unprotected parts which represent major vulnerabilities), and from the source code perspective (to reveal mistakes in the application logic and the sensitive operations like authentication and authorization). The result of the inspection is a set of recommendations on how to harden the whole system surrounding sensitive data. After the fixes have been carried out, it’s time to perform a penetration test to prove that all fixes were done properly.
It is important to say, that a security audit is not a fight between developers and auditors. Instead, it is a cooperation to produce better result, better application, and better ecosystem. To reduce the risk and to protect company assets from getting stolen or misused, it is better to be a step ahead of hackers by timely inspection than be an entry in the breach list e.g. on https://haveibeenpwned.com.
Learn how we help O2 build and operate a large fleet of point-of-sale systems securely and reliably. Their POS solution is current the fastest selling and most used in the Czech PoS market.
If you’d like to get a true assessment of the security of your POS system and its backend, ask us about our Security Audit. Alternatively, see our POS system management solution to know how we can help you build and operate your POS system in a secure and reliable manner.
Data encryption tool for GDPRMore information
You Might Be Interested in Reading These Articles
Distributed Denial of Service (DDoS) is a form of cyberattack which makes the target internet service inaccessible. “Distributed” refers to the fact that the attack comes from multiple sources, to have a bigger impact on the target, as it cannot cope with such a large amount of traffic. In recent years, DDoS attacks have become more and more complex, with many combinations of different attach approaches being used.
Published on February 07, 2017
In June 2017, two information security firms researching the 2016 hack of the electricity grid in Ukraine announced that they had identified the malicious code used to shut down power stations and leave thousands of households and businesses in darkness for several hours. The malware used to target the Kiev power grid has been named Industroyer, and it serves as a sobering reminder about the dangers faced by the Industrial Internet of Things (IIoT).
Published on September 05, 2017
Can you imagine leaving your house without locking the main door while you are out? I guess not. Locking the door is a routine that we're doing automatically, so why there is so much noise about the latest update from WhatsApp that seems like the company has just reinvented communication encryption?
Published on April 07, 2016