Why You Need Security Audit for Your Point-­of-­Sale (POS) System

The majority of the POS system are not stand-alone systems. They integrate with other systems such as CRM, finance, warehousing, inventory management, or data backups to provide a complex service to end-users like retailers, hotels, restaurants, and hospitality service providers.

It’s clear that POS systems are a source of important and valuable data, and have the power to either speed up the progress or to stop the development of a company, depending on whether or not they are used. POS data is a business asset.

Despite this vital importance, such an asset is not afforded the protection it deserves.

Threats from POS systems

Data leakage: Assets are targets for threats. In the case of POS systems, we are talking about data leakage which directly endangers the business through both regulatory fines e.g. new upcoming EU regulation regarding General Data Protection – GDPR and from the loss of the reputation.

Data theft: Another threat is the accidental modification of data by accident, or data being deliberately changed by a malicious third party. Data alteration or data loss results in you making the wrong business decisions, leading to the loss of your position in the market. In general, any data theft or data alteration leads to a potential competitive disadvantage, and gives your competitors the upper hand. Dysfunction of the POS system or the inability to gather POS data is similar to data loss.

POS system vulnerabilities

Software bugs: A POS system is a complex piece of software - and all software is liable to suffer from bugs. Updates and patches are a real must, to ensure that your POS systems are up to date and running as they should- but relatively few people bother to take the time to perform these updates.

Long life cycle: Another threat is related to the long lifecycle of the POS system. Because of the single-purpose of the POS system, it is not necessary to replace it with a newer model. Old models are used for years. Update of the software contains the newer parts (e.g. electronic evidence of payments support), but the core of the system remain the same. It's not far ago when the ATM machines were equipped by Windows XP – 15 years old operating system.

Public network: POS systems is still connected to the data network, and are usually placed in a public area. This enables unauthorized direct access to the POS system (e.g. from the cleaning company employees), or remote access via the data network. Remote POS data access or data eavesdropping during communications is difficult to detect. Unfortunately, the connection of the POS system is required in order to keep all data accurate and up to date.

All mentioned vulnerabilities are permanent problems.

How big is the risk?

The level of the risk related to the threats varies case by case. Determining the risk is often difficult, even for large enterprises with experienced employees in their risk department.

What we do know, though, is that GDPR may impose fines from 2 % to 4 % of global company turnover. Reputation loss affects company value. Loss of the position, data theft, data loss, and data modification affect sales ability. To make a quick estimate, such risks can account for a 2% loss to your company’s value and a 2% revenue decrease.

We’re using three companies of different sizes to illustrate the impact of fines:

Company Number/Type Size A big-size retail company A medium-size retail company
Company value 1 billion EUR 40 million EUR
Annual revenue 100 million EUR 4 million EUR
Annual company turnover 100 million EUR 4 million EUR
A single data leak price is up to 26 million EUR 1 million EUR

How can you mitigate risks?

Avoid the risk: One way is to avoid risk by not processing any sensitive data - however, this is clearly impossible for POS systems.

Transfer the risk: This is difficult too, though, because where and to whom do you transfer the risk?

Accepting the risk is another approach, but that means the following:

  • You hope that hackers spare your POS systems and your business.
  • You accept whatever legal fines may come from a data breach.
  • You lose your customers and damage your company’s reputation.

The only approach that works is to reduce the risk:

To effectively reduce the risk related to the unauthorized data manipulation, it best to perform an in-depth inspection of systems which deal with sensitive data. The inspection has to be done from the architecture point of view (to reveal the critical and the most unprotected parts which represent major vulnerabilities), and from the source code perspective (to reveal mistakes in the application logic and the sensitive operations like authentication and authorization). The result of the inspection is a set of recommendations on how to harden the whole system surrounding sensitive data. After the fixes have been carried out, it’s time to perform a penetration test to prove that all fixes were done properly.

It is important to say, that a security audit is not a fight between developers and auditors. Instead, it is a cooperation to produce better result, better application, and better ecosystem. To reduce the risk and to protect company assets from getting stolen or misused, it is better to be a step ahead of hackers by timely inspection than be an entry in the breach list e.g. on https://haveibeenpwned.com.

Learn how we help O2 build and operate a large fleet of point-of-sale systems securely and reliably. Their POS solution is current the fastest selling and most used in the Czech PoS market.

If you’d like to get a true assessment of the security of your POS system and its backend, ask us about our Security Audit. Alternatively, see our POS system management solution to know how we can help you build and operate your POS system in a secure and reliable manner.

About the Author

Jiri Kohout

TeskaLabs’ VP of Application Security, Jiri Kohout, brings years of experience in ICT security, having served as the Chief Information Security Officer for the Ministry of Justice and Chief Information Officer for Prague Municipal Court. He cooperated with the Czech National Security Agency to prepare the Czech Republic cyber security law.

You Might Be Interested in Reading These Articles

The TalkTalk Hack: What You Need to Know

TalkTalk, one of the largest providers of broadband and phone service in the UK, has recently admitted to being the victim of a large cyberattack. For those in the United States or in another country where TalkTalk’s influence isn’t as widespread, it could be considered on the same level as a Verizon or an AT&T data breach.

Continue reading ...


Published on November 10, 2015

Custom Made vs. Off-The-Shelf Mobile Apps – The Issue of Security

In October 2015, Blakely Thomas-Aguilar did a great article on mobile security statistics on the VMware AirWatch blog that can and will send shivers down your spine. For example, she found that there was an increase of 18% in the number of Android vulnerabilities between 2011 and 2015.

Continue reading ...

mobile security

Published on July 26, 2016

SQL Injection - Are Developers to Blame for Data Security Breaches?

Of course, this is a bold statement, but for those who deal with security issues from mobile applications, they can pinpoint where the flaw occurred with developers not taking security into account when developing mobile apps. Security takes the back seat to app functionality and remains as second thought.

Continue reading ...

security development

Published on March 07, 2015