Payment Card Data Security At The Point-Of-Sale (POS)

As retail businesses adopt more omni-channel retailing methods such as e-commerce, m-commerce, social selling, and mobile payments, standard online and mobile payment fraud also poses a problem, exposing customers' confidential information and credit card data. Hence, businesses and governments are under increased pressure to prioritize data security. To address financial data theft and hacking, the Payment Card Industry Security Standards Council (PCI SSC) was formed on December 15, 2004, and released version 1.0 of the Payment Card Industry Data Security Standard (PCI DSS), a proprietary information security standard that helps organizations increase controls around cardholder data.

PCI DSS represents a minimum set of control objectives which may be enhanced by local, regional and sector laws and regulations. Additionally, legislation or regulatory requirements may require specific protection of personally identifiable information or other data elements (for example, cardholder name), or define an entity’s disclosure practices related to consumer information. Examples include legislation related to consumer data protection, privacy, identity theft, or data security.

The Payment Application Data Security Standard (PA-DSS) is a subset of the PCI DSS. The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties. In order to ensure that all sensitive cardholder authentication data is secure, PCI requires merchants, banks, and all other parties that use a third-party application for processing payments to select one that meets the PA-DSS standard.

The following chart details what is required to be PCI DSS compliant (and therefore what a payment application must support to facilitate a customer’s PCI DSS compliance).

[Chart: credit card data security at the point of sale]

The ETP Store Omni-channel POS solution is certified as PA-DSS v3.2 compliant by the PCI SSC. This means that retailers can rely on the ETP V5.5 POS solutions to provide a secure payment card transaction process for their end users.

Being PCI DSS compliant means that ETP V5 software does not retain or store any sensitive payment card validation data and securely deletes it, provides secure authentication features, and facilitates secure remote access to the payment application while maintaining a log of all payment application activity. The PA-DSS certification for ETP V5 Suite is especially significant for customers of the ETP Store (POS) and ETP MobileStore (Mobile POS) solutions, as ETP V5 is one of very few retail software solutions on the market to be PA-DSS compliant.

“Keeping our customers secure and successful is the number one priority for ETP. We continually push beyond the ordinary and develop omni-channel retail software solutions with secure payment applications that protect wireless transmissions, facilitate secure network implementation and remote software updates and encrypt sensitive cardholder data over public networks,” said Naresh Ahuja, Chairman & CEO, ETP Group. “PA-DSS accreditation is by no means a simple task. However, by accomplishing it, we make it easier for our customers around the world to apply for PCI PA-DSS certification, where the use of compliant software solutions is a key element of demonstrating their ability to protect sensitive card data.”

Point-Of-Sale Security – How To Avert Retail Cyber Attacks

As point-of-sale systems adopt new-age Retail POS Software, retailers will have to brace themselves for the security threats that may come with it. Devices that handle credit and debit card information are under constant threat from cybercriminals who want to steal such data.

New and emerging retail POS and Retail CRM Technologies are enabling retailers to exceed customer expectations. The customers in turn demand greater convenience and value. Greater convenience comes through greater connectivity between retailers and customers across multiple touchpoints be it channels, locations or devices. And such gratifying levels of connectivity offer convenience not only to consumers, but also to cybercriminals.

Lately, connected point-of-sale (POS) systems have been heavily targeted by cybercriminals, and viruses designed specifically for this purpose are a further indication that all kinds of connected devices may now be susceptible to attack.

For more than 80,000 customers around the US who bought a $5 footlong sandwich at Subway, the second largest fast food chain with over 32,000 outlets in 90 different countries, it was a ticket to having their credit card data stolen by a band of Romanian hackers. The hackers later pled guilty to having stolen payment card data from the point-of-sale (POS) systems of hundreds of businesses, including more than 150 Subway restaurant franchises and at least 50 other retailers, using ‘sniffing’ software to make illicit charges. Those retailers made it possible by practically leaving their transaction information freely open to the Internet, letting the hackers ring up over $3 million, as mentioned in this article.

The cyber attacks on US retail giants Target, Neiman Marcus and Michaels Stores – which involved malware on POS systems – had a profound impact on sales and consumer confidence in the safety of credit-card information at retail POS terminals. Potential hauls for successful cybercriminals provide plenty of motivation to target POS.

“Retail cybercrime is the crime of the future,” says Dave Marcus, director of security and communications at security software firm McAfee. “Instead of coming in with guns and robbing the till, criminals can target businesses, root them from across the planet, and steal digitally.”

As retail businesses adopt more omni-channel retailing methods such as e-commerce, m-commerce, social selling, and mobile payments, standard online and mobile payment fraud also poses a problem, exposing customers' confidential information and credit card data. This means that retailers could soon find themselves being attacked both online and on the high street.

Despite this worrying trend, by translating the same principles of security from the real world to the POS network, a security defence strategy can be put in place to prevent cyber criminals from gaining access to your sensitive, valuable data.

The ‘POS’tulates to be followed to avert cyber security attacks on retail POS systems are:

• Create a response plan that addresses a potential cyber-attack incident. Test the execution of this plan on a periodic basis.

• Perform a thorough audit of sensitive and confidential data to keep a record of its storage locations on the network as well as its instances and volumes. This gives an understanding of where the valuable information resides.

• Get rid of any unauthorized instances of the sensitive data based on the company’s information governance policies, so that the exposure of such data is minimized.

• Create and regularly update standards of normal activity for each endpoint.

• Employ information security specialists to proactively fish out anomalies in the real-time reports that are generated. These anomalies should be treated as signs that the network’s security has been compromised and that attackers have access to the data.
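The data audit step above can be sketched as a small card-number discovery scan. This is an added example, not ETP's code: it finds 13 to 19 digit candidates in text, confirms them with the Luhn checksum to cut false positives, and reports instances per storage location with only the last four digits visible. The location names and sample records are constructed for illustration.

```python
import re
from collections import Counter

# 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Show only the last four digits so the report holds no card data."""
    return "*" * (len(digits) - 4) + digits[-4:]

def audit(records: dict) -> dict:
    """Map each storage location to its masked findings and their counts."""
    report = {}
    for location, text in records.items():
        hits = Counter()
        for m in CANDIDATE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                hits[mask(digits)] += 1
        if hits:
            report[location] = dict(hits)
    return report

# Constructed sample data; 4111111111111111 and 5555555555554444 are
# widely published test numbers, 1234567890123456 fails the Luhn check.
SAMPLE = {
    "pos01:/var/log/pos/txn.log":
        "2024-01-05 sale card=4111 1111 1111 1111 amt=5.00\n"
        "2024-01-05 sale card=4111-1111-1111-1111 amt=7.50\n",
    "backoffice:/exports/orders.csv":
        "order,ref\n1001,1234567890123456\n1002,5555555555554444\n",
    "pos02:/var/log/pos/txn.log": "2024-01-05 sale token=tok_8f3a amt=5.00\n",
}

if __name__ == "__main__":
    for loc, hits in audit(SAMPLE).items():
        print(loc, hits)
```

Locations that appear in the report are the ones to check against the information governance policy; those holding only tokens, like the third sample record, do not appear.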