Point-of-Sale Security Still a Big Problem

Recent major retail breaches, and my own experience, highlight that point-of-sale system security is still a big problem, and the large-scale cyber attack now underway using the WannaCry worm is, I am sure, only the beginning. There are too many aged computers running old, unpatched operating systems that are wide open to WannaCry.

So what are these hackers' prime targets in retail? It will not be ransomware but EFTPOS. A ransomware attack gets them, say, $500 US (hackers always work in US dollars), but here is a guesstimate of what a small shop will bring in for the hacker through EFTPOS.

Take a small shop doing, say, half a million a year in EFTPOS, with an average transaction of $50, a hack that lasts two months, and, say, 50% repeat customers.

= $500,000 / $50 x 2 x 50%

= 10,000 accounts. Now that estimate is probably a bit high.

But if, say, half of these credit cards are hit for $200 US each, which is very conservative, that is $A2.7 million, which I think is a bit low overall.

Many retailers mistakenly believe that because MasterCard and Visa take responsibility for the debt, they are covered for this sum. This is not true. What happens in these situations is that the banks, Visa, American Express, Mastercard and others will look into recovering their money from the retailer unless the retailer has a very good excuse, and they will also be asking for fines and legal costs. These costs are not trivial. In the US, according to a study by Experian, 60% of retailers closed down within six months after a data breach; the study does not give the cause, but I am sure much of that is for this reason.

As a result, we look into our clients' EFTPOS security, and we ask you to do so too.

Our recommended system is Tyro. Here are some of the features we see, and we like.

Tyro was the first and only Australian EFTPOS provider to be successfully validated against the Payment Card Industry Data Security Standard (PCI DSS).

The main unit they use is a Yomani, which we inspected a short time ago.

Notice that the unit is curved everywhere; part of the reason for this is to prevent skimming hardware from being attached on top of it. Note also that, to protect the PIN the cardholder enters, the PIN pad is fitted with a unique key-entry shield to increase privacy.

Tyro terminals are also PCI PTS compliant.

All cardholder data is encrypted on the Tyro terminal, and a hacker would need a lot of technical knowledge to get at it, because the EFTPOS data never passes from the EFTPOS unit into your point-of-sale software. The terminals also have tamper resistance built in: if the unit detects any hardware tampering, it will refuse to perform any transactions. Depending on the type of attack, a terminal that picks it up will display one of several messages, but generally something like this.

If this happens, the unit will no longer work and will need to be replaced.

Plus, even if the data could be obtained from the retailer's side, it is encrypted.

All of this is of course very good, but I still urge everyone to make sure their security is up to date.

Your Windows should be current, at least Windows 7 by now. Your antivirus software should be up to date; note that the free Microsoft product Windows Defender is quite good, and if you want more there are several excellent antivirus packages around. And of course, be careful.
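The advice above boils down to a few things you can check on each till or back-office PC. The following PowerShell script is an added example written for this post, not something from Tyro or from our own software; it reports the Windows version and build, the state of Microsoft Defender and its signature age, whether the SMBv1 file-sharing protocol that WannaCry spreads over is still enabled, and the most recently installed updates. It assumes a Windows 8.1/10 or Server 2012+ machine (the `Get-MpComputerStatus` cmdlet does not exist on Windows 7, where the script reports that and moves on) and should be run in an elevated PowerShell session. The three-day signature threshold is our own assumption, not a Microsoft figure.

```powershell
# Added example (not from the original post): health check for a Windows POS workstation.
# Assumes Windows 8.1/10 or Server 2012+ with Microsoft Defender; run as Administrator.

# 1. Operating system version and build
$os = Get-CimInstance -ClassName Win32_OperatingSystem
[pscustomobject]@{
    OSName    = $os.Caption
    OSVersion = $os.Version
    Build     = $os.BuildNumber
    LastBoot  = $os.LastBootUpTime
} | Format-List

# Windows 7 SP1 is build 7601; anything lower fails the post's own minimum.
if ([int]$os.BuildNumber -lt 7601) {
    Write-Warning "OS is older than Windows 7 SP1 and should not be processing card payments."
}

# 2. Antivirus state: real-time protection on, signatures fresh
$maxSignatureAgeDays = 3   # assumed threshold for this example
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
    [pscustomobject]@{
        AntivirusEnabled       = $mp.AntivirusEnabled
        RealTimeProtection     = $mp.RealTimeProtectionEnabled
        SignatureLastUpdated   = $mp.AntivirusSignatureLastUpdated
        SignatureAgeDays       = [math]::Round($sigAge.TotalDays, 1)
    } | Format-List

    if (-not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) {
        Write-Warning "Defender antivirus or real-time protection is turned off."
    }
    if ($sigAge.TotalDays -gt $maxSignatureAgeDays) {
        Write-Warning "Antivirus signatures are older than $maxSignatureAgeDays days."
    }
}
catch {
    # Windows 7 has no Defender cmdlets (it uses Microsoft Security Essentials); check AV manually there.
    Write-Warning "Get-MpComputerStatus not available on this system: $($_.Exception.Message)"
}

# 3. SMBv1: the protocol WannaCry spreads over. Microsoft documents the LanmanServer
#    'SMB1' registry value: 0 = disabled, 1 or absent = enabled (default on older Windows).
$smbKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb1 = (Get-ItemProperty -Path $smbKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
if ($null -eq $smb1 -or $smb1 -ne 0) {
    Write-Warning "SMBv1 server is enabled. Apply the MS17-010 update and disable SMBv1 if nothing on the network needs it."
} else {
    Write-Host "SMBv1 server is disabled." -ForegroundColor Green
}

# 4. Most recent installed updates, so you can see how long since Windows Update last ran
Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn |
    Format-Table -AutoSize
```

Run it on each machine that touches the POS network, including the back-office PC, and treat any warning it prints as a job for today rather than next month. The script only reads state; it changes nothing, so it is safe to run during trading hours.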

If you want to know more, please let me know.