According to Verizon’s recent Data Breach Investigations Report, the hospitality industry had the highest number of breaches among all the industry segments measured in both 2011 and 2012. Last year it was edged out by retail, but by a very small margin.
POS systems have proven to be easy targets for organized criminal groups. Because of that, it’s important to institute preventive measures to avoid breaches. These steps will go a long way to improve POS security:
1. Restrict remote access. There was an increase in stolen vendor credentials in 2013. One of the biggest problems was the use of the same password for all organizations managed by the vendor. Limit any remote access into POS systems by third-party vendors to reduce this risk.
2. Maintain customer privacy. Full credit card numbers should never be stored in plain text. Ensure that your terminal truncates card numbers and shows only the last four digits on receipts. Additionally, Visa and MasterCard regulations prohibit merchants from recording personal information on the sales receipt/draft, because that information, combined with the account number on the sales draft, could be used to commit fraud. Keep cardholder account and personal information separate and under tight security. CVV2 card validation numbers must never be written down, recorded or stored, whether electronically or manually, under any circumstances. Credit card numbers and cardholder account information should also never be transmitted via email or unsecured gateways.
3. Do not log PINs. Although a PIN is protected in encrypted (enciphered) form within the transaction message, it must not be retained in transaction journals or logs after the PIN transaction has been processed.
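Added example, not code from the article or from Harbortouch: a Python sketch of what steps 2 and 3 look like when enforced in software rather than by policy alone. It truncates the PAN to its last four digits, drops CVV2 and PIN-block fields entirely before a transaction record reaches the journal, and scans existing receipt or log text for any unmasked card number, using the Luhn check to filter out ordinary 13-19 digit runs such as order ids. The field names, the transaction record and the log lines are all constructed; the card numbers are publicly known test numbers that pass the Luhn check, not real accounts.

```python
import re
from typing import Any, Dict, List

# Constructed sample transaction (hypothetical field names). The PAN is a
# well-known test number that passes the Luhn check, not a real account.
SAMPLE_TXN: Dict[str, Any] = {
    "pan": "4111 1111 1111 1111",
    "expiry": "12/29",
    "cvv2": "123",                     # must never be stored (step 2)
    "pin_block": "0412AC89FE01B2C3",   # constructed; must never be journaled (step 3)
    "amount": "42.50",
    "cardholder": "J. DOE",
}

# Constructed receipt/log lines to scan: one correctly masked, two leaking a
# full PAN, one containing a 16-digit order id that is not a card number.
SAMPLE_LOG_LINES: List[str] = [
    "2024-03-01 12:00:05 SALE 42.50 CARD ************1111 APPROVED",
    "2024-03-01 12:00:09 DEBUG pan=4111111111111111 cvv2=123",
    "2024-03-01 12:00:11 SALE 10.00 CARD 5500 0000 0000 0004 APPROVED",
    "2024-03-01 12:00:14 ORDER 1234567890123456 CLOSED",
]

# Fields that must never be retained after authorisation: removed, not masked.
SENSITIVE_FIELDS = {"cvv2", "cvc", "cvv", "pin", "pin_block", "track_data"}

# 13-19 digits, optionally separated by single spaces or hyphens, not glued to
# other digits. Over-matches on purpose; luhn_ok() does the filtering.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by the card brands; rejects most non-PAN digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate a PAN to its last four digits, e.g. '************1111'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def journal_record(txn: Dict[str, Any]) -> Dict[str, Any]:
    """Return the only form of a transaction that may reach a journal or log:
    PAN truncated, CVV2 and PIN data removed rather than masked."""
    out: Dict[str, Any] = {}
    for key, value in txn.items():
        if key.lower() in SENSITIVE_FIELDS:
            continue
        out[key] = mask_pan(value) if key.lower() == "pan" else value
    return out


def find_unmasked_pans(text: str) -> List[str]:
    """Return digit strings in `text` that look like full PANs (Luhn-valid)."""
    hits = []
    for match in PAN_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def audit_log_lines(lines: List[str]) -> List[int]:
    """Return the 1-based line numbers that contain an unmasked PAN."""
    return [n for n, line in enumerate(lines, start=1) if find_unmasked_pans(line)]


if __name__ == "__main__":
    print(journal_record(SAMPLE_TXN))
    print("lines with full PANs:", audit_log_lines(SAMPLE_LOG_LINES))
```

Running the scanner over an existing journal directory is the quick way to learn whether a terminal or middleware has been quietly writing full PANs; the Luhn filter keeps timestamps and order numbers from drowning the real findings.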
4. Enforce strong password policies. Make absolutely certain that all passwords used for remote access to POS systems are not factory defaults, the names of your POS vendor, dictionary words or otherwise weak. If a third party handles this, require and verify that this is done. Make sure they are not using the same password for other customers.
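Added example, not from the article: a Python policy check for step 4 that a merchant or vendor can run against remote-access passwords. It rejects factory defaults, the vendor name, dictionary words with trivial decoration, and passwords with too few character classes, and a second function reports which customers in a vendor's own credential store share the same password. The default, vendor-name and dictionary lists are short constructed stand-ins, the vendor name "examplepos" is a placeholder, and the 12-character minimum is an assumption since the article sets no length.

```python
import hashlib
import re
from collections import defaultdict
from typing import Dict, List

# Constructed lists (a vendor would load its real product defaults and a full
# wordlist); the vendor name is a hypothetical placeholder.
FACTORY_DEFAULTS = {"password", "admin", "123456", "12345678", "pos", "manager"}
VENDOR_NAMES = {"examplepos"}
DICTIONARY_WORDS = {"restaurant", "kitchen", "welcome", "summer", "register"}
MIN_LENGTH = 12  # assumption: the article sets no length; 12 is a common floor


def password_problems(password: str) -> List[str]:
    """Return the reasons a remote-access password fails the policy in step 4
    (an empty list means it passes)."""
    problems: List[str] = []
    low = password.lower()
    letters_only = re.sub(r"[^a-z]", "", low)   # 'Welcome1!' still reveals 'welcome'
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if low in FACTORY_DEFAULTS or letters_only in FACTORY_DEFAULTS:
        problems.append("factory default")
    for name in VENDOR_NAMES:
        if name in low:
            problems.append(f"contains vendor name {name!r}")
    if letters_only in DICTIONARY_WORDS:
        problems.append("dictionary word with trivial decoration")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        problems.append("fewer than three character classes")
    return problems


def shared_passwords(credentials: Dict[str, str]) -> List[List[str]]:
    """Group customer ids that share the same remote-access password.

    `credentials` maps customer id -> password as held in the vendor's own
    credential store. Grouping is done on a SHA-256 digest so the report
    itself never needs to carry a plaintext password."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for customer, password in credentials.items():
        groups[hashlib.sha256(password.encode()).hexdigest()].append(customer)
    return sorted(sorted(ids) for ids in groups.values() if len(ids) > 1)


if __name__ == "__main__":
    for candidate in ("admin", "Welcome1!", "examplepos2024!", "T7#vqLm9!pRz2w"):
        print(candidate, "->", password_problems(candidate) or "ok")
    # Constructed credential store: two stores sharing one vendor password.
    print(shared_passwords({"store-a": "Same1!Pass",
                            "store-b": "Same1!Pass",
                            "store-c": "Other2@Pw"}))
```

The second function is the check the article asks merchants to demand of their vendor: any group it returns is a set of customers that a single stolen credential would open.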
5. Restrict personal use of your business equipment. Do not browse the web, email, use social media, play games or do anything other than POS-related activities on POS systems.
6. Make sure any online access to your reporting or POS management is always SSL protected. PCI requires adequate encryption of credit card holder information during transmission, and at least 128-bit encryption must be used. The primary reason SSL is used is to keep sensitive information sent across the Internet encrypted so that only the intended recipient can read it. This matters because information you send over the Internet is passed from computer to computer on its way to the destination server. Any computer between you and the server can see your credit card numbers, usernames, passwords and other sensitive information if it is not encrypted under an SSL certificate. When an SSL certificate is used, the information becomes unreadable to everyone except the server you are sending it to, which protects it from hackers and identity thieves.
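Added example, not from the article: a Python client configuration for step 6, showing what "SSL protected" access to a reporting or management portal means in concrete settings. Current software negotiates these connections as TLS; the context below verifies the server certificate chain and hostname, refuses anything below TLS 1.2, and offers only cipher suites of 128-bit strength or more, matching the minimum the article cites. A second function rejects any portal URL that is not https. The hostname reports.example.com is a placeholder.

```python
import ssl
from typing import Dict
from urllib.parse import urlsplit


def reporting_tls_context() -> ssl.SSLContext:
    """Client context for the POS reporting/management portal: certificate
    chain and hostname verified, TLS 1.2 as the floor, AEAD ciphers only."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 suites limited to forward-secret AEAD ciphers; TLS 1.3 suites are
    # configured separately by OpenSSL and are all 128-bit or stronger.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def weakest_cipher_bits(ctx: ssl.SSLContext) -> int:
    """Smallest effective key strength among the suites the context will offer."""
    return min(c["strength_bits"] for c in ctx.get_ciphers())


def tls_policy_summary(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Plain-value view of the policy, usable in a config check or audit report."""
    return {
        "verify_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
        "weakest_cipher_bits": weakest_cipher_bits(ctx),
    }


def check_reporting_url(url: str) -> bool:
    """Refuse to contact a reporting or management endpoint over plain HTTP."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"reporting access must use https, got {parts.scheme!r}")
    return True


if __name__ == "__main__":
    ctx = reporting_tls_context()
    print(tls_policy_summary(ctx))
    # Placeholder hostname; pass the context to urllib or http.client when connecting.
    print(check_reporting_url("https://reports.example.com/login"))
```

The summary function is the part worth keeping in a deployment checklist: if "verify_peer" or "check_hostname" is ever false, the certificate is doing nothing and any machine on the path can read the traffic the article describes.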
If more restaurants start taking these actions, the industry should be a little less vulnerable. Regardless of the statistics, what’s important is that you’re not one of them.
Jared Isaacman is CEO of Harbortouch, a leading supplier of POS systems and payment processing services.