Here's how businesses can prevent point-of-sale attacks

Here's how businesses can prevent point-of-sale attacks

Point-of-sale malware has been targeting retailers to steal credit card data

Retailers, hotels and restaurants have all been victimized through the same Achilles' heel that cybercriminals continue to attack: the point-of-sale system, where customers' payment data is routinely processed.  

These digital cash registers are often the target of malware designed to steal credit card numbers in the thousands or even millions. This year, fast food vendor Wendy's, clothing retailer Eddie Bauer and Kimpton Hotels have all reported data breaches stemming from such attacks.

Security experts, however, are encouraging a variety of approaches to keep businesses secure from point-of-sale-related intrusions. Here are a few to consider:


Point-of-sale malware can strike in a number ways. Often, it can involve hackers spreading malicious code by breaching the remote access services designed to maintain the payment processing systems, said John Christly, CISO of Netsurion, a security provider.

These remote access services can be poorly configured with guessable passwords, enabling the hackers to break in and distribute the malware to hundreds or thousands of point-of-sale machines. It also doesn't help that the malware can be tricky to detect, Christly added. Sometimes, it can sneak past antivirus programs, and then stealthily extract payment data, despite the presence of traditional firewalls.

"Then it can send out the stolen data slowly, making it look like normal traffic," Christly said. "A few months will go by, and who knows how many credit cards will have been breached."

Businesses that provide remote access to their point of sale system can consider installing two-factor authentication, to avoid relying only on password logins, Christly said. But to ensure better detection of all possible threats, he advocates that businesses go beyond basic antivirus and firewalls and use tools that can monitor for any unusual activity on the actual point-of-sale machines.

"You have to watch every computer to make sure nothing has changed," Christly said. "Whether that computer is active during the night and communicating data, or if the files are being changed."

These tools have been generally marketed to big brand retailers, but Netsurion said it's been offering them at a low cost to small and medium-size businesses.


Although hackers continue to develop ever-craftier point-of-sale malware, the most resilient malicious coding becomes useless if all it steals is encrypted data, said George Rice, a senior director of payments at Hewlett Packard Enterprise Security.

Typically, point-of-sale malware works by reading payment data the moment the card is swiped through the retail checkout machine. It does this by scraping the RAM memory of the point-of-sale terminal, where the payment data can be unencrypted.

"The malware techniques are evolving all the time," Rice said. Criminals also understand that retailers are continually updating their point-of-sale machines for pricing or inventory reasons. "So they (the hackers) are using a variety of vulnerabilities to insert the malware into the system," he added.

However, businesses are far less vulnerable to any data breach if they move to end-to-end encryption, according to Rice. That means encrypting the customer's data throughout the entire payment process, including the moment the credit card is swiped.

"This technique can help close any loopholes and vulnerabilities within the system," Rice said.

ingenico Ingenico

A countertop Ingencio checkout terminal.

Earlier this year, HPE Securty announced a partnership with Ingenico, a maker of payment checkout devices, on an end-to-end encryption product for businesses.

To better protect payment data, Hewlett Packard Enterprise Security also provides tokenization, a process of replacing the processed payment card data with digital placeholders, known as tokens. Both this and encryption can be used in combination to reduce the risk of data theft, Rice said.


Unfortunately, when businesses select the point-of-sale system they wish to buy, they rarely think of security, said Charles Henderson, the head of X-Force Red, a security testing team at IBM.

"Most companies assume when they buy a point-of-sale system, they're buying something secure," Henderson said. Buyers also tend to conflate security with a product's compliance to industry standards, but that's not always true, he added.

Henderson's team routinely tests point-of-sale systems to look for vulnerabilities. Often, his team finds them when the business assumed its system was secure because of its industry compliance.

In addition, many of these point-of-sale products are installed by third-party resellers that may not specialize in security. These factors can put businesses at risk, he said.

To prevent this problem, Henderson advises that businesses hire a security specialist to test that their point-of-sale system for any vulnerabilities. Most mainstream point-of-sale system products can be secured with the right implementation, he added. 

That testing also goes for security products. Although encryption and other malware-fighting tools can prevent data breaches in point-of-sale systems, they're practically useless if they aren't properly installed, Henderson said.

"They're not bullet proof. The devil is in the implementation," he said.

Follow Us

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Brand Post

What to expect from your IT Distributor

Whether you’re just starting out or you’ve been around since before the dot com rollercoaster, choosing the right distribution partner can be a pivotal factor in your success. This definitive guide outlines the traits that every IT partner needs to look for in their IT Distributor.



Meet the Reseller News 30 Under 30 Tech Awards 2020 winners

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners

This year’s Reseller News 30 Under 30 Tech Awards were held as an integral part of the first entirely virtual Emerging Leaders​ forum, an annual event dedicated to identifying, educating and showcasing the New Zealand technology market’s rising stars. The 30 Under 30 Tech Awards 2020 recognised the outstanding achievements and business excellence of 30 talented individuals​, across both young leaders and those just starting out. In this slideshow, Reseller News honours this year's winners and captures their thoughts about how their ideas of leadership have changed over time.​

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners
Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security

Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security

This exclusive Reseller News Exchange event in Auckland explored the challenges facing the partner community on the cloud security frontier, as well as market trends, customer priorities and how the channel can capitalise on the opportunities available. In association with Arrow, Bitdefender, Exclusive Networks, Fortinet and Palo Alto Networks. Photos by Gino Demeer.

Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security
Reseller News welcomes industry figures at 2020 Hall of Fame lunch

Reseller News welcomes industry figures at 2020 Hall of Fame lunch

Reseller News welcomed 2019 inductees - Leanne Buer, Ross Jenkins and Terry Dunn - to the fourth running of the Reseller News Hall of Fame lunch, held at the French Cafe in Auckland. The inductees discussed the changing face of the IT channel ecosystem in New Zealand and what it means to be a Reseller News Hall of Fame inductee. Photos by Gino Demeer.

Reseller News welcomes industry figures at 2020 Hall of Fame lunch
Show Comments