Multi-Unit Franchisee Magazine Issue II, 2017 - Page 70

Technology

POS Security
Keeping your customers—and your business—safe

By Tom Epstein

You’d have to be living in a cave in the Himalayas with no Internet to not know about all the data hacks going on in the world today. So why is it that, with all the advances in technology and security software, bad people can still gain access to your data?

At FPN, we are most concerned with the ability of others to gain access to your customer data through your POS system. Recently, we had Visa tell us that there may have been an event at one of our customer’s franchise locations in Florida. Visa did not specify the exact way the hacker got in, only that they wanted the customer to immediately stop using their POS system for payments. Needless to say, not taking payments from customers is not an option for any business that wants to stay in business.

Until the customer figured out what had happened, the safest advice we could give them for running credit card transactions was to send them a standalone credit card terminal that communicated only through a phone line. Remember those? Black cord attached to an old heavy phone that sits on a desk somewhere. Really? A phone line was safer? What about EMV chips, wireless routers, firewalls, and anything else you can think of to insert here?

We all know at this point that every year, to validate your PCI security, you must take that Self-Assessment Questionnaire (SAQ) everyone hates; and if you use the Internet to process transactions (which almost everyone does now), you must do network scans a minimum of once per quarter. Let’s take a look at what we are seeing with the franchisees who process with us and who—even though they may be doing all those things—are still not quite compliant and remain vulnerable.

All versions of the SAQ (there are several, depending on how you process) ask: Are you running your POS system on the most up-to-date software available? You must answer “Yes” to pass the SAQ, so you do.
(Please note: Answering yes does not make you compliant!) It might make you feel better, but you really must look at this.

Just because we all enjoy advances in technology and security does not mean we can abandon common sense.

We are still seeing many franchisees running their POS system on older versions of Microsoft Windows that are no longer supported by the POS providers. Typically, if you are on XP or older, your POS provider cannot install the necessary security patches—which makes you non-compliant.

We also see many franchisees still running older versions of their POS software. Many feel the old version still works, so why spend the money on an upgrade? Because if you don’t and get hacked, your POS partner will not accept any responsibility. You will be on your own.

Another POS issue we are seeing: Your POS software is 100 percent up to date and your hardware is running the latest version of software, but you need to have your POS company “remote in” to figure out an issue. If your POS company does this with screen-sharing software, they are opening a channel into your POS. While it is certainly acceptable for them to do that for short periods, you must uninstall this software once the service has been completed, since that channel may still be there and someone else might find it.

Also, if you’re using remote access this way on a regular basis to see what’s going on in your stores when you’re not there, you should stop. Your routers at the store and your POS may be 100 percent secure, but what about at home or on the road when you log in from your phone or computer? Do you have the same security protocols there? I doubt it.

The other big issue we see is with security cameras. Many franchisees today like to set up a security camera to watch employees remotely while they are out of the store. How do you think you are getting that video feed on your phone? It’s coming from an open port on your router.
If you have an open port, that means other people can use it to either snoop through your POS system or implant malware or a virus.

Let’s say you’ve already figured that out and put the security camera on a separate router, or maybe you have a very secure firewall preventing data from moving between ports. Where are you most likely pointing the camera? Right, at the register—the exact place where card numbers can be viewed. Even if your camera is on its own router it could be compromised, allowing a hacker to see card numbers as they are accepted behind the counter.
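The open-port and leftover remote-access points above can be checked against a store router's port-forwarding table. The Python sketch below is an added example, not part of the original article; the subnet, device names and forwarding rules are constructed sample data, and ports 3389 (RDP) and 5900 (VNC) stand in for whatever screen-sharing tool a POS vendor actually uses.

```python
import ipaddress

# Constructed sample data for one store (assumptions, not from the article).
POS_SUBNET = ipaddress.ip_network("192.168.10.0/24")  # segment holding the POS
REMOTE_ACCESS_PORTS = {3389: "RDP", 5900: "VNC"}      # common screen-sharing ports

DEVICES = {
    "192.168.10.5": "pos-register-1",
    "192.168.10.6": "pos-back-office",
    "192.168.10.40": "camera-front-counter",
    "192.168.20.41": "camera-stockroom",
}

# (external port, internal IP, internal port) as configured on the router
FORWARDS = [
    (8080, "192.168.10.40", 80),   # camera feed, same subnet as the POS
    (3389, "192.168.10.6", 3389),  # remote support channel left in place
    (8081, "192.168.20.41", 80),   # camera on its own segment
]


def audit_forwards(forwards, devices, pos_subnet=POS_SUBNET):
    """Return (external_port, device, reason) for every port forward."""
    findings = []
    for ext_port, ip, int_port in forwards:
        name = devices.get(ip, "unknown-device")
        in_pos = ipaddress.ip_address(ip) in pos_subnet
        if int_port in REMOTE_ACCESS_PORTS:
            proto = REMOTE_ACCESS_PORTS[int_port]
            reason = f"{proto} remote access exposed to the Internet"
        elif in_pos and name.startswith("pos-"):
            reason = "POS device reachable from the Internet"
        elif in_pos:
            reason = "Internet-facing device shares the POS network segment"
        else:
            # Segmented, but a camera aimed at the register still shows cards.
            reason = "open port outside POS segment; check what the device can see"
        findings.append((ext_port, name, reason))
    return findings


if __name__ == "__main__":
    for port, name, reason in audit_forwards(FORWARDS, DEVICES):
        print(f"port {port:<5} {name:<22} {reason}")
```
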