You should understand that there are criminals out there who do everything they can to ensure that they cause havoc to any business and yours is no exception. So, it is important for you to take preventative action so as to ensure that your POS and other systems are secure at all times. Here are tips to help you improve your POS system security:
Restrict remote access
There has been an increase in stolen merchant credentials and one of the problems has been the use of the same password for all organizations that are managed by the vendor. Because of this, it is imperative to limit remote access into Point-of-Sale systems, especially by third party vendors.
Make your passwords stronger
The passwords used for accessing POS systems remotely should not be the factory defaults, dictionary words or the names of your POS vendor ones. In fact, they shouldn’t be weak at any one given time. Ensure that your vendor is not using the same password for all their customers. You can even call to verify.
Maintain customer privacy
Never store full credit card numbers in plain text. In fact, the credit card machines should be the ones that truncate card numbers such that only the last four digits are shown on the receipts. Also, don’t record personal information on the receipts especially the sales receipts. Personal information and account numbers could easily be used to commit fraud. And card holder accounts as well as personal information should always be kept separate, under tight security. Don’t even attempt to transmit this information via email or unsecured gateways.
Refrain from personal use on the business equipment
People should not attempt to browse the web, use social media, play games, browse email or do anything else other than POS related activities on the POS systems. This will be a sure way to invite intruders.
Maintain secure key loading techniques
When host security modules and POS PEDs are first initialized, they need to be securely loaded with strong encryption keys. And the principal of dual control and split knowledge should be always in place in order to maintain the secrecy of the key one is entering. And one person should be prohibited from having access to each and every component of a single encryption key.
All devices should have unique keys
The cryptographic keys that reside within a PED should be unique to the PED device. This way, you make sure that your PEDs are not an easy or attractive target for attacks. Technical staff should carry out a regular validation of keys so as to do away with predictable, default or otherwise simple keys.
Never log PIN blocks
It is a fact that PINs are protected in an enciphered or encrypted form, but they should not be retained in transaction messages in those journals or logs. Also, any temporary logging task for troubleshooting or transaction research should include the active removal of PIN blocks. And this is important because it prevents harvesting of encrypted PINs.