Multi-Unit Franchisee Magazine Issue II, 2017 | Page 70

Keeping your customers — and your business — safe

Technology BY TOM EPSTEIN

POS Security

You’d have to be living in a cave in the Himalayas with no Internet to not know about all the data hacks going on in the world today. So why is it that, with all the advances in technology and security software, bad people can still gain access to your data?

At FPN, we are most concerned with the ability for others to gain access to your customer data through your POS system. Recently, we had Visa tell us that there may have been an event at one of our customer’s franchise locations in Florida. Visa did not specify the exact way the hacker got in, only that they wanted the customer to immediately stop using their POS system for payments. Needless to say, not taking payments from customers is not an option for any business that wants to stay in business.
Until the customer figured out what had happened, the safest advice we could give them for running credit card transactions was to send them a standalone credit card terminal that communicated only through a phone line. Remember those? Black cord attached to an old heavy phone that sits on a desk somewhere.
Really? A phone line was safer? What about EMV chips, wireless routers, firewalls, and anything else you can think of to insert here?
We all know at this point that every year, to validate your PCI security, you must take that Self-Assessment Questionnaire (SAQ) everyone hates; and if you use the Internet to process transactions (which almost everyone does now) you must do network scans a minimum of once per quarter. Let’s take a look at what we are seeing with the franchisees who process with us and who — even though they may be doing all those things — are still not quite compliant and remain vulnerable.
All versions of the SAQ (there are several depending on how you process) ask: Are you running your POS system on the most up-to-date software available? You must answer “Yes” to pass the SAQ, so you do. (Please note: Answering yes does not make you compliant!) It might make you feel better, but you really must look at this. We are still seeing many franchisees running their POS system on older versions of Microsoft that are no longer supported by the POS providers. Typically, if you are on XP or older, your POS provider cannot install the necessary security patches — which makes you non-compliant.
We also see many franchisees still running older versions of their POS software. Many feel the old version still works, so why spend the money on an upgrade? Because if you don’t and get hacked, your POS partner will not accept any responsibility. You will be on your own.
Another POS issue we are seeing: Your POS software is 100 percent up to date and your hardware is running the latest version of software, but you need to have your POS company “remote in” to figure out an issue. If your POS company does this with screen-sharing software, they are opening a channel into your POS. While it is certainly acceptable for them to do that for short periods, you must uninstall this software once the service has been completed, since that channel may still be there and someone else might find it.
Also, if you’re using remote access this way on a regular basis to see what’s going on in your stores when you’re not there, you should stop. Your routers at the store and your POS may be 100 percent secure, but what about at home or on the road when you log in from your phone or computer? Do you have the same security protocols there? I doubt it.
The other big issue we see is with security cameras. Many franchisees today like to set up a security camera to watch employees remotely while they are out of the store. How do you think you are getting that video feed on your phone? It’s coming from an open port on your router. If you have an open port, that means other people can use it to either snoop through your POS system or implant malware or a virus. Let’s say you’ve already figured that out and put the security camera on a separate router, or maybe you have a very secure firewall preventing data from moving between ports. Where are you most likely pointing the camera? Right, at the register — the exact place where card numbers can be viewed. Even if your camera is on its own router it could be compromised, allowing a hacker to see card numbers as they are accepted behind the counter.
The moral of the story: Just because we all enjoy advances in technology and security does not mean we can abandon common sense. We must rely on what we already know and make sure that we continue to train and teach our people the security basics.
Tom Epstein is CEO and founder of Franchise Payments Network, an electronic payments processing company dedicated to helping franchisors and their franchisees improve system performance, increase revenue, and reduce expenses. Contact him at tomepstein@franchisepayments.net or 866-420-4613 x1103.