Tackling the microwave nation mentality.

Brand Barney, Security Analyst, SecurityMetrics
As a microwave nation, we have a very plug-and-play mentality when it comes to electronics and devices. When my morning coffee takes longer than 60 seconds, I’m snapping my fingers, checking my watch, and rolling my eyes. In our minds, faster is better.

In a similar way, the microwave mindset is ruining Point-of-Sale (POS) security. From manufacturers to salesmen to implementation, the security process is broken.

Manufacturers

When a new POS system is created, manufacturers and developers go through a delicate balancing act. The objective is to get a product out as fast as possible. The problem is, security eats into go-to-market time. The more security they build in, the more likely competitors beat them to the punch. Unfortunately, this applies to just about every industry.

My point? Many manufacturers don’t take the time to ensure their products are secure before they slap the “100% PCI Compliant” sticker on it.

Salesmen

POS manufacturers are great marketers. “This POS system is secure!” or “Guaranteed compliant!” are great ways to differentiate from the competition...but they often aren’t true.

Merchant implementation

The faster a merchant can enjoy the benefits of a new POS system, the more money he makes. The less time he has to spend fiddling around with settings, the more he can spend making pizzas, or shining shoes, or developing software for his business.

Merchants are told by manufacturers, salesmen, and installers that the system is safe, so they plug it right into their environment without a second thought. On occasion, POS systems aren’t properly configured right out of the box, which can lead to devastating POS malware being uploaded onto the POS device. Additionally, the POS device itself may be missing crucial patches.

So how does a business compensate for not-so-secure POS systems?
Here are three important questions to consider before installing a point-of-sale system in your cardholder data environment.

1) Are all vendor-supplied security patches installed?

It doesn’t take long for a POS system to become ‘old.’ Here’s what I mean. Every second that a released update goes uninstalled, the system drifts further from security and closer to non-compliance.

Chances are if you’re running an old POS system in your environment, it’s riddled with weaknesses. Maybe you missed a few security patches along the way. Or maybe it’s no longer supported by the manufacturer.

Even if you bought and installed a new POS system every week (a ridiculous notion, I know), your security wouldn’t be foolproof. Technology changes so rapidly that by the time you get the brand new system home or to your business, a new update may already be waiting to be installed.


That’s why updates are so important to maintaining point-of-sale security. I recommend going to the POS manufacturer’s website to find the most recent patches and updates for your device…right after you read the rest of this post, of course.

2) Has your environment been tested for vulnerabilities?

If you dip a marshmallow in a pot of melted chocolate, what color is it when you pull it out? Brown. It’s unlikely any amount of licking will get it back to pure white.

Just like my marshmallow example, a squeaky-clean POS system can become immediately infected if placed in an insecure environment.


That’s why your payment processing environment must be regularly tested for vulnerabilities, both internally and externally. Not only should you scan your environment every quarter, but you should also scan before and after ANY changes are made, including installing a new POS system.

Some business owners, POS installers, and even IT experts think, “We have a quarterly test coming up in 2 months, let’s worry about scanning then.” Or, “We just ran a vulnerability scan yesterday, I’m sure our system is fine.”

WRONG!

Hackers search for the smallest of holes to squeeze into a business environment. Weaknesses are discovered every minute. Resolving the issues you find in your vulnerability scan immediately prior to installing any new technology will save you a lot of heartache in the long run and may save you from a business-crippling data breach.
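As an added example (not code from the original post), here is how the “scan before and after any change” rule can be turned into a simple go-live gate: it diffs a baseline scan taken before the POS install against a scan taken afterwards, lists what the change introduced, and blocks go-live while any of those findings is unresolved. The scan records, hosts and check identifiers are constructed for illustration and assume no particular scanner’s format.

```python
"""Pre/post-change vulnerability scan gate (added example, constructed data)."""
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check_id: str      # scanner check identifier (constructed, not a real plugin ID)
    severity: str
    title: str

    def key(self):
        # Same host, port and check means the same finding across two scans.
        return (self.host, self.port, self.check_id)


# Constructed sample: scan of the cardholder data environment before the new
# POS terminal was plugged in.  One pre-existing finding on an unrelated host.
BEFORE = [
    Finding("10.0.5.20", 443, "TLS-1.0", "medium", "TLS 1.0 enabled"),
]

# Constructed sample: same environment after the POS terminal (10.0.5.31) was
# installed with vendor defaults and without vendor patches applied.
AFTER = [
    Finding("10.0.5.20", 443, "TLS-1.0", "medium", "TLS 1.0 enabled"),
    Finding("10.0.5.31", 3389, "RDP-OPEN", "high", "Remote Desktop exposed"),
    Finding("10.0.5.31", 445, "SMB-PATCH", "critical", "Missing vendor patch"),
]


def new_findings(before, after):
    """Findings present after the change but absent from the baseline, worst first."""
    seen = {f.key() for f in before}
    return sorted((f for f in after if f.key() not in seen),
                  key=lambda f: -SEVERITY_RANK[f.severity])


def go_live_allowed(before, after, threshold="medium"):
    """Allow go-live only if the change introduced nothing at or above threshold."""
    limit = SEVERITY_RANK[threshold]
    return all(SEVERITY_RANK[f.severity] < limit for f in new_findings(before, after))


if __name__ == "__main__":
    for f in new_findings(BEFORE, AFTER):
        print(f"{f.severity:8} {f.host}:{f.port}  {f.title}")
    print("go-live allowed:", go_live_allowed(BEFORE, AFTER))
```

Re-run the post-change scan after remediation and feed it in as `after`; the gate opens only once the findings the install introduced are gone.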

3) Whose responsibility is POS security? The manufacturer, the installer, your IT guy, or the merchant?

Many merchants believe security is being dealt with by someone else, and that this means it’s not their problem. This is wrong. It is always the merchant’s responsibility to make sure a POS system is secure, fully patched, and devoid of known vulnerabilities. That means it’s also the merchant’s responsibility to pay for any breaches that result from an insecure POS system.

No matter how pushy he is, don’t let your IT guy or POS installer talk you out of testing your systems before going live. Even if he’s someone you trust. Remember, you’re ultimately the one liable if something goes wrong.

If your IT guy balks at all the security precautions (testing, updating, vulnerability scanning, remediating vulnerabilities, etc.) remind him that you require rigorous testing of all systems prior to production, no matter the device or system.

Remember the story of the tortoise and the hare? Slow and steady wins the race. Stop racing to a breach and start walking to security.


SOS

If you need help with POS configuration, vulnerability scanning, installing security patches (anything!), PLEASE ask for help. Contact your POS vendor, PCI vendor, or your QSA, who will be happy to help you secure not only your POS environment, but the rest of your systems as well.

What other security questions do you have?

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.
