Multi-Unit Franchisee Magazine Issue I, 2015 | Page 76

Security
By Brand Barney

How Safe Is Your POS System – Really?
5 critical questions for your POS vendor

While very skilled at installing systems, point-of-sale (POS) vendors often don't understand security basics and are unlikely to make your security their main priority. Obviously, this can lead to very poor organizational security. After all, your POS system harbors some of the most valuable information in your organization: customer credit card data. Before hiring someone to set up your POS environment, there are five key questions you should ask. These questions are designed to help you weed out ignorant vendors that don't have your security best interests at heart.

1) Can I set my own user name and password?

If a vendor provides POS credentials and won't let you change them, that's a serious red flag. It likely means they're using the same credentials at every other client's business too, a practice known as "universal credentials." Universal credentials simplify a POS installer's job: no need to remember a different password for each client when performing routine system maintenance (see point #2). He only needs to memorize one password! Unfortunately, this insecure practice leaves your business in danger. An installer genuinely concerned about your security should let you choose your own password and encourage you to follow industry best practice (e.g., at least 8 characters, including numbers and special characters, and never the vendor's default).

2) How often do you conduct routine maintenance?

A POS vendor's job isn't just to install software and hardware and then disappear from your life forever. The vendor should be continually maintaining those systems by installing updates to both the underlying operating systems and the POS software.
One great question to ask is, "Are all critical security patches installed within one month of release?" I understand that keeping your system patched with the latest security fixes isn't always fun, but it will help protect you from a data breach and is absolutely worth the time it takes to ensure your vendor is staying on top of it.

3) Do you use unique remote access credentials for each POS system?

If your POS vendor uses the same credentials to access your store as they use for others, their breach might soon become your breach. An attacker who discovers a vendor's remote access password has ready-made credentials to get into any other system using the same credentials, including yours. Ensure your vendor uses unique credentials to access your environment. You should also ask how long your vendor needs the remote access connection to your systems. It is not uncommon for a vendor to gain access remotely and then never disconnect. This is a very poor security practice and should be prohibited. Keep your vendor's access to a minimum and monitor it regularly.

4) Do you maintain our anti-virus?

An anti-virus program keeps an eye on your system. It runs largely on its own, but when it finds a problem it often requires human direction: it will ask whether you want to delete the file, ignore it, or quarantine it. Until someone tells the anti-virus program what to do with that problem, it will just sit and wait, which isn't doing anybody any good. That's why regular scanning maintenance is so important. Your POS vendor may or may not maintain your anti-virus scanning, but this question isn't a make-or-break deal. It's just important to know who the responsible party is. If your vendor is not handling your anti-virus, make sure you have an up-to-date version, that it's scanning regularly, and that you have someone designated to address what it finds.
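Questions 2 and 3 both come down to things you can check for yourself if you keep records: how long a critical patch waited before it was installed, whether the vendor's remote-access account shows up at more than one of your stores, and whether a remote session was ever closed. The following Python script is an added example (not from the article or SecurityMetrics) that runs those three checks over a constructed remote-access gateway log and a constructed patch inventory; the log line format, the account names, the store IDs, and the 8-hour session limit are all assumptions for illustration.

```python
"""Audit constructed POS records for three red flags from the article:
a vendor account used across several stores (shared credentials),
remote sessions that were never disconnected, and critical patches
not installed within a month of release.  Added example; log format
and names are assumptions, not any real vendor's output."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a remote-support gateway log (assumed format):
#   <timestamp> <login|logout> user=<account> store=<store id> src=<ip>
ACCESS_LOG = """\
2015-01-05T09:00:00 login user=posvendor-support store=STORE-101 src=203.0.113.10
2015-01-05T09:45:00 logout user=posvendor-support store=STORE-101 src=203.0.113.10
2015-01-06T14:10:00 login user=posvendor-support store=STORE-207 src=203.0.113.10
2015-01-07T08:30:00 login user=svc-store-314 store=STORE-314 src=203.0.113.11
2015-01-07T09:05:00 logout user=svc-store-314 store=STORE-314 src=203.0.113.11
"""

# Constructed patch inventory for one POS host:
#   (patch id, severity, release date, installed date or None if still missing)
PATCHES = [
    ("KB-A", "critical", "2014-11-20", "2014-12-01"),
    ("KB-B", "critical", "2014-11-25", None),
    ("KB-C", "moderate", "2014-12-15", None),
]

MAX_SESSION = timedelta(hours=8)   # assumed limit for a support session
PATCH_WINDOW = timedelta(days=30)  # "within one month of release"


def parse_access_log(text):
    """Turn the gateway log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, *fields = line.split()
        rec = {"time": datetime.fromisoformat(ts), "event": event}
        for field in fields:
            key, value = field.split("=", 1)
            rec[key] = value
        events.append(rec)
    return events


def shared_accounts(events):
    """Accounts that logged in to more than one store: the same vendor
    credential is being reused across locations (question 3)."""
    stores = defaultdict(set)
    for e in events:
        if e["event"] == "login":
            stores[e["user"]].add(e["store"])
    return {u: sorted(s) for u, s in stores.items() if len(s) > 1}


def open_sessions(events, now, limit=MAX_SESSION):
    """Logins with no matching logout that have been open longer than
    `limit`: the vendor connected and never disconnected (question 3)."""
    active = {}
    for e in sorted(events, key=lambda e: e["time"]):
        key = (e["user"], e["store"], e["src"])
        if e["event"] == "login":
            active[key] = e["time"]
        elif e["event"] == "logout":
            active.pop(key, None)
    return [(u, s, now - t) for (u, s, _), t in active.items() if now - t > limit]


def overdue_patches(patches, now, window=PATCH_WINDOW):
    """Critical patches not installed within `window` of release; a patch
    still missing is measured against `now` (question 2)."""
    overdue = []
    for pid, severity, released, installed in patches:
        if severity != "critical":
            continue
        rel = datetime.fromisoformat(released)
        done = datetime.fromisoformat(installed) if installed else now
        if done - rel > window:
            overdue.append(pid)
    return overdue


def audit(now_iso):
    """Run all three checks as of the given ISO timestamp."""
    now = datetime.fromisoformat(now_iso)
    events = parse_access_log(ACCESS_LOG)
    return {
        "shared_accounts": shared_accounts(events),
        "open_sessions": [(u, s, str(d)) for u, s, d in open_sessions(events, now)],
        "overdue_patches": overdue_patches(PATCHES, now),
    }


if __name__ == "__main__":
    for name, finding in audit("2015-01-08T00:00:00").items():
        print(f"{name}: {finding}")
```

On the constructed data the script flags the `posvendor-support` account for appearing at two stores, its STORE-207 session for still being open more than a day later, and patch KB-B for being critical, released 44 days earlier, and still not installed. Swap in your own gateway export and patch list and the same three functions give you evidence to put in front of the vendor rather than a verbal assurance.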
5) Do you set up the POS system as an application on my back-office computer?

Many POS vendors dump POS system software onto the back-office computer. What's the problem with that? Well, in addition to storing sensitive POS information, you use that computer to order uniforms, track payroll, browse Facebook, and email staff. As we know, the Internet is full of malicious links, software, and downloads ready to compromise your business. If you accidentally click on one of those malicious links, be prepared to kiss your customers' credit cards goodbye. A good POS vendor recognizes the importance of segmenting your POS environment. That means not allowing POS software to reside on a system that can browse the Internet. The best solution is to set up two computers in your back office. On one, you conduct all your general business (ordering uniforms, etc.). The other is only for your POS, properly segmented from the general-purpose back-office machine by a firewall that permits only the connections the POS actually needs.

Just remember: your security matters. Choose a POS installer with the same security-minded attitude and you'll be light years ahead of most of your peers, not to mention keeping your data safe from hackers.

Brand Barney, a security analyst at SecurityMetrics, has more than 10 years of compliance, data security, and database management experience. Learn more about SecurityMetrics by visiting www.securitymetrics.com.