Are you providing your customers with the very best in point of sale (POS) data security?
On an almost daily basis, the news media reminds us of the risks associated with unprotected data as they report on each massive data breach that cost companies billions of dollars in lost value and remediation costs. Data breaches are not a matter of “if”, but more a matter of “when” as hackers get more and more creative. Many CEO’s think that meeting the basic requirements of the Payment Card Industry (PCI) for data protection will keep their point-of-sale (POS) systems from being compromised. Truth is, hacking into retailer POS payment applications is a recurring problem worldwide, even for retailers who meet compliance standards.
1. Know Your Data Breach Risks – Ask the Right Questions!
As CEO, security and risk management is your bottom line. You need to know if and how your product development team is following best practices to protect your company and your customers from a data breach. Most payment application vendors offer encryption and key management, however not all of them are following best practices by using an encryption key management hardware security module (HSM). An HSM keeps the encryption key physically separate from the encrypted data, making sure that the data a hacker retrieves from a compromised system is functionally unusable.
With tighter security standards for data encryption, encryption key management, and constantly evolving regulations, you have an opportunity to go beyond basic compliance and gain consumers’ trust amid growing concern about the amount of electronic data companies collect, analyze, and share.
So, what can you do as a CEO to ensure your products are fully protecting your customers’ data? One important thing to do is start asking more specific questions of your product managers. Asking the right question can quickly expose data protection risks that you didn’t know you have.
Here are some sample questions:
- Where in our systems does sensitive data reside, even briefly, in unencrypted form? Could I get a list?
- What type of encryption do we use in our payment application for data at rest?
- How are we protecting encryption keys?
- Are any of the encryption keys stored on the same server with the protected data?
- Are we protecting our encryption keys with an HSM?
- Are we using industry standard encryption and key management?
- Are our encryption and key management solutions NIST certified?
There are really straight-forward answers to these questions. The lack of clear and unambiguous answers should raise an immediate red flag in your mind, and provide the beginning of a deeper discussion about data protection with your product development team.
2. Know What Your Customers Fear– Think Like a Hacker!
Awareness is the first step toward point-of-sale security. Retail payment systems are frequently hacked by criminals who are employed seasonally or temporarily, and given access to a system with insufficient security measures in place.
Help gain your customers trust by training them on the importance of good password management and system log monitoring as a part of their overall POS security efforts.
- A surprising number of retailers never change the factory passwords on their POS systems and this is a huge security risk. Not only should factory passwords be changed, subsequent passwords should be changed regularly. Often, cracking a payment application system relies on the merchant being lazy about password implementation and changes. Make sure your customers know best practices and you’ll be their hero!
- Hackers’ techniques have gotten more sophisticated and they can hide evidence of attacks; going undetected for months or even years. Yet, a study of confirmed breach cases in 2009 found that nearly 90 percent of victims had evidence of the breach in their system log files. Do you train your customers in the importance of monitoring their system logs in real time?
3. Proactive Security Planning - Use Best Practices To Start With!
Keeping on top of point-of-sale security is essential for every business. Good encryption and key management is the cornerstone of good security. It can’t be an afterthought at the executive level; data security has to be a critical element in every risk management plan and conveyed well to your customers.
An effective data breach plan can mean the difference between a quick recovery and a serious blow to a company’s reputation. The steady pace of data breaches reinforces the need for encryption as a first line of defense. Firewalls and VPNs can provide some protection against data breaches and theft, but there is no substitute for strong encryption and effective encryption key management, especially in customer data and cloud environments. There’s no longer an excuse not to properly protect your POS payment application system and educate your POS system customers in security best practices.
In this complimentary eBook, "Turning a Blind Eye to Data Security: Mending the Breakdown of Communication CEOs and CIOs", authors Kevin Beaver, CISSP, Patrick Townsend, and Todd Ostrander will teach you about:
- Business risks associated with unprotected sensitive data
- Tools and resources to begin the discussion about data security in your company
- 5 Common misconceptions
- Actionable steps YOU can take