Historically, merchants worked with a limited number of point of sale (POS) systems, such as cash registers and credit card readers, which limited the size of the attack surface. The explosive growth in the types of POS systems and related applications is creating more endpoints on-premises and in the cloud, resulting in a much larger attack surface.
You needn’t look far to find the devastating impact that an attack on POS systems can have.
E-commerce sites, mobile pay options, kiosks, contactless readers, phone-to-phone payment exchange and many other endpoints offer attackers an array of entry points. As applications move to the cloud, exposure spreads, requiring different security techniques.
Loyalty programs, which collect personally identifiable information (PII) such as full names, birth dates, birthplaces, addresses, fingerprints, identification numbers and telephone numbers, increase risk. From the attacker’s perspective, the value of PII is rising relative to the value of credit card numbers. This is due, in part, to standards like EMV chip technology, which is becoming the global standard for credit and debit card payments: stolen card data is harder to monetise through counterfeit cards when the card is authenticated by its chip, so a stolen card number alone is worth less to an attacker.
Emerging privacy legislation shifts more risk toward PII. This means that enterprises must put a greater emphasis on protecting PII and cardholder data, which flows throughout the enterprise, along with the credentials of the people who administer the data and the network.
Along with protecting card data and PII and securing endpoints, merchants must keep availability high while making the payment process as easy and reliable as possible. Organisations frequently omit security from the software development lifecycle because it may cause delays and add cost. Without it, however, the likelihood of vulnerabilities in the POS system or application increases significantly. When a vulnerability is exploited, an application may slow down, fail – or be taken down deliberately. None of these outcomes support a positive experience for customers who want to make purchases or interact with their loyalty programs.
Research supports these concerns about availability and application security. Ponemon Institute reports that nearly 75% of global enterprises were affected by data breaches due to unprotected applications. Yet these same companies say they have little or no confidence that application developers in their organisation practise secure design, development and testing of applications. In my experience, I’ve found that many organisations do not have a good handle on DevOps, do not know which applications exist in their environment, and do not catalogue and centrally manage APIs.
When an application is exploited, availability – along with integrity and/or confidentiality – may be sacrificed. Therefore, including security in the software development lifecycle is no longer optional for organisations that want to keep availability and customer loyalty as high as possible.
Ensuring availability requires enforcement of the proper security controls, as well as agile security teams that can support development requirements without compromising security. It is therefore vital for organisations to establish a software development lifecycle program that sets out a process for planning, creating, testing and deploying applications, with security activities built into each stage rather than bolted on at the end.
Understanding Risk Factors
Third parties can increase risk for merchants who outsource their POS system or parts of it. Third parties directly involved in the payment transaction process are themselves subject to PCI DSS requirements, which may include a formal Report on Compliance (ROC); asking for their current Attestation of Compliance is a more reliable check than a yes/no answer. If a third party answers “No” to the question, “Is your business PCI compliant?”, merchants need to assess the risk and decide on next steps. These may include helping the third party achieve compliance or switching to an alternative provider – with the understanding that compliance does not always equal security.
An additional consideration is that the always-on nature of businesses in retail, travel, hospitality, and healthcare makes it nearly impossible for security teams to take down networks for maintenance – all the more reason to have high-availability architecture and to build in redundancy.
Checking for indicators of compromise (IOCs) once or twice a week no longer suffices in a world where cash registers are everywhere. Attackers follow the path of least resistance, and that path may begin with endpoint vulnerabilities.
Securing a large and growing fleet of end devices is undeniably challenging for businesses, given the range of POS types and applications in use today. But it is vital, because those devices are a lucrative target for malicious threat actors.
Businesses therefore need to implement solutions that identify endpoint security gaps and find the right combination of services and technologies to remediate those vulnerabilities. Failure to do so could make them the next high-profile victim of an attack.