All merchants should review the security of their point-of-sale (POS) card payment systems on a regular basis.
Attackers have recognized that POS systems are a good target because they are a regular point of processing valuable credit card information, and because they are sometimes less secure than typical computer systems.
So, what can a retailer do to reduce its susceptibility to POS-based malware?

Work with your POS system vendor to ensure you are running the most current version of the POS terminal operating software and that it is up to date with patches. Include provisions in your vendor contracts that obligate the POS vendor to test and validate operating system patches promptly.

Make sure the version of POS software in use in your environment has been certified to the Payment Application Data Security Standard (PA-DSS) and that you have configured it as specified in the PA-DSS implementation guide. That certification is one element of complying with the requirements of the Payment Card Industry (PCI) and can help reduce the likelihood of compromised credit card data.

Use multiple layers of malware protection, including protection installed on the POS terminal itself where possible. Malware protection should also be installed at network "chokepoints," such as the point at which your network touches the Internet, on all workstations and servers, and in network intrusion detection devices.

Ensure that all default passwords on network and POS devices have been changed. If possible, use network segmentation to restrict access to the POS devices on your network, and test the effectiveness of your segmentation through regular penetration testing, making adjustments as necessary based on the results. Use different (and unique) usernames and passwords for performing maintenance in the POS environment than those used in other portions of the network.

Use file integrity monitoring software to monitor changes to critical system files on POS devices, and configure automated alerts to notify IT personnel when changes occur so they can be investigated.

Train personnel to be vigilant regarding phishing scams, as they are a common vector of entry for malware.

Originally posted on Nashville Business Journal
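As an added illustration of the file integrity monitoring step (this is example code written for this page, not code from the original column or from any vendor product), the following Python script shows the baseline-and-compare cycle a FIM tool performs: it records a SHA-256 hash of each monitored file, later re-hashes the same set, and turns any difference into an alert line for IT staff to investigate. The monitored file names (bin/pos_app, etc/pos.conf, lib/payment.dll) and their contents are constructed placeholders under a temporary directory, not real POS paths.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root, monitored):
    """Record the hash of every monitored file under root.

    A file that does not exist yet is recorded as None so that its later
    appearance is reported as an addition rather than silently ignored.
    """
    baseline = {}
    for rel in monitored:
        path = os.path.join(root, rel)
        baseline[rel] = hash_file(path) if os.path.isfile(path) else None
    return baseline


def compare_baseline(root, baseline):
    """Re-hash the monitored files and classify every change against the baseline."""
    findings = {"modified": [], "missing": [], "added": []}
    for rel, old_hash in sorted(baseline.items()):
        path = os.path.join(root, rel)
        new_hash = hash_file(path) if os.path.isfile(path) else None
        if new_hash == old_hash:
            continue
        if new_hash is None:
            findings["missing"].append(rel)
        elif old_hash is None:
            findings["added"].append(rel)
        else:
            findings["modified"].append(rel)
    return findings


def alert_lines(findings):
    """Render findings as one alert per file; an empty list means nothing to investigate."""
    lines = []
    for category in ("modified", "missing", "added"):
        for rel in findings[category]:
            lines.append("FIM ALERT: %s file %s" % (category, rel))
    return lines


def demo():
    """Constructed scenario: baseline three files, tamper with one, delete one, then compare."""
    monitored = ["bin/pos_app", "etc/pos.conf", "lib/payment.dll"]  # placeholder names
    contents = {
        "bin/pos_app": b"original binary",
        "etc/pos.conf": b"port=9100\n",
        "lib/payment.dll": b"library v1",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in contents.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)

        # In a real deployment the baseline is stored off the POS host (or signed)
        # so that whoever alters the files cannot also alter the reference hashes.
        stored = json.dumps(build_baseline(root, monitored))

        # Simulate an unexpected change and a deleted file on the terminal.
        with open(os.path.join(root, "bin/pos_app"), "wb") as fh:
            fh.write(b"tampered binary")
        os.remove(os.path.join(root, "lib/payment.dll"))

        return compare_baseline(root, json.loads(stored))


if __name__ == "__main__":
    for line in alert_lines(demo()):
        print(line)
```

The design point worth noting is that the baseline must be kept somewhere the POS terminal itself cannot rewrite, and that the comparison should run on a schedule and after every vendor patch, with the expected patch-time changes reviewed and a fresh baseline taken once they are confirmed legitimate.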