Ensuring Point of Sale Security (Both Online and Off)

When you’re operating a business, customer trust is paramount. Your shoppers trust you to be able to provide what they need, when they need it. They trust you to treat them fairly. Perhaps most importantly, they trust that conducting a transaction with you isn’t going to come back to bite them. If your customers’ credit card information is stolen because your payment solution wasn’t properly secured, their trust, and subsequently their business with you, will go right out the window.

Enter Point of Sale (POS) security: the prevention of unauthorized access by hackers looking for ways to steal customer information. By protecting data and closing any security gaps, you can secure your customer transactions and ensure you’re never on the chopping block for leaking sensitive information, not to mention avoid potentially massive fines from the card brands.

Consider the following points when addressing the security of your POS systems, both online and on-location.

1: Point-To-Point Encryption

Ensure that you have software in place to protect your customers’ data from exposure. Point-to-point encryption tools encrypt your customers’ data as soon as it’s received, and encrypt it again when it’s sent to the POS server. In other words, whether an attacker is trying to steal the data from the terminal or intercept it on the way to the server, you’re covered.

2: Physical Location

You’ve probably heard the term “skimmer” before in reference to hijacking data from a customer’s card. Whether you still swipe cards or use a newer chip machine, a common tactic used by fraudsters is using physical equipment to tap into the POS terminal and intercept the information. Key loggers can record your PIN, and most of the time these devices are hidden within the terminal itself.

It’s much easier for a hacker to install a skimmer on a device that is simply sitting at a front desk or bar than it is to install one on a device locked in a security case. If your terminal is sitting in view of the entrance to your location, consider keeping it under lock and key and under the supervision of a security camera. Hackers search for low-risk, high-reward terminals, and a simple security case and camera are often more than enough to make your terminal an unattractive option.

If your terminals have a wireless connection, such as those used by servers at a restaurant, ensure you have a system in place to keep track of the physical terminals, and make sure you write down their individual serial numbers. Any terminal that goes missing for any length of time should be immediately suspect. In fact, merchants dealing with significant sales through their POS terminals should make checking for tampering part of their daily routine.

3: PCI Compliance

One of the most common issues we see with new merchant services clients here at Schooley Mitchell is with PCI compliance. The Payment Card Industry Data Security Standard (PCI DSS) is a set of procedures maintained by the PCI Security Standards Council. It has tons of guidelines revolving around authentication, encryption, vulnerability testing, antivirus, and more. These standards are designed to protect credit card information by ensuring that the systems used to transmit the data are sufficiently secure. Failure to adhere to these standards drastically increases your risk of data theft.

Validating your PCI compliance involves filling out an annual questionnaire and, depending on the scope of your own POS terminals, completing quarterly scans to check for vulnerabilities. In addition to keeping data secure, maintaining PCI compliance can also reduce the fees you are charged by your merchant services provider on every transaction. The safer your data, the smaller the risk you represent to the credit card companies.

4: Address Verification

You should always use an address verification system (AVS) if you accept online sales. Address verification is done by comparing the billing address from the purchase “request” with the address data on file at the issuing bank. This is an important step in preventing fraud, because a criminal stealing a card number often has no access to the billing address associated with the card itself. If they attempt to use the card for a purchase and the address doesn’t match, your AVS will alert you to the discrepancy. Between your AVS and properly requiring the CVV number on the back of the card, a fraudulent charge can be avoided even if the entire credit card number is stolen.

5: Suspicious Purchasing Patterns

If you accept payments online, you need to be aware of the warning signs and red flags that go hand-in-hand with online fraud. Signs include exceptionally large orders paired with one-day shipping, emails composed of long strings of numbers and letters instead of real words or names, and several orders from a single IP address using multiple different credit cards. While none of these things are definitive proof of a fraudulent transaction, they can represent early warning signs, especially when they appear in tandem.

By monitoring for these red flags, along with utilizing your other fraud detection tools, you can help even the playing field and catch fraudulent transactions before they cause significant damage to you, your processor, and your customers.
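As an added illustration (not part of the original article or any vendor's tooling), the three red flags above can be checked over an order export and sent for manual review only when two or more appear together. The field names, thresholds and sample orders are assumptions constructed for this example; cards are represented by processor tokens, never card numbers.

```python
from collections import defaultdict

LARGE_ORDER = 1000.00   # assumed threshold for an "exceptionally large" order
CARDS_PER_IP = 3        # assumed threshold for "multiple different cards"

# Constructed sample orders: (id, ip, card token, email, total, shipping)
ORDERS = [
    ("A1", "203.0.113.7",  "tok_1", "jane.doe@example.com",      42.50,   "ground"),
    ("A2", "198.51.100.9", "tok_2", "x7k2q9zt4m1p@example.com",  2400.00, "one-day"),
    ("A3", "198.51.100.9", "tok_3", "johnsmith1985@example.com", 60.00,   "ground"),
    ("A4", "198.51.100.9", "tok_4", "b4n8w2r6y1c3@example.com",  75.00,   "ground"),
    ("A5", "192.0.2.44",   "tok_5", "big.buyer@example.com",     1800.00, "one-day"),
]

def email_looks_random(email):
    """Long alphanumeric local part that keeps switching between letters and digits."""
    local = email.split("@", 1)[0].lower()
    if len(local) < 10 or not local.isalnum():
        return False
    switches = sum(a.isdigit() != b.isdigit() for a, b in zip(local, local[1:]))
    return switches >= 4

def score_orders(orders):
    """Return {order id: [red flags]} using the three signs described above."""
    cards_by_ip = defaultdict(set)
    for _, ip, card, _, _, _ in orders:
        cards_by_ip[ip].add(card)
    results = {}
    for oid, ip, card, email, total, shipping in orders:
        flags = []
        if total >= LARGE_ORDER and shipping == "one-day":
            flags.append("large_order_one_day")
        if email_looks_random(email):
            flags.append("random_email")
        if len(cards_by_ip[ip]) >= CARDS_PER_IP:
            flags.append("many_cards_one_ip")
        results[oid] = flags
    return results

def needs_review(orders, min_flags=2):
    """No single flag is proof of fraud; queue orders where flags coincide."""
    return sorted(o for o, f in score_orders(orders).items() if len(f) >= min_flags)

if __name__ == "__main__":
    for oid, flags in score_orders(ORDERS).items():
        print(oid, flags)
    print("manual review:", needs_review(ORDERS))
```

Orders with a single flag, such as a legitimately large rush order, stay out of the review queue, which keeps the check usable alongside AVS and CVV results rather than replacing them.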

By paying special attention to the points listed above and consulting with your merchant services provider directly or through a merchant services expert, you can maintain your reputation as a safe and reputable merchant, avoid the fees that go hand-in-hand with a data breach, and protect both yourself and your customers.