
The Security Vulnerabilities of PoS Systems and How to Address Them

Encora | July 16, 2020

Point-of-Sale (PoS) systems are rapidly becoming the technology of choice for retail businesses as an all-in-one solution. Be it inventory information, stock handling, sharing customer data across stores, or managing business expenses, PoS systems have proven to be effective in providing a robust digital database for the retail sector. PoS systems have gained preference over cash for their ease of use, greater accuracy, detailed receipts, and error-free checkouts. However, the rapid growth of PoS transactions across the retail industry also raises some security concerns.

How Safe is the Payment Process over PoS?

According to recent statistics, PoS systems in retail outlets, restaurants, and the hospitality industry are attacked many times every minute. As more technology is used to process sales, threats such as cyber-attacks and data theft rise significantly, and reported data breaches grow drastically every year. However, several breakthroughs in fraud-detection technology have reduced the risks involved in using cards at PoS terminals.


What actually happens when you use your card to pay at a restaurant or supermarket?

When your card is swiped at the card reader, it captures the card data and transfers the information to the PoS terminal. The PoS terminal then encrypts the data and sends it to the retail server. The retail server decrypts the data, briefly exposing it, and further re-encrypts it to transmit to the payment gateway. Once at the gateway, the card information is re-decrypted and sent to the bank for processing.

Throughout the payment process, the card data is therefore decrypted and exposed in cleartext at several points, and each of those points is an opportunity for theft.


Hackers usually obtain credit card information by installing automated malware. This malware infiltrates networks, systems, and workstations, looking for unencrypted cardholder data. This data is then sold on the dark web.


So how can customers safeguard information?


Point-to-Point Encryption (P2PE) is regarded as one of the standard payment security solutions: it converts confidential payment card data into indecipherable ciphertext the moment the card is swiped at a PoS terminal. P2PE solutions minimize fraud and limit the impact of malicious activity such as hacking.

Encryption does not by itself prevent interception, but it denies a would-be interceptor access to the intelligible content. Using encryption for card payments transforms the payment card data into an indecipherable format and renders it unusable to hackers and cybercriminals, who have no means of inverting the data back to its original form. PCI-validated P2PE solutions provide not only point-to-point encryption but also validated hardware, software, and solution-provider processes and environments. Hence, one of the most secure ways to safeguard valuable cardholder data in PoS systems is a PCI (Payment Card Industry) validated P2PE solution.

Let’s look at how P2PE works in a PoS system.


When you swipe your card on a P2PE-secured PoS system, the devices or readers used are already integrated and PCI-compliant, which means a key has been injected into each device before the merchant ever receives it. The card information is encrypted immediately as it passes through these peripherals, so P2PE protects payment card data from the point of capture until the secure decryption endpoint. The card information remains encrypted as it is transmitted to the point-of-sale terminal, then to the retail server, and on to the payment gateway. Each transaction is protected with a one-time key that is destroyed after use, so compromising one transaction's key reveals nothing about any other. The decryption keys are stored in a Hardware Security Module (HSM) at the payment gateway. Once the data is decrypted at the payment gateway, it is sent to the acquirer for approval.
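The following Python model is an added illustration, not code from Encora or from any P2PE vendor. It contrasts the two flows described above: in the earlier flow the retail server decrypts and re-encrypts the card data, exposing it on that host, whereas in the P2PE flow the reader encrypts the PAN at capture with a per-transaction key, the PoS terminal and retail server only relay an opaque envelope, and only the gateway HSM can decrypt it. The key-derivation (HMAC-SHA256 over reader serial and counter, a stand-in for a scheme such as DUKPT), the HMAC-based toy stream cipher, the reader serial `RDR-0001`, the sample base key and the test PANs are all constructed for this example and are not production-grade primitives.

```python
"""Toy model of a P2PE payment path: reader -> PoS terminal -> retail server -> gateway HSM.
Added illustration; the KDF and cipher are simplified stand-ins for production schemes."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Tuple

# Base derivation key shared only by the reader (injected before deployment) and the
# gateway's HSM. Constructed sample value for this example, not a real key.
BASE_KEY = bytes.fromhex("8f1c2e7a9b3d4c5e6f7081920a1b2c3d4e5f60718293a4b5c6d7e8f901122334")


def derive_transaction_key(base_key: bytes, reader_id: str, counter: int) -> bytes:
    """One key per transaction: HMAC-SHA256(base_key, reader serial || counter).
    Assumption: a stand-in for a unique-key-per-transaction scheme such as DUKPT."""
    return hmac.new(base_key, f"{reader_id}:{counter}".encode(), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 run in counter mode, used here as a toy stream cipher."""
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> Tuple[bytes, bytes]:
    """Encrypt-then-MAC: XOR with the keystream, then authenticate nonce || ciphertext."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return ct, hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject anything altered in transit."""
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: envelope altered in transit")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class CardReader:
    """PCI-listed reader: the base key is inside before the merchant receives the device."""
    reader_id: str
    base_key: bytes
    counter: int = 0

    def swipe(self, pan: str) -> Dict:
        """Encrypt the PAN at the point of capture. The one-time key is derived, used once
        and dropped; only the sealed envelope leaves the device."""
        self.counter += 1
        nonce = self.counter.to_bytes(8, "big")
        key = derive_transaction_key(self.base_key, self.reader_id, self.counter)
        ct, tag = seal(key, nonce, pan.encode())
        del key  # destroyed after use: the key is never stored on the merchant side
        return {"reader_id": self.reader_id, "counter": self.counter,
                "nonce": nonce, "ct": ct, "tag": tag, "hops": ["reader"]}


def relay(envelope: Dict, hop: str) -> Dict:
    """PoS terminal and retail server only forward the envelope. They hold no key, so,
    unlike the decrypt-and-re-encrypt flow, no cleartext exists on these hosts for
    memory-scraping malware to find."""
    return dict(envelope, hops=envelope["hops"] + [hop])


def envelope_exposes_pan(envelope: Dict, pan: str) -> bool:
    """What an intermediate hop (or malware on it) can see: is the PAN in the clear anywhere?"""
    needle = pan.encode()
    return any(isinstance(v, bytes) and needle in v for v in envelope.values())


class GatewayHSM:
    """Decryption endpoint. Only the HSM holds the base key; it also remembers the last
    counter per reader so a captured envelope cannot be replayed."""

    def __init__(self, base_key: bytes):
        self._base_key = base_key
        self._last_counter: Dict[str, int] = {}

    def decrypt(self, envelope: Dict) -> str:
        rid, ctr = envelope["reader_id"], envelope["counter"]
        if ctr <= self._last_counter.get(rid, 0):
            raise ValueError(f"replayed or stale counter {ctr} from {rid}")
        key = derive_transaction_key(self._base_key, rid, ctr)
        pan = unseal(key, envelope["nonce"], envelope["ct"], envelope["tag"]).decode()
        self._last_counter[rid] = ctr
        return pan


def mask_pan(pan: str) -> str:
    """First six and last four digits only: the form that may appear in receipts and logs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    reader, hsm = CardReader("RDR-0001", BASE_KEY), GatewayHSM(BASE_KEY)
    env = relay(relay(reader.swipe("4111111111111111"), "pos_terminal"), "retail_server")
    print("hops:", env["hops"], "| PAN visible in transit:", envelope_exposes_pan(env, "4111111111111111"))
    print("gateway decrypted:", mask_pan(hsm.decrypt(env)))
```

The point to take from the model is structural rather than cryptographic: because the PoS terminal and retail server never hold a key, `envelope_exposes_pan` is false at every intermediate hop, and the gateway's counter check means a recorded envelope cannot be submitted twice. The nonce is the transaction counter, which is acceptable here only because the key itself changes every transaction.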


Are PoS Systems Completely Secure?

While attacks against PoS systems are decreasing, that does not mean they will disappear completely. Cybercriminals will continue to target vulnerable and compromised PoS systems as long as there is a market for stolen credit cards. However, with retailers switching over to secure EMV (Europay, Mastercard and Visa) cards, P2PE and tokenization, fraud has dropped considerably.

All-inclusive payment security solutions, including encryption, have become mandatory for businesses that want to avoid data breaches and secure their transactions. PoS security practices include the exclusive use of PCI-compliant devices, constant surveillance of physical devices to detect tampering with wiring, placing hidden cameras, and isolating PoS systems from external networks. While the risk of a data breach is still real, security technologies are changing rapidly to protect cardholders at PoS systems.

Are you ready to accelerate your path to security? Encora can help! Let’s talk.
