Point of Sale System Security

Recent events surrounding point of sale (POS) system breaches in Target and Neiman Marcus showed how valuable regular magnetic stripe credit cards are to various breaches. In case of Target, malicious software has been installed that captured credit card information at the point of the swipe and PIN-entry. How the software has been installed on the network is still under investigation. However, one thing is clear; more security is needed at the point of the swipe to protect both customers and merchants from such fraudulent activity. At this point, there are two solutions available on the market that, if not prevent, will minimize the chances of such breaches occurring in the future. They are tokenization and EMV.

Let’s begin with tokenization, what it means, how it can protect the system and where to get it. The main point of tokenization is that credit card information is not transmitted over the payment network. Rather, it gets encrypted at the point of the sale and is transmitted as a code, which is only decoded by the credit card processor. This way nothing is being stored on the merchant POS system. This security measure has been available for quite some time. Unfortunately, the only way to obtain it is through merchant’s existing credit card processor and these companies opted for charging extra for this feature. The end result was that very few merchants chose to pay extra for it. Hopefully, in the future most credit card processing companies will offer this service for free.

The story with EMV, which stands for Europay, MasterCard and Visa is a lot more complicated. Basically EMV is a chip embedded in the credit card, which offers more security than a regular magnetic swipe. EMV credit cards technically are not swiped, but rather inserted in the readers. Because of chip being more complicated than a magnetic stripe, it is harder to steal information from the credit card. The EMV standard has been widely adopted in Europe and Asia, but gained little traction in the US. One of the main reasons for it being that EMV adoption requires a compliance of both credit card issuers and merchant service providers. Meaning that for the EMV to work the customer needs to have a credit card with an EMV chip and the merchant needs to have an EMV reader. So far, none of the major credit card providers have issued EMV enabled credit cards. Until they do so, EMV enabled point of sale terminals are simply a useless luxury.

Both tokenization and EMV will eventually arrive and become widespread from large retailers to small restaurants and shops. In the meantime, it is crucial, especially for small local businesses, to take steps in protecting their point of sale systems from security breaches. These steps include preventing unauthorized access to the POS computer by using strong passwords and access cards, banning Internet browsing on the stations and close monitoring of the personnel with access to the system. It is impossible to have a 100% secure system, but it is possible to minimize the security risk.