Protecting credit card numbers on your point of sale system


One software company I know well has recently released a statement that, because they do not hold credit card numbers in their software, their clients can have tranquillity about their customers' credit card details and fraud. Well, it might get them off the hook if a potential court case starts, but it is certainly not the *whole* truth.

Firstly, let's start off by saying that such data breaches are extremely serious. As I wrote here, a study by Experian showed that 60% of small to medium businesses closed down within six months after such a data breach. Much of this, I think, must be because the banks, MasterCard and Visa, looking to recover their monies, go for the retailer, and then there are fines and legal costs too.

What is happening now is that a relatively new class of viruses called PoS RAM Scraper Malware has been created by hackers specifically to target retail shops, and it's huge. The reason why retail shops are targeted is simple: there are a lot of credit card details going through the POS system.

Here is a map of PunkeyPOS found by a well-known antivirus company in June this year. What it shows is the places where they found it.


You can read more details on what they found here.

What can be done?

You may want to have a chat with your credit card provider; however, here are some tips I would recommend.

1) Be careful where you and your staff go on the net. If you must go to these sites, use a computer that is not on your POS system.

2) Make sure you have a virus protector that is maintained. Let me warn you here that there is no best antivirus out there; they all have pluses and minuses. Note that Windows Defender in Windows 10, I think, is very good, and it's free to all businesses.

3) Update your Windows software with the latest patches.

4) A firewall would be good. I would recommend setting up your firewall on the machine that does EFTPOS to stop access to almost all the net. The other advantage to doing this is that your employees will surf less on your time. I think the free Windows firewall is good. It is fairly easy to use. It passes all inbound tests (both stealth and open port) and does not have any popup alerts, which can be a real pain. Also, it is not likely to conflict with your other programs. Plus, most techs know it.
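
One way to apply tip 4 with the built-in Windows firewall, shown as an added example that is not part of the original post: block everything by default on the EFTPOS machine and allow only DNS and the payment gateway. The IP addresses, the rule group name and the assumption that the EFTPOS software talks to its gateway over TCP 443 are placeholders; get the real endpoints from your EFTPOS provider.

```powershell
# Run in an elevated PowerShell session on the machine that does EFTPOS.
# ASSUMPTIONS (placeholders, documentation address ranges, not real endpoints):
$PaymentHosts = @('203.0.113.10', '203.0.113.11')  # payment gateway IPs from your provider
$DnsServers   = @('192.0.2.53')                    # the DNS resolver this machine uses
$RuleGroup    = 'POS Lockdown'                     # hypothetical group name, used for cleanup

# Save the current policy first so the change can be rolled back with
# "netsh advfirewall import <file>".
$Backup = "$env:SystemDrive\fw-backup-$(Get-Date -Format yyyyMMdd-HHmmss).wfw"
netsh advfirewall export $Backup | Out-Null

# Remove earlier copies of these rules so the script can be re-run safely.
Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Allow only what the till needs: DNS lookups and TLS to the payment gateway.
New-NetFirewallRule -DisplayName 'POS: DNS out' -Group $RuleGroup `
    -Direction Outbound -Action Allow -Protocol UDP -RemotePort 53 `
    -RemoteAddress $DnsServers | Out-Null
New-NetFirewallRule -DisplayName 'POS: payment gateway out' -Group $RuleGroup `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 443 `
    -RemoteAddress $PaymentHosts | Out-Null

# Default-deny in both directions on every profile, and log what gets dropped
# so a blocked-but-needed connection (or something calling out) is visible.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block -LogBlocked True

# Show the resulting policy and the rules added above.
Get-NetFirewallProfile |
    Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked
Get-NetFirewallRule -Group $RuleGroup |
    Format-Table DisplayName, Direction, Action, Enabled
```

Outbound allow rules that already exist on the machine stay active after this change, so review them as well. With outbound traffic blocked by default, the Windows and antivirus updates from tips 2 and 3 also need their own allow rule or an internal update source.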

If all of this does not work, at least you can have a good argument in court that you did try your best.