Multi-Unit Franchisee Magazine Issue I, 2015 | Page 76
Security | By Brand Barney
How Safe Is Your POS System – Really?
5 critical questions for your POS vendor
While very skilled at installing systems, point-of-sale (POS) vendors often don’t understand security basics and likely won’t make your security their main priority. Obviously, this can lead to very poor organizational security. After all, your POS system harbors some of the most valuable information at your organization: customer credit card data.

Before hiring someone to set up your POS environment, there are five key questions you should ask. These questions are designed to help you weed out ignorant vendors that don’t have your security best interests at heart.
1) Can I set my own user name and password? If a vendor provides POS credentials and won’t let you change them, that’s a serious red flag. It likely means they’re using those same credentials at every other client’s business too, also known as “universal credentials.” Setting up universal credentials simplifies a POS installer’s job: no need to rack his brain for each client’s password when performing routine system maintenance (see point #2). He only needs to memorize one password! Unfortunately, this insecure practice leaves your business in danger. An installer really concerned about your security should allow you to choose your own password, and encourage you to follow industry best practices (e.g., your password must be a minimum of 8 characters long, have at least 4 special characters, and 2 numbers).
2) How often do you conduct routine maintenance? A POS vendor’s job isn’t just to install software/hardware and disappear from your life forever. The vendor should be constantly maintaining those systems by installing updates on both applicable operating systems and POS software. One great question to ask is, “Are all critical security patches installed within one month of release?” I understand that keeping your system patched with the latest and greatest security isn’t always fun, but it will help protect you from a data breach and is absolutely worth the time it takes to ensure your vendor is staying on top of it.
3) Do you use unique remote access credentials for each POS system? If your POS vendor uses the same credentials to access your store as they use for others, their breach might soon become your breach. An attacker who discovers a vendor’s remote access password now has ready-made credentials to get into any other system using the same credentials, including yours. Ensure your vendor uses unique credentials to access your environment.

You should also ask how long your vendor needs the remote access connection to your systems. It is not uncommon for a vendor to gain access remotely and then never disconnect. This is a very poor security practice and should be prohibited. Keep your vendor’s access to a minimum and monitor it regularly.
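The two failures in point 3, a vendor session that is never disconnected and one credential reused across stores, can be spotted from remote-access logs. The Python audit below is an added example, not code from the article or from SecurityMetrics; the log format, store names, user names and the two-hour limit are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, store, event, username, session id.
# Session s2 on store-07 is never closed; "vendor-support" logs in at two stores.
SAMPLE_LOG = """\
2015-01-05T09:00:00 store-12 login  vendor-support s1
2015-01-05T09:40:00 store-12 logout vendor-support s1
2015-01-05T10:00:00 store-07 login  vendor-support s2
2015-01-06T08:00:00 store-07 login  acme-tech-07 s3
2015-01-06T08:20:00 store-07 logout acme-tech-07 s3
"""

MAX_SESSION = timedelta(hours=2)             # assumed limit for one maintenance window
AUDIT_TIME = datetime(2015, 1, 7, 12, 0, 0)  # fixed "now" so the audit is reproducible

def parse_log(text):
    """Turn the whitespace-separated log into (time, store, event, user, sid) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, store, event, user, sid = line.split()
            events.append((datetime.fromisoformat(ts), store, event, user, sid))
    return events

def audit_sessions(events, now=AUDIT_TIME, max_session=MAX_SESSION):
    """Return (sid, store, user, reason) for sessions that overran or never closed."""
    opened = {}  # sid -> (login time, store, user) for sessions with no logout yet
    findings = []
    for ts, store, event, user, sid in events:
        if event == "login":
            opened[sid] = (ts, store, user)
        elif event == "logout" and sid in opened:
            start, _, _ = opened.pop(sid)
            if ts - start > max_session:
                findings.append((sid, store, user, "exceeded max duration"))
    for sid, (start, store, user) in opened.items():  # still open at audit time
        if now - start > max_session:
            findings.append((sid, store, user, "never disconnected"))
    return findings

def shared_credentials(events):
    """Map each user name that logged in at more than one store to those stores."""
    stores = defaultdict(set)
    for _, store, event, user, _ in events:
        if event == "login":
            stores[user].add(store)
    return {user: sorted(s) for user, s in stores.items() if len(s) > 1}
```

Run the two checks over the log your remote-access gateway exports; a hit on either one is something to raise with the vendor before the next maintenance window.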
4) Do you maintain our anti-virus? An anti-virus program keeps an eye on your system. It’s pretty independent, but when it finds a problem it requires human direction. It will ask if you want to delete the problem, ignore it, or quarantine it. Until someone tells the anti-virus program what to do with that problem, it will just sit back and wait, which isn’t doing anybody any good. That’s why regular scanning maintenance is so important.

Your POS vendor may or may not maintain your anti-virus scanning, but this question isn’t a make-or-break deal. It’s just important to know the responsible party. If your vendor is not handling your anti-virus, make sure you have an up-to-date version, that it’s scanning regularly, and that you have someone designated to address what it finds.
5) Do you set up the POS system as an application on my back-office computer? Many POS vendors dump POS system software onto the back-office computer. What’s the problem with that? Well, in addition to storing sensitive POS information, you use that computer to order uniforms, track payroll, browse Facebook, and email staff. As we know, the Internet is full of malicious links, software, and downloads ready to compromise your business. If you accidentally click on one of those malicious links, be prepared to kiss your customer credit cards goodbye.

A good POS vendor recognizes the importance of segmenting your POS environment. That means not allowing POS software to reside on a system that can browse the Internet. The best solution is to set up two computers in your back office. On one, you conduct all your business (ordering uniforms, etc.). The other is only for your POS, properly segmented from the other back-office server by a firewall.
Just remember: your security matters. Choose a POS installer with the same security-minded attitude and you’ll be light years ahead of most of your peers… not to mention keeping your data safe from hackers.
Brand Barney, a security analyst at SecurityMetrics, has more than 10 years of compliance, data security, and database management experience. Learn more about SecurityMetrics by visiting www.securitymetrics.com.