Why You Need a Security Audit for Your Point-of-Sale (POS) System

Most POS systems are not stand-alone. They integrate with other systems such as CRM, finance, warehousing, inventory management, or data backup to provide a complex service to end users such as retailers, hotels, restaurants, and other hospitality providers.

POS systems are therefore a source of important and valuable data, and they can either accelerate or stall a company's development depending on how that data is used and protected. POS data is a business asset.

Despite its importance, this asset is often not afforded the protection it deserves.

Threats to POS systems

Data leakage: Assets are targets for threats. For POS systems, the primary threat is data leakage, which directly endangers the business through regulatory fines, such as those introduced by the EU General Data Protection Regulation (GDPR), applicable from 25 May 2018, and through loss of reputation.

Data theft and alteration: Another threat is the modification of data, whether by accident or deliberately by a malicious third party. Altered or lost data leads to wrong business decisions and ultimately to a loss of market position. In general, any data theft or data alteration creates a potential competitive disadvantage and gives your competitors the upper hand. Dysfunction of the POS system, or the inability to gather POS data at all, has the same effect as data loss.

POS system vulnerabilities

Software bugs: A POS system is a complex piece of software, and all software is liable to contain bugs. Updates and patches are a must to keep POS systems running as they should, yet relatively few operators take the time to apply them. In practice this requires an inventory of every terminal and its software versions, a test of each patch on a reference device, and a scheduled rollout; without such a process, terminals silently fall behind.

Long life cycle: A further vulnerability stems from the long life cycle of POS hardware. Because a POS terminal serves a single purpose, there is little incentive to replace it with a newer model, so old models stay in service for years. Software updates add new features (for example, support for electronic sales registration), but the core of the system, including the operating system, stays the same. Not long ago, ATMs were still running Windows XP, an operating system more than 15 years old whose vendor support had already ended.

Public network: POS systems are connected to a data network and are usually placed in a public area. This enables unauthorized direct access to the terminal (for example by cleaning-company staff after hours) as well as remote access over the network. Remote access to POS data, or eavesdropping on its communication, is hard to detect unless the traffic is encrypted and access is logged and monitored. Unfortunately, the network connection cannot simply be removed, because it is what keeps the data accurate and up to date.

None of these vulnerabilities goes away on its own; they are permanent properties of any POS deployment.

How big is the risk?

The level of risk varies case by case. Determining it is often difficult, even for large enterprises with experienced staff in their risk department.

What we do know is that GDPR fines can reach 2 % or 4 % of global annual turnover (or 10 million EUR or 20 million EUR respectively, whichever is higher), depending on the category of infringement. Reputation loss affects company value. Loss of market position, data theft, data loss, and data modification affect the ability to sell. As a quick estimate, we assume here that such risks account for a 2 % loss of company value and a 2 % decrease in revenue.

We use two retail companies of different sizes to illustrate the impact:

                              A big-size retail company    A medium-size retail company
Company value                 1 billion EUR                40 million EUR
Annual revenue                100 million EUR              4 million EUR
Annual company turnover       100 million EUR              4 million EUR
Price of a single data leak   up to 26 million EUR         up to 1 million EUR

The last row is the sum of the 2 % loss of company value, the 2 % revenue decrease, and the maximum 4 % GDPR fine on turnover: 20 + 2 + 4 million EUR for the large company and roughly 0.8 + 0.08 + 0.16 million EUR for the medium one. Note that because the GDPR maximum is the higher of 4 % of turnover and 20 million EUR, the regulatory exposure of a smaller company can in principle exceed this percentage-based estimate.

How can you mitigate risks?

Avoid the risk: One way is to avoid the risk entirely by not processing any sensitive data. This is clearly impossible for POS systems, which by their nature handle payment and customer data.

Transfer the risk: This is difficult too, because where, and to whom, do you transfer it? A contract or insurance policy may cover part of the financial loss, but not the loss of reputation or customers.

Accepting the risk is another approach, but that means the following:

  • You hope that hackers spare your POS systems and your business.
  • You accept whatever legal fines may come from a data breach.
  • You accept the loss of customers and the damage to your company's reputation when a breach occurs.

The only approach that works is to reduce the risk:

To effectively reduce the risk of unauthorized data manipulation, it is best to perform an in-depth inspection of every system that handles sensitive data. The inspection has to be done from the architecture point of view (to reveal the critical and least-protected parts, which represent the major vulnerabilities) and from the source code perspective (to reveal mistakes in application logic and in sensitive operations such as authentication, authorization, and the handling of card and personal data). The result of the inspection is a set of recommendations on how to harden the whole system around the sensitive data. After the fixes have been carried out, a penetration test against the POS terminals, their network connection, and the backend should verify that every fix was done properly and that no new weakness was introduced.

It is important to say that a security audit is not a fight between developers and auditors. It is a cooperation that produces a better result: a better application and a better ecosystem. To reduce risk and protect company assets from being stolen or misused, it is better to stay a step ahead of attackers through timely inspection than to become an entry on a breach list such as https://haveibeenpwned.com.

Learn how we help O2 build and operate a large fleet of point-of-sale systems securely and reliably. Their POS solution is currently the fastest selling and most used on the Czech POS market.

If you'd like a true assessment of the security of your POS system and its backend, ask us about our Security Audit. Alternatively, see our POS system management solution to learn how we can help you build and operate your POS system securely and reliably.

About the Author

Jiri Kohout

TeskaLabs’ VP of Application Security, Jiri Kohout, brings years of experience in ICT security, having served as the Chief Information Security Officer for the Ministry of Justice and Chief Information Officer for Prague Municipal Court. He cooperated with the Czech National Security Agency to prepare the Czech Republic cyber security law.
