The Point-of-Sale Magazine :: Security at the Point-of-Sale


All about

security at the point-of-sale

This issue includes a dozen exclusive articles focused on security at the point of sale, the website, and the retail environment. Contributors include:

• Tom Schoen, BTM Global
• Djamel Toubrinet, Cegid
• Dean Coclin, Symantec
• Henry Helgeson, Cayan
• George Rice, Hewlett Packard
• Steve Montross, CPI Card Group
• Ben Wilson, DigiCert
• Tim Jarrett, Veracode
• Gregory Grant, Phoenix Managed Networks
• Nicole Bryan, Sterling Payment Technologies
• Malay Kundu, StopLift
• Vincent DeMaio, SmartPower Systems
• Sarah Beldo, Sift Science
• and more...

ISSUE 5 | 2017 | $8

www.PointofSale.com


Critical POS System Vulnerability Resolved with “Easy Fix”

by Vincent DeMaio, SmartPower Systems, Inc.

Experienced POS resellers and integrators upgrade an "accessory" to a key system component to resolve the vulnerabilities that cause unexplained system crashes.

An insidious threat is putting many retail and hospitality POS systems at risk. This fatal flaw in the installation of these systems takes many of them down each day across the country, creating serious problems for countless stores and restaurants. The threat doesn't come from viruses or cyber criminals. Instead, it comes from the wall socket.

Many resellers today still do not acknowledge or accept the extent to which POS systems are vulnerable to poor power quality. Frustrated by "no problem found" error codes and unexplained system crashes, not to mention upset client calls, they opt instead to replace different component parts of the system in the hope that the problem will stop. When the problem continues, more service calls are made and more parts are switched out. Perhaps a rudimentary surge protection device is eventually tried, but that amounts to little more than a Band-Aid® and doesn't solve the problem either. Ultimately, the system develops a reputation as unstable.

For an issue that has such a significant impact on the overall functionality and uptime of the POS system (and on the reputation of the reseller that specifies and installs it), the cautionary tale of "dirty power" seems to resonate most with those longstanding firms that have learned the lesson the hard way. Those that have, including many that service the largest, national-brand accounts, make proper power conditioning a mandatory part of each POS package they sell, not an option.

"If you want to avoid any kind of interruptions in your day-to-day operations, you have to attack what I call the 'terror in the outlet,'" says Samer Khashan, president of Team One Repair, a Suwanee, GA-based distributor/reseller of POS systems for several nationally recognized clients such as interstate banks and restaurants. "To protect your customers' systems and not have to make repeated service calls, it is well worth the investment to install proper power conditioning equipment right up front."

ARTICLE CONTINUED ON POINTOFSALE.COM

PointofSale.com | Security '17 | 2

Cover image: https://flic.kr/p/qfWcPy


HOLIDAY FRAUD PREVENTION 7 Tips from the Pros

By Sarah Beldo, Sift Science

Is anyone ever really ready for the holidays? It's hard enough to keep up as a shopper, but if you also work in e-commerce fraud prevention, you know you're guaranteed a crazy ride. To help you navigate the seasonal rush, we crowdsourced some expert strategies from fraud and risk experts who've already logged a few seasons in the holiday trenches. Ho, ho, ho! Here you go:

1. Plan for adverse scenarios. Start the holidays with well-prepared SOPs (Standard Operating Procedures) for anything you think could go wrong. Think of things like communication procedures for a fraud attack, handling for staffing or quick decisioning when the manual review queue grows high, and steps to take for internal or external system downtime. With prepared documentation and agreement from leadership on how to handle fraud risk tolerance in various adverse scenarios, you can focus on fixing issues if they arise instead of figuring out how to fix them. – Caleb Callahan, Director of Payments and Fraud at Jet.com

2. Adapt fraud logic to seasonal buyer behavior. Anticipate that your customers' purchasing behaviors may change during the holidays, and update your fraud logic (both your models and your rules) accordingly. Depending on your business model, be aware that your average transaction value may increase, as well as the count of transactions. Adjusting your fraud logic will help keep false positives low. You don't want to find a legitimate user whose order seems to be higher than usual and wrongfully attribute it to fraud! – Tal Yeshanov, Risk and Fraud Expert

3. Optimize manual review to enable good buyers. Holidays = abnormal shopping patterns, which can make discerning fraud vs. gift shopping very hard. Since holiday shopping behavior is abnormal, it can greatly increase the chance that your team will be rejecting good orders incorrectly. To help mitigate this, find a core set of 2-3 indicators of good buyers, then make that fundamental to the manual review process. When your team sees these indicators, accept the order without further analysis. Further analysis will confuse the auditor and increase the chance of making the incorrect decision (most people are risk averse and don't want to process a potentially bad order). Also, create firm caps on how long a team should review orders for. – Courtney Bode, Marketplace Operations Manager at Wanelo

4. Consider relaxing your fraud prevention. When you are in a good place with your fraud and chargeback levels, you should consider relaxing your protection slightly, to enable more revenue while taking into account a small increase in fraud. This should happen cautiously and in a controlled manner, of course. If you manage this carefully, the increase in revenue will far outweigh the additional fraud risk. The fraud team is also a sales enabler, as much as it is a fraud prevention team. – Danièle Thillmann, SVP Fraud and Customer Service at Green Man Gaming

CONTINUE READING ON POINTOFSALE.COM


3 CYBERSECURITY TIPS FOR RESTAURANTS: Keeping your Data Secure

by Toast Lab

Could your restaurant survive a data breach on its computers or credit card machines? Are you prepared to recover from stolen data and credit card information? The threat from cyber attacks is not slowing down; it's only getting started. This can have real ramifications for your restaurant.

• 68% of funds lost from cyber attacks were declared unrecoverable.
• 99% of computers are vulnerable to cyber attacks.
• It takes more than 5 months (170 days on average) to detect an attack after it has occurred.

Your restaurant needs the best security capabilities to avoid a costly and devastating fate. That's why we've developed these quick and easy-to-implement cybersecurity tips for restaurants. Tech-savvy or not, these tips are relatively straightforward and their importance is easy to understand.

1. Use Modern, Secure Technology

Cyber attacks can come over the internet and through wireless access points, but your hardware is also susceptible. This means your restaurant technology needs certain features to keep your data secure.

Your hardware should be tamper-resistant and tamper-evident, so that anyone who opens a device to plant a skimmer or read its memory is stopped, or at least leaves visible traces. Your point of sale (POS) system and credit card reader are of particular importance here: both are physical access points and need to be secured as far as possible. Your software should be up to date and equipped to fight off cyber threats to your information center. With older legacy POS systems, this is sometimes too much to expect. Older POS systems can store card and sales data on-site in a back-room computer. This is a dated practice and can be detrimental: a machine that holds card data is a target for malware and a burden for compliance.

CONTINUE READING ON POINTOFSALE.COM


PAYMENT SECURITY FOR THE SMR

Small-to-midsize retailers have long escaped the clutches of the Payment Card Industry Security Standards Council (PCI SSC). It's time they gave payment security another look.

Every network and every device poses a potential threat:

• Scan for application vulnerabilities continuously and proactively.
• Don't overlook the security of third-party partners.
• Keep hardware and software updated and patched.

When you suffer a breach, you're responsible for:

• Reimbursement of cardholder losses.
• Any costs associated with the notification of affected consumers.
• Case management fees and penalties from card brand networks ranging from $5,000 to $500,000.

Where Is The Risk?

Level 1 and Level 2 merchants have been under the microscope, but there are 2,500 times more Level 3 and 4 retailers in the U.S. By focusing its scrutiny on the upper echelon of retailers, the PCI SSC sets precedent with a manageable group.

• 2,000: the number of Level 1 and Level 2 merchants (those who process one million or more card transactions annually) in the U.S.
• 5,000,000: the number of Level 3 and Level 4 merchants (those who process fewer than a million card transactions annually) in the U.S.
• 80%: according to the PCI SSC, small retailers are the victim in 80% of all hacker attacks in the U.S.
• 69%: 69% of merchants believe that there is "little or no chance" that they would be the victim of a data breach.
• $1B: despite PCI scrutiny, the data breach at Target will cost the retailer more than $1 billion. (Jefferies)
• 47%: a full 47% of Level 4 merchants are "unsure" or "unaware" of PCI DSS. (ControlScan)


Personalization vs. Data Security: Three Questions to Answer

By Tom Schoen, President, BTM Global

If you're wondering whether your customers would trade some of their personal data for a more personalized shopping experience, it's likely that the answer is yes. Multiple studies and surveys have revealed this, including a recent survey by Salesforce Research in which more than half of respondents were willing to share personal data in exchange for personalized shopping experiences.

This isn't a slam-dunk win for retailers, however. Yes, you want a better understanding of your customer base in order to shape a personalized shopping experience. But consumers' willingness to give you their data (beyond basic contact information) comes with the expectation that you'll do everything in your power to safeguard it. When high-profile security breaches are common in the headlines and consumers' skepticism about data security is growing, how do you strike a balance between collecting, analyzing and storing the data and handling it securely? Is it best to store it within your company rather than in the cloud? Who do you share the data with, if anyone? What about your customers' perceptions of how you're using their information? There isn't a one-size-fits-all answer to any of these questions, but thinking about each one can help shape how your organization thinks about and balances the needs of data collection and security.

Begin with your business model

A good way to start tackling these questions is by looking at your business model. It can serve as a valuable resource by helping you weigh the value of personalization against the risk of keeping the data safe. How much value can you potentially get out of personalization? What data do you need to collect to maximize that value? What are the risks associated with your approach? What could mitigate those risks? Can you honestly justify the cost of personalization? With your business model as a starting point, you can determine the value and needs around customer data, along with the resources required to make it happen.

Where should you store customers' data?

Do you host this sensitive information yourself, or let your third-party vendor (which perhaps has more security expertise and resources) receive, analyze and store it in the cloud? How will the data be transmitted? If you keep it with you, how do you coordinate and decide on the security measures for safeguarding it? Whether you choose to store the data on premises or in the cloud, there are benefits and drawbacks to each scenario. For instance, one benefit of the cloud is that it enables smaller retailers (which may lack the IT resources to host it themselves) to collect information and learn more about their customer base. In addition, you can rely on the security and data expertise of your partner and trust them to handle everything properly. The flip side is that the cloud can be a security liability: someone else (your partner) is receiving and managing your customers' data. The more systems the data passes through and the more entities that touch it, the greater the risk of a security breach.

CONTINUE READING ON POINTOFSALE.COM


INTEGRATION OF SELF-ORDER KIOSKS and POS

by Juan Perez, CEO, ADUSA, Inc.

Self-ordering kiosks are becoming more popular in Quick Service and Fast Casual restaurants. Most recently McDonald's announced that it would be rolling out self-order kiosks to all of its 14,000 US stores. Many of the other major QSR players have followed suit with their own trials, pilots and rollout announcements, while in the Fast Casual space companies like Panera have been executing their own kiosk rollout strategy for some time.

Beyond the kiosk, the mission-critical system that these companies all have in common is of course their point of sale. But while the POS is a common component in all of these companies, it often comes from a different POS provider, given the number of options there are to choose from. This diversity of POS systems creates challenges for the retailers now wanting to integrate kiosks, and also for the kiosk solution providers themselves. There is, however, an organized way for both retailers and solution providers to work together and effectively go about the business of exploring kiosks and finding the best fit. The goal of both parties is to find the combination that provides the desired self-order kiosk function in a solution that is also well integrated with the POS, so as to mitigate issues with respect to cost, redundancy of data, support and long-term cost of ownership. Keep in mind that what you are looking for as far as integration goes boils down to two key areas:

1. Integration of sales data on the kiosk into the sales database on the existing POS. You want the sales data from the kiosk to be included in the total sales reporting you get from the POS, but you also want to be able to see separately the sales that are being generated on just the kiosk.

2. Integration of back-end systems, including payment processing and the kitchen display system (KDS). Through the POS, the kiosk should be able to make use of the payment processing/payment gateway services you already have in place. By the same token, the kiosk should be able to send prep information to the POS so that it in turn sends it to the KDS. In other words, leverage what you have. You should not be paying extra for separate payment processing and KDS services for just the kiosk; nor should you even consider those options from a pure operations standardization standpoint. Reusing the existing gateway also keeps card data on the payment path you have already validated, rather than adding a second path to your PCI DSS scope.

Start with Your POS Provider

Some POS solution providers have added self-ordering kiosk modules to their existing solution portfolio. This is clearly the safest and most expedient way to find a kiosk solution that is already fully integrated with your POS, since presumably the POS vendor will have done a good job of integrating this new module into their existing POS framework. The vendor should be able to articulate how their "native" integration addresses both of the key points described above.

ARTICLE CONTINUED ON POINTOFSALE.COM


Four Reasons why Retailers are Choosing

Cloud POS

By Djamel Toubrinet, Cegid

In recent years, an increasing number of retailers have made a transition from traditional POS to a cloud POS architecture. This includes not only large organizations, but smaller operations as well. While such change can be attributed to many catalysts, here are four of the main reasons why retailers are choosing cloud POS today.

Lower cost of entry, as well as a lower total cost of ownership (TCO)

A popular cloud delivery model today is Software-as-a-Service (SaaS). Retailers pay less at the outset for SaaS because there is no need to purchase a software license. Instead, POS software is available on a monthly subscription basis. Subscription rates vary depending on individual retailers' needs, but most come at reasonable prices. The monthly subscription fee covers the use of the software, hosting services, and any maintenance, development and upgrades, leading to decreased TCO. According to a study by research firm Hurwitz & Associates, cloud POS solutions can reduce the TCO for POS software by up to 55 percent.

Cloud POS gives retailers anytime, anywhere access to data

From wherever in your operation you happen to be, or from any location with an internet connection, your cloud POS solution enables you to access sales information, inventory counts, labor use percentages, productivity reports and other mission-critical data in real time and for all stores. With cloud POS, retailers' POS software, and consequently all of their data, can be viewed from mobile devices. This gives you enhanced control of your entire operation, 24 hours a day, seven days a week.

Smooth upgrade path

As stated above, monthly fees for SaaS include upgrades to the technology, which are performed by the vendor. Upgrades can be managed remotely and are delivered automatically, eliminating both downtime (along with the headaches and potential loss of business that accompany it) and last-minute scrambles to obtain an upgraded version of the POS software. Overall productivity is improved as well. Additionally, because cloud POS software is hosted on a remote server rather than in-store, there is no need to upgrade hardware or make provisions for additional data storage space as the volume of customer and inventory data in your system increases.

Enhanced data security

With a cloud POS solution in place, the risk of losing data to breaches and malware on in-store machines is reduced because the data is stored in the provider's data center rather than on a back-office PC. A professionally run data center is typically far better defended than any data storage environment a retailer could maintain on its own. Reputable software providers work with security solutions providers to ensure the integrity of all data in their care, and cloud POS systems allow for security measures such as encryption of data in transit and at rest, centralized access control and logging that a single store would struggle to operate itself. As a bonus, backups are part of the service, so a power outage or hardware malfunction in the store does not mean lost data or the cost of rebuilding a back-office server. The in-store terminals, card readers and network remain the retailer's responsibility, however, and still need to be secured and patched.

Cloud POS isn't for everybody. However, its benefits make it an option worth exploring by retailers of all sizes.



Be sure to visit these websites for useful POS information and free resources:

• POS-Advice.com - 100% focus on restaurant POS.
• POSforum.net - a POS support forum where users share information and answer tech questions for products, including Oracle/Micros and Aloha. Free.
• Restaurantsoftwarelist.com - A list of technology solutions for restaurants and hospitality. Find developers, manufacturers, resellers and processors.
• BarCode.com - Great content on bar codes, bar code printing, labels, bar code supplies, RFID, IoT, UPC codes, QR codes and much more. Over 3,000 articles and completely free. Includes a free barcode label making tool. Need to buy a bar code? We can help you there too.

January 14-16, 2018 NRF Big Show & EXPO

NRF 2018 is Retail’s Big Show. It’s retail’s most important three-day conference, which brings together the largest gathering of industry executives for discussions of the latest industry trends and gives attendees an unparalleled view into how retail brands of all sizes are transforming themselves for the digital age.

February 6-9, 2018 Retail Loss Prevention & Profit Protection, Hong Kong

Responding to industry demand to maximize business profitability, the Retail Loss Prevention & Profit Protection Summit 2018, taking place in Hong Kong, promises to be the global platform, and Asia's #1, for retail industry leaders to share best practices and improvement strategies.

February 6-8, 2018 Future Stores Miami

Future Stores is where America’s most innovative omni-channel and in-store experience professionals meet and learn. We gather the highest level executives in the retail industry to focus on in-store innovation and bridging the gap between physical and digital retail environments. Our program is created with extensive research and detailed surveys from past attendees, lending insight on what lies ahead for the in-store experience.



WHY YOUR BUSINESS WEBSITE SHOULD WEAR AN "S"

by Dean Coclin, Senior Director, Business Development, at Symantec and a member of the CA Security Council

The number of cyber-attacks organizations come under every day is staggering, and growing every year. Attackers are always evolving and becoming more sophisticated. Yet they still rely on many of the same tactics they've been using for years to trick people into visiting fake web sites, or to slip past companies' security systems. The Certificate Authority Security Council (CASC), an advocacy group committed to the advancement of web security, is leading the effort to protect both your customers and your brand reputation by getting every business web site to serve its pages with an "s" added to the "http" in the browser's address bar. Sounds simple, but behind that letter "s" are security technologies and best practices that keep your customers' interactions with you encrypted, unaltered in transit, and tied to a server that has proved its identity.

The Threat Landscape

As we head into the busy holiday shopping and travel season, protecting your customers' information has never been more challenging in the face of the sheer number of attacks on organizations of all sizes and across all industries. Successful attacks against large multinational enterprises and government agencies make news headlines. But small businesses are prime targets too: 71 percent of cyber-attacks are aimed at businesses with fewer than 100 employees, according to a report by the U.S. House Committee on Small Business. That's why the Committee recently advanced the Improving Small Business Cyber Security Act of 2016, which now awaits the Senate's consideration. The bill amends the Small Business Act to authorize the Small Business Administration (SBA) to make grants to small business development centers (SBDCs) to help businesses harden their security postures.

The SBA's Top 10 Cybersecurity Tips for small businesses include a recommendation that businesses protect all pages on their public-facing websites, not just the checkout and sign-up pages. It's great advice for any size of organization, and it's why CASC advocates for the adoption of digital certificate best practices and the proper issuance and use of digital certificates by Certificate Authorities (CAs), browsers (i.e., Firefox, Google Chrome, Microsoft Edge), and other interested parties.

Add the "S"

The four letters "http" are known to technical and non-technical users alike as the beginning of any web address. That's about to change, and soon you won't be able to go to many popular web sites without using "https". The "s" indicates that the page is served over the security protocol TLS (the successor to SSL), which encrypts the traffic between the server and the user's browser and lets the browser check the server's certificate before it sends anything. The adoption effort is well underway. Some of the biggest names on the Internet have already adopted HTTPS, including Facebook, Twitter and Netflix. Google announced more than a year ago that its adoption of what it calls "HTTPS Everywhere" will have a positive impact on search rankings. There are other business benefits. Google encourages site owners and their website managers to adopt https to gain a competitive advantage in search engine rankings.

As a small business owner, you and your website manager (whether that person is on staff or you partner with a third party) should be aware of the six key ways this will affect your customers' experiences and interactions with your site:

1. Clear, visible warnings: Web browsers will use visual cues to alert users of non-https connections. For example, Google Chrome will highlight insecure pages with a red X in the address bar. They will also warn if an insecure page asks for a password or credit card by showing the words "Not Secure". Firefox plans a similar warning for sites requesting passwords. In the future, both will transition from an information warning to a red triangle, which is more noticeable.

CONTINUE READING ON POINTOFSALE.COM
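The advice above to put every page behind https, not just checkout, is easy to state and easy to get half right: a site that still answers on port 80 with content, redirects with a temporary status, or never tells returning browsers to skip plain http is still reachable over http. The following Python script is an added example (not code from the article, Symantec or CASC) that checks captured HTTP and HTTPS responses for the two properties a practitioner would verify: that the plain-http URL redirects permanently to https on the same host, and that the https response carries a usable Strict-Transport-Security (HSTS) header, which the article does not mention but which is what keeps browsers on https after the first visit. The host shop.example, its paths and the response headers are constructed for the example.

```python
"""Check that a page "wears an S": plain http must redirect to https, and the
https response must carry an HSTS policy browsers will honour.

Added example, not code from the article. It works on captured responses,
so it runs offline; the SAMPLE_PAGES below are constructed for illustration
and describe no real site.
"""

from urllib.parse import urlparse

ONE_YEAR = 31_536_000  # seconds; a widely recommended minimum HSTS max-age
PERMANENT = (301, 308)
TEMPORARY = (302, 307)


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value.

    Directives are ';'-separated and case-insensitive.  Returns a dict with
    'max-age' (int), 'includesubdomains' and 'preload' (bool), or None when
    max-age is missing or not an integer, in which case browsers ignore the
    header entirely.
    """
    policy = {"max-age": None, "includesubdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max-age"] = int(val.strip().strip('"'))
            except ValueError:
                return None
        elif name in ("includesubdomains", "preload"):
            policy[name] = True
    return policy if policy["max-age"] is not None else None


def check_https_policy(http_url, http_status, http_headers, https_headers):
    """Return a list of findings (strings) for one page; [] means it passes.

    http_url      - the http:// URL that was requested
    http_status   - status code the server returned over plain http
    http_headers  - that response's headers
    https_headers - headers returned when the same page is fetched over https
    """
    findings = []
    h = {k.lower(): v for k, v in http_headers.items()}
    s = {k.lower(): v for k, v in https_headers.items()}

    # 1. Plain http must not serve the page; it must send the browser to https.
    if http_status not in PERMANENT + TEMPORARY:
        findings.append(f"served over plain http (status {http_status}); no redirect to https")
    else:
        target = urlparse(h.get("location", ""))
        origin = urlparse(http_url)
        if target.scheme != "https":
            findings.append(f"redirects to a non-https location {h.get('location')!r}")
        elif target.hostname != origin.hostname:
            # http://a -> https://b never lets host a set its own HSTS policy.
            findings.append(f"redirects to a different host {target.hostname!r}; "
                            "redirect to https on the same host first")
        elif http_status in TEMPORARY:
            findings.append(f"temporary redirect ({http_status}); use 301 or 308 so the "
                            "redirect is cached and search engines index the https URL")

    # 2. HSTS (honoured only when received over https) keeps returning
    #    visitors on https even if they type http:// or follow an http link.
    hsts = s.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header on the https response")
    else:
        policy = parse_hsts(hsts)
        if policy is None:
            findings.append(f"malformed HSTS header {hsts!r}; browsers will ignore it")
        else:
            if policy["max-age"] < ONE_YEAR:
                findings.append(f"HSTS max-age {policy['max-age']}s is shorter than one year")
            if not policy["includesubdomains"]:
                findings.append("HSTS lacks includeSubDomains; subdomains stay reachable over http")
    return findings


def audit(pages):
    """Run check_https_policy over a list of captured pages; returns {url: findings}."""
    return {p["http_url"]: check_https_policy(p["http_url"], p["http_status"],
                                              p["http_headers"], p["https_headers"])
            for p in pages}


# Constructed sample captures for a hypothetical shop (not a real site):
# the checkout page is done right, the "about" page is on https only by accident.
SAMPLE_PAGES = [
    {"http_url": "http://shop.example/checkout", "http_status": 301,
     "http_headers": {"Location": "https://shop.example/checkout"},
     "https_headers": {"Strict-Transport-Security":
                       "max-age=63072000; includeSubDomains; preload"}},
    {"http_url": "http://shop.example/about", "http_status": 200,
     "http_headers": {"Content-Type": "text/html"},
     "https_headers": {"Strict-Transport-Security": "max-age=300; includeSubDomains"}},
]

if __name__ == "__main__":
    for url, findings in audit(SAMPLE_PAGES).items():
        print(url, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

To run this against a live site, capture each page twice (once over http without following redirects, once over https) with any HTTP client and feed the status and headers in; the checker is deliberately separated from fetching so the same rules can be applied to a crawl of every page, which is the point of the SBA tip.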


CASE STUDY: SMALL RETAILERS ARE GOING BIGGER WHEN IT COMES TO PAYMENTS SECURITY

by George Rice, Director of Payments for HPE Security at Hewlett Packard Enterprise

Data breaches are damaging for every company that suffers them, no matter the size. Unlike their larger peers, however, small businesses frequently aren't given the chance to recover from the financial and reputational impact of a breach. According to a report from The New York Times, sixty percent of all online attacks in 2014 targeted small and midsize businesses [1]. That same year it was found that nearly three-quarters of companies that "suffer major data loss" shut down within 24 months.

Combating cyber criminals can be tough for businesses that lack the technical and budgetary resources of a large enterprise. Partners with the expertise and perspective to support the unique needs of small businesses can be few and far between. Epicor Software Corporation is one such partner. It was founded to serve just these types of businesses, and today the company supplies state-of-the-art enterprise resource planning (ERP) solutions to small and mid-sized retailers in North America. This includes everything from payments and finance systems, to merchandise sourcing and inventory management, to business intelligence and cross-selling in-store, online, or on mobile apps.

In 2015, enterprise-grade security from Hewlett Packard Enterprise (HPE) joined the list of options available to the 5,000-plus Epicor retail customers. Epicor considered a wide range of approaches to data security before settling on HPE SecureData Payments, including implementing alternate gateways or its own internal data encryption, as well as investigating commercial offerings from vendors such as TransArmor and Bluefin. HPE's Secure Stateless Tokenization (SST) and Format-Preserving Encryption (FPE) proved to be the difference, providing Epicor and its retail clients end-to-end protection from the point of sale (POS) terminal all the way through the payments lifecycle (FPE encrypts the card number while preserving its length and format, so it still fits fields built for a PAN; SST replaces it with a token without keeping a token vault).

"When we took a close look at HPE SecureData Payments, we liked what we saw," says Matt Mullen, vice president of strategy and product at Epicor. "It was already used by other top retailers in the space where we compete, and HPE SecureData Payments offers a deployment framework that allowed us to bring our data security solution to market in a very easy and affordable manner."

The initial implementation was finished in just seven weeks and was integrated into Epicor's systems without disruption. Today, Epicor hosts the software in its cloud-based payments gateway, which in turn is hosted by Amazon Web Services (AWS) across six fully redundant AWS availability zones in three different regions. Security and resiliency are built in to the approach, providing protection from both breaches and downtime.

This multi-tenant, multisite gateway handles the full roster of tenants identically, with all six availability zones providing instant backup for each other. That way, if one site goes down, the other five pick up the slack and continue processing payments. HPE SecureData Payments plugged into the environment without much customization, a key factor in Epicor's choosing it as the go-to security mechanism for guarding sensitive transactions at the POS.

CONTINUE READING ON POINTOFSALE.COM


Security And Convenience: Retailers & Their Customers CAN Have It All

By Steve Montross, CEO, CPI Card Group

Merchants understand that providing customers with as many ways to pay as possible enables sales and improves customer satisfaction, making it a critical business priority. At the same time, merchants also need to protect themselves from fraudulent chargebacks that eat into profits. Merchants don't have to choose between security and convenience. The payments transformation in the U.S. will play out over the next several years, driven by the dual pressures of security and convenience. The key for merchants is to understand the full context of the changes in order to incorporate them into their business strategy and explain them to customers to smooth the way. Here are a few key observations that can help you make the best decisions for your business and educate your customers about the security and convenience of their payments.

Easing the Pressure

Much has been written about the troubled rollout of chip cards in the U.S., from longer processing times and customer frustration to the difficulties merchants are having getting their new POS technology certified. It's true that there is currently a bottleneck in the EMV conversion process at the merchant acquirer and processor level. Merchants are frustrated by the backlogs, and concerned about the chargebacks they are liable for in the interim (since the October 2015 liability shift, counterfeit-card fraud at a terminal that cannot accept chip cards is charged back to the merchant). But for all the hand-wringing, there is no doubt that these hurdles will get ironed out.

First of all, both MasterCard and Visa are taking steps to smooth the transition, reducing the number of tests required in the certification process to shorten the time it takes to get terminals online. Visa, MasterCard and American Express have also revised their chargeback policies to limit the impact of fraud on merchants during the transition period, and launched new software designed to speed up EMV chip transactions. With all those improvements in the works, merchants can assure customers that the couple of extra seconds at the register won't be permanent.

An Inevitable Improvement

More important than the immediate easing of the pressure, though, is the inevitability of EMV's success. Europe and Canada both converted to EMV years ago and haven't looked back. Looking at examples in other countries, we can see that after a period of adjustment, everyone (consumers, merchants, issuers) adapts to the new technology. Europeans and Canadians now embrace inserting their chip cards, because they've seen major benefits in terms of fraud reduction. In fact, according to the European Central Bank, fraud carried out at POS terminals dropped 24 percent between 2007 and 2011, primarily due to the widespread adoption of EMV. The U.S. is currently ranked second among twenty countries in terms of experiencing the most credit card fraud, with 46 percent of American credit cardholders having experienced fraud at least once in the last five years, according to a recent global survey from ACI Worldwide and Aite Group.

CONTINUE READING ON POINTOFSALE.COM


How To Choose The Best SSL/TLS Certificate For Your Online Presence

By Ben Wilson, Vice President of Industry Relations and Compliance, DigiCert, Inc.

Buying an Organization-Validated (OV) or Extended Validation (EV) SSL/TLS Certificate will enhance your website’s reputation, give customers the assurance they need to complete secure transactions with confidence, decrease cart abandonment rates, and build long-term customer loyalty.

More people are spending money online than ever before, and online accounts are a major customer touchpoint, so as your business grows, you might be considering an e-commerce storefront. However, some potential customers may be concerned about the security of their credit card data. As a result, they are likely to abandon their purchases—it’s estimated that over 50% of consumers regularly abandon their shopping carts, and that is lost revenue. Establishing trust is mission critical. Consumers need to trust you in order to transact business confidently with you. An SSL/TLS certificate provides the most basic level of trust—the padlock icon in the address bar of your customer’s browser. Hence, SSL/TLS certificates are a critical building block for secure electronic commerce. Because of the security that they provide, the Payment Card Industry Data Security Standards (PCI-DSS) also require you to have an SSL/TLS certificate for online checkout (or whenever you’re transmitting cardholder data).

SSL/TLS certificates are sold by Certification Authorities that verify that the owner of the domain has a cryptographic key. Not all SSL/TLS certificates are the same. Different kinds of certificates display different information. Some only show the domain name while others show more information about the company. The most basic type of SSL/TLS Certificate is the Domain-Validated (DV) certificate. While a DV Certificate allows for encryption to take place between the browser and the server, a DV certificate does not contain any identification information other than the domain name. These SSL/TLS Certificates are considered lower assurance because they don’t verify the identity of the domain owner. The only check is control of the domain (owner information in WHOIS), which can be anonymous. Because DV certificates do not contain any identification information, you cannot be sure it’s really the merchant you think it is. Companies using weakly validated certificates risk losing the trust of customers who rely on SSL/TLS certificates to reassure them about the company behind the website. Without such reassurance, customers will go elsewhere to conduct their business.

There are two other types of SSL/TLS certificates—Organization-Validated (OV) and Extended Validation (EV). For both types of certificate, CAs are required to exercise diligence to ensure that the information in the OV/EV certificate is accurate. (OV Certificates are generally less expensive than EV Certificates because fewer requirements accompany their issuance.) In these types of certificates, attributes such as business name, location, address, and incorporation or registration information have been checked by the CA. The same is not true for DV certificates. OV/EV certificates involve a two-step validation process—first, verification that the applicant owns, or has the legal right to use, the domain name, and second, verification that the applicant is an accountable, validly existing entity. DV certificates skip the second, business-identity-validation step.

CONTINUE READING ON POINTOFSALE.COM
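A defender-side check of the distinction described above, added here as an example and not code from DigiCert or the article: it classifies a parsed certificate as DV, OV or EV from what the subject fields and the CA/Browser Forum EV policy OID (2.23.140.1.1) actually assert. The domain shop.example, the organization name and the self-signed fixtures are constructed assumptions so the check runs offline; against a live site you would feed it the verified leaf certificate instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

type Assurance string // validation tier a server certificate asserts

const (
	DV Assurance = "DV" // domain control only: the subject names just the domain
	OV Assurance = "OV" // organization identity vetted and placed in the subject
	EV Assurance = "EV" // extended validation, signalled by the EV policy OID
)

// CA/Browser Forum EV policy OID (2.23.140.1.1) and the RFC 5280 certificatePolicies extension OID.
var (
	evPolicyOID        = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	certPoliciesExtOID = asn1.ObjectIdentifier{2, 5, 29, 32}
)

// Classify reports the tier a parsed certificate belongs to. EV is checked first
// (an EV cert also carries organization fields); a subject with an Organization but
// no EV policy is OV; anything else is DV, meaning only domain control was checked.
func Classify(cert *x509.Certificate) Assurance {
	for _, oid := range cert.PolicyIdentifiers {
		if oid.Equal(evPolicyOID) {
			return EV
		}
	}
	if len(cert.Subject.Organization) > 0 {
		return OV
	}
	return DV
}

// mintTestCert builds a constructed, self-signed fixture so the checker runs offline;
// production code would take the leaf from a tls.ConnectionState after chain verification.
func mintTestCert(subject pkix.Name, ev bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		DNSNames:     []string{"shop.example"}, // constructed domain
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if ev {
		// Encode certificatePolicies (SEQUENCE OF PolicyInformation) by hand so the
		// fixture does not depend on which template field a Go release marshals.
		type policyInfo struct{ Policy asn1.ObjectIdentifier }
		ext, err := asn1.Marshal([]policyInfo{{Policy: evPolicyOID}})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: certPoliciesExtOID, Value: ext}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Fixture returns a test leaf shaped like a DV, OV or EV certificate; the subject
// values are constructed stand-ins for what a CA would actually have vetted.
func Fixture(kind string) (*x509.Certificate, error) {
	org, country := []string{"Example Retail LLC"}, []string{"US"}
	switch kind {
	case "dv":
		return mintTestCert(pkix.Name{CommonName: "shop.example"}, false)
	case "ov":
		return mintTestCert(pkix.Name{CommonName: "shop.example", Organization: org, Country: country}, false)
	case "ev": // SerialNumber holds the registration number; "0000000" is a placeholder
		return mintTestCert(pkix.Name{CommonName: "shop.example", Organization: org, Country: country, SerialNumber: "0000000"}, true)
	}
	return nil, fmt.Errorf("unknown fixture %q", kind)
}

func main() {
	for _, kind := range []string{"dv", "ov", "ev"} {
		cert, err := Fixture(kind)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s fixture -> %s, organization=%q\n", kind, Classify(cert), cert.Subject.Organization)
	}
}
```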


TWO MILLION ATTEMPTS of POS Checkout Theft Detected

When StopLift detected its 2 millionth incident of scan avoidance at a Piggly Wiggly, the supermarket’s owner knew that cashiers were either stealing or failing to scan items, costing his supermarkets major losses. Chris Ajlouny, owner of 11 Piggly Wiggly supermarkets in the Birmingham, AL area, did not tell any employees at his stores when he installed StopLift, so that he could see the extent of scan avoidance. In the first week, he saw three cashiers steal $400–$500 at a time, sliding groceries around the scanner and later getting “kickbacks” from the customer. One cashier admitted to getting kickbacks outside the store and was fired. “I’m amazed that we were the 2 millionth incident,” Ajlouny said. “The system has accomplished a lot. As long as we keep stopping these people, it’s excellent. I wouldn’t open a store without having StopLift installed.” Now he shows new employees videos of scan avoidance from his “smart cameras” to deter them from both stealing and negligence at the checkout. Theft has also been deterred in the supermarkets’ receiving areas. “My cashiers know they are being watched,” Ajlouny said. “They see their performance on video. StopLift keeps an honest person honest and makes a dishonest person honest.”

Yet, the new Piggly Wiggly employee whom StopLift’s Scan-It-All™ video analytics technology caught stealing in its 2 millionth scan avoidance incident thought he could outsmart the smart cameras. Ajlouny immediately fired him. StopLift Checkout Vision Systems has detected and confirmed more than 2 million incidents of scan avoidance at both manned and self-checkouts at supermarkets and retailers in the U.S. and around the world. Incidents include “sweethearting”, when cashiers pretend to scan merchandise but deliberately bypass the scanner, thus not charging the customer for the merchandise. The customer is often a friend, family member or fellow employee working in tandem with the cashier.

Some of Ajlouny’s cashiers need retraining. The managers see the reports of all the cashiers, and now everyone works harder to give their respective stores the best record for preventing scan avoidance. “There are barely any mistakes anymore,” Ajlouny said. “It’s working great as a deterrent to stealing and careless scanning.” He said that one of Piggly Wiggly’s popular sales is “Pick 5” in the meat department. Prior to StopLift, cashiers frequently omitted scanning some of the items, whereas now the system knows if all five are scanned.

Malay Kundu, founder and CEO of StopLift, said that Scan-It-All™ visually determines what occurs during each transaction to immediately distinguish between legitimate and fraudulent behavior at the checkout. As soon as a scan avoidance incident occurs, StopLift, which constantly monitors 100% of the security video, flags the transaction as suspicious. It quickly reports the incident, identifying the cashier or customer and the date and time of the theft. This includes incidents which may be due to mistakes by the cashier or customer at self-checkout as well as items left in the shopping cart. The technology eliminates costly, time-consuming human review of video, and drastically reduces and deters fraud at the checkout.

CONTINUE READING ON POINTOFSALE.COM


YOUR 8-POINT CHECKLIST TO SECURING YOUR E-COMMERCE PLATFORM

The holiday rush is upon us, and consumers continue with their shopping sprees well into the new year. However, hackers will also have a field day trying to profit from all this holiday traffic. The best approach to a security threat is to be proactive: to reduce the likelihood of being attacked, and to reduce the impact, should there be any. The second half of the year saw more than 500 million data records compromised by security threats. One of the more recent security hacks happened just this October with a DDoS attack on internet management company Dyn. It’s even more worrisome when the compromised targets involve financial systems and personal records. The truth is this: data breaches, DDoS attacks, malware, and other security breaches are always going to be there to challenge any system. The best action is to take a proactive stance toward securing your systems. When there is due diligence towards security, it discourages or slows down hackers from targeting your organization.

Ready for the holiday rush? This year, NRF Research projected holiday sales to increase by 3.6 percent to $655.8 billion. In the same research, online sales are forecast to grow by 6 to 7 percent from last year’s number to $117 billion. If you want a piece of that pie, it’s not only time to ramp up your marketing efforts. It’s also important to get aggressive in protecting your systems, your brand, and most important, your customers’ trust. CLICK HERE to read a checklist on what you should do to ensure all systems are “go” during the holiday rush.

How You Can Benefit From Using a POS Consultant

So, you’ve decided to make point of sale technology an integral part of your business—what do you do now? We recommend that you talk to at least three local specialists in point of sale. These specialists are also known as VARs, or Value-Added Resellers. VARs often provide services including equipment installation and setup, software and menu configuration, connecting your POS system to a payment processor, and transferring data from your old system to the new one. Then they can train your staff so that the pain associated with switching to a new system is minimized. Why use a VAR? Because your staff is already working at 100% of capacity. Setting up a new system takes dozens of hours for a single store, and much more than that for a multi-store operation. A VAR will also often provide ongoing maintenance and technical support. Consulting an expert in POS technology can save you time and money!



TOP 4 TIPS for Retailers to Secure their Sites

by Tim Jarrett, Senior Dir. of Security, Veracode

Imagine being in the midst of the holiday season and opening an anonymous email claiming to have captured data from hundreds of thousands of customer records, which will be released unless you pay up. Although it is better than waking up to find that the records have already been published on a dark web black market, it is still one more IT problem to deal with during the already overwhelming holiday season. Last year’s Black Friday online sales hit a new record of $3.34 billion—the first time it broke the $3 billion mark—according to Adobe Digital Insights. For IT teams at retail organizations, this means constantly having to keep up with the flood of traffic, in turn often overlooking security in the process. Put simply, the holiday season is not just busy for the average shopper. Working on holding together new pages and applications or devoting extra resources to mission critical applications like payment authorization tools and shopping carts can be a lot of work. All the moving parts make it easy to slip up on security, in turn putting both the company and its customers at risk.

We found evidence of this in Veracode’s most recent State of Software Security (SOSS) Report, which pulled together insights from code-level analysis of 300,000 application security assessments. Our research found that 62 percent of applications in the retail and hospitality industries did not pass security tests on their first try. And even after those issues were discovered, only 67 percent of the vulnerabilities discovered were fixed, leaving sensitive consumer and business information out in the open for hackers.

The biggest issue for the retail and hospitality industry was poor code quality (69 percent of applications), which often results from poor coding practices like improper use of resources, in turn leaving applications vulnerable to denial of service (DoS) attacks. More troubling were the cryptographic issues: for example, the use of cryptographic algorithms already broken by attackers, or failure to properly secure Internet communications, possibly allowing attackers to steal credit card data or credentials. These cryptographic issues affected 68% of applications in this industry. Even after years of effort to combat SQL Injection vulnerabilities, which allow an attacker to change or steal information from a database, this issue still affects one out of every three retail applications. Although simple to fix, these kinds of vulnerabilities are easy to overlook in the rush to build and deploy more apps in time for the holidays. To avoid negative outcomes that may come from an overlooked flaw, it is important for developers and security teams to work together early in the development process to prevent or fix vulnerabilities before they put others at risk. CLICK HERE to read some general tips to help keep websites safe this holiday season and beyond.



EMV Turned Two, Continues to

PRODUCE FRUSTRATION AMONG CONSUMERS

by Henry Helgeson, CEO of Cayan

It’s hard to believe that two years have passed since U.S. retailers began accepting chip card payments. What started out as a mandate to avoid certain fraud liabilities caused major headaches for both retailers and their customers. Shoppers either encountered checkouts that did not yet accept chip cards (often advertised via eyesore sticky notes fastened to the point of sale), or were forced to endure unreasonably long waits while their chip card payments processed. As these waits - and lines - grew, retailers were losing money. We calculated that with upwards of 26.2 billion credit card transactions annually, businesses lost 116 million hours per year to slow EMV. So now, at the two-year anniversary, it would be natural to think that the problems facing EMV adoption and processing would have been resolved… sadly, no such luck. We recently conducted an independent study of 1,000 consumers and 500 small to midsize retailers about their experience with EMV, and were surprised to learn that merchants still have work to do to meet consumers’ expectations. According to our new study, consumers continue to be frustrated for two principal reasons.

The first frustration: acceptance. The majority of shoppers want to pay with their chip-enabled debit/credit cards and become irritated (naturally) when they find out they cannot. Our research also found that only two in three retailers currently accept EMV. What’s even more surprising is that despite the mandate, 38 percent of those retailers who do not accept EMV think it’s not necessary to do so. Whether the barrier is a matter of cost or the perception that implementation is too complex, the reality is that every merchant should now be EMV compliant - not only to avoid fraudulent chargebacks, but also to deliver the fast, simple and stress-free checkout experience that customers expect.

The second frustration: speed… or rather, the perceived lack of it. Despite the fact that chip card transaction speeds have generally improved (the average transaction takes around 11 seconds), our study found that shoppers still feel it takes too long. Twenty-six percent of consumers estimate they wait half a minute or more for a transaction to complete, while another 22 percent report wait times of up to 20 seconds. The fact is that no one likes to be made to wait - consumers have long memories and they are not willing to wait in line for what seems like an eternity. The next time they walk into a retailer where they’ve already had a bad experience and they see a long line, they may turn right around and walk out.

CONTINUE READING ON POINTOFSALE.COM



Point-Of-Sale Attacks Still Going Strong

BUT THE REASON ISN’T WHAT YOU THINK

by Gregory Grant, Phoenix Managed Networks

While many organizations have become aware of the dangers that lurk because of cyber criminals, Point-of-Sale (POS) systems remain a tasty target for attackers seeking payment card and other sensitive data. Just look at the research: the 2016 Verizon Data Breach Investigations Report, which examines over 100,000 incidents, including 2,260 confirmed data breaches across 82 countries, revealed that POS attacks accounted for thirty-two percent of all incidents and sixty-four percent of breaches in which data was stolen last year alone. When you add up the dollars, this is quite significant. Even after the wake-up call that retailers received in 2014 when POS systems for some of the biggest names in retail were hacked, POS attacks continue to occur, but why? And why is it that most of the victims are PCI compliant and have monitoring tools in place that should have identified those threats before they became a full-blown attack? There are a couple of reasons this happens.

The Problem Isn’t Entirely the POS System

The issue arises because most businesses aren’t considering the fact that POS systems are just one link in the chain. They are largely leaving their networks vulnerable because once they hear the word “compliant,” many assume they are also secure. Time and again, we see that it isn’t the POS system that gets directly attacked; it is everything else on the network that leads to the POS system or, more importantly, to the back office computer that is connected to the Internet and moving the electronic payment and other types of critical data. The bottom line: compliant doesn’t equal secure. There are multiple ways a hacker can access a network, along with countless tactics they’ll use in doing it. For example, I was recently talking with an executive from a company whose system was compromised through the remote access service they use, within their POS software, to manage retail locations across the country. A hacker figured out a way to get into that remote component of the POS system and hacked a number of retail locations. There are dire consequences with this type of attack. The card brands that make up the PCI DSS body look at this situation and say, “card data is card data. Whether it was encrypted or not, that business still allowed information to be stolen.” Over forty percent of businesses don’t survive an initial breach due to the sheer financial strain on the organization. They are often restricted to cash payments, face insurmountable fines and must recover from significant brand damage.

Set It and Forget It: Not so Fast

The second problem is one of sheer resources and understanding. Simply putting tools in place to identify threats doesn’t mean a business is protected.

CONTINUE READING ON POINTOFSALE.COM



RETAILERS CAN WARD OFF HACKERS WITH POINT-TO-POINT ENCRYPTION TECHNOLOGY

by Sue Yi, Beazley Breach Response (BBR) Services

Credit card breaches at retailers have become a regular and accepted occurrence over the past few years. Companies of all sizes that process credit card payments are vulnerable, and organizations are looking for the best way to protect themselves and their customers. Improved technology for point of service devices, along with common sense security measures, can greatly improve security and reduce opportunities for hackers. Hacking and malware remained the leading cause of data breaches in the retail industry through the third quarter of 2016 – accounting for 53% of data breaches – according to the latest Beazley Breach Insights report. Retailers need to process transactions, and hackers aren’t going away, making increased security an imperative for all retail businesses.

Let’s get to the point

The solution to persistent hacks against retailers can start with the devices customers use to complete credit card transactions. Point of sale systems come in several forms, and the most commonly used systems leave cardholder data vulnerable for a split second before encryption. These software-based terminals, which rely on encryption software to protect payment card information, are generally called “end-to-end” encryption. While end-to-end encryption still leaves data vulnerable, more secure technologies encrypt data to ensure that payment card numbers are never accessible in a plain text, un-encrypted format. These “point-to-point” point of sale terminals encrypt data through their hardware, removing the opportunity for hackers to capture card data. Once the card is swiped at the card reader, it is delivered directly to a third party payment processor’s environment— no card data is ever stored in plain text on the retailer’s system.

The point-to-point technology is preferable to software encryption that still leaves points of vulnerability between systems. In addition, costs for a qualified security assessor, if needed, can be lower if a company employs a payment card industry approved point-to-point encryption system.

Not just money is on the line

The costs of credit card breaches can increase exponentially over time. Target, one of the first national retailers to fall victim to a sizable credit card breach, at one point estimated their direct breach-related costs at $252 million. Expenses included digital forensics investigation, legal counsel, credit monitoring offerings, increased staffing for their customer call center, regulatory defense and ongoing litigation. However, this figure does not include any related loss of sales or diminished consumer reputation following the breach.

CONTINUE READING ON POINTOFSALE.COM



Positioning Value-Added Resellers As

TRUSTED SECURITY ADVISORS

By Nicole Bryan, Sterling Payment Technologies

Everyone has skin in the game when it comes to security within the payments ecosystem. Consumers need their account information protected to avoid fraud, merchants need to safeguard all data they collect to avoid liability for breaches, and payment processors need to avoid paying out for fraudulent losses. With a growing focus on EMV and mobile transaction processing as a means of boosting payment security nationwide, the ability of a value-added reseller to highlight how they can help merchants navigate the new security atmosphere is crucial. VARs would be wise to put their best possible foot forward when it comes to positioning themselves as security experts who can help their clients adapt.

Where to Begin?

The good news for VARs is that most merchants now have at least some familiarity with the ways in which the payment processing industry is shifting toward a more secure position. The 2015 EMV liability shift did a lot to kick-start a mass migration toward this type of payment processing. This occurred at the same time as broadening availability of mobile payment technology helped NFC purchases catch on with a small but ever-growing number of merchants and consumers. With this in mind, perhaps the best way for VARs to highlight their security expertise is to take some of the burden off their merchant clients. With hundreds of thousands of merchants nationwide having already made the switch to newer and more secure payment technologies, or positioning themselves to do so in the near future, there are likely to be plenty of questions about the best ways to meet PCI compliance standards and otherwise step up payment security. That’s where VARs can help: while merchants typically do not have much - or any - familiarity with how to both meet and maintain industry security standards, VARs do. Therefore, positioning themselves as a kind of IT department and advisor on all related security matters, on an ongoing basis, can go a long way toward building that kind of trust.

What Do Merchants Want?

When they undergo the necessary EMV or mobile upgrades involved with taking the next step in security, merchants - regardless of their size or industry - typically want things to be as simple as possible, according to Webroot. The problem some of these businesses face, however, is that some VARs do not always have a novel, helpful approach to the ongoing security not only of each transaction, but of the overall point-of-sale systems companies rely on. For instance, while antivirus and anti-malware systems are obviously a must for protecting POS devices and systems as a whole, some VARs do not often prioritize the latest and greatest options to protect those platforms. While merchants themselves may want to maintain a sort of “set it and forget it” attitude toward these kinds of protections, resellers simply cannot allow that to happen. Being proactive, regularly updating security measures, and scanning for threats as quickly and effectively as possible is a great way for any VAR to stand out from the competition. That, in turn, increases both security and satisfaction among clients.

CONTINUE READING ON POINTOFSALE.COM


Could Blockchain Technology

Solve the Data Security Crisis?

by Alastair Johnson, Founder and CEO of Nuggets

First, the bad news

And it’s pretty bad. But don’t panic – there’s good news coming too. Right now, data security is in crisis. A better word might be meltdown. What was an emerging problem only a few years ago has blown up into the greatest fear of online shoppers, and the single biggest headache for businesses. Data breaches have become almost daily news. And some of them are truly vast.

An escalating crisis

Earlier this year, hackers stole the details of 143 million Americans from credit monitoring firm Equifax. Those details included home addresses and Social Security numbers – gold dust for identity thieves. Of course, the biggest breach of all time (so far) puts even Equifax in the shade. In 2016, Yahoo finally admitted that all three billion of its customer records were breached when it was hacked in 2013. It’s a problem that has been growing exponentially in recent years. In the first half of 2017 alone, almost two billion customer records were compromised, according to digital security firm Gemalto. The same article reported a 164% increase in stolen, lost or compromised records over the previous six months. This is clearly bad news for consumers, who can lose valuable payment and identity details. It’s also extremely bad for any company that has to store its customers’ personal information.

A bill in the billions

These huge central silos of data are obvious targets for cybercriminals. But they’re also vulnerable to self-inflicted accidents. A 2017 report by insurance group Beazley found that while 34% of breaches were the result of hacking or malware, almost as many – 29% – were down to ‘unintended disclosure.’

Criminal or accidental, the risks to customer loyalty are obvious. If a merchant can’t be trusted with your credit card details, you’re much less likely to buy from them. But can we put a number against the cost of these breaches? A recent study by CGI and Oxford Economics aimed to do exactly that. They studied 65 companies affected by cyber security breaches since 2013, and found that such breaches permanently damaged share values. Their report estimated the total cost to those 65 companies’ shareholders at over $50 billion. That’s an average loss of almost $770 million. In 2016, the cost of card and identity fraud was $16 billion in the US alone. This is partly because such fraud creates additional losses beyond the money directly stolen. For every dollar US merchants lost in card fraud in 2016, they lost an additional $2.40 in chargebacks, fees and replacing merchandise. The measures taken to stop such crime can end up costing even more. In 2015, ‘false positives’ (legitimate transactions mistakenly declined as fraud) accounted for almost $118 billion of losses in the US alone. Again, the longer-term impact on customer loyalty is also dramatic. Almost 40% of cardholders who suffered a false positive decided to abandon that card.

Convenience vs fear

No wonder today’s consumers are caught between their delight at the convenience of e-commerce and their fear of having their payment and identity details stolen. A 2015 survey found that the potential theft of personal data was online shoppers’ biggest concern – cited by 70% of respondents.

CONTINUE READING ON POINTOFSALE.COM


THE SAFETY NET OF AN ASSET MANAGEMENT SYSTEM

By Brian Sutter, Wasp Barcode

When you’re a business owner, you can never be too careful with your investments—especially those that are integral to keeping business moving. Fixed assets—the long-term pieces of property used in the production of income—are typically some of the biggest investments on the balance sheet. They include everything from laptops and printers to vehicles and heavy machinery.

And if you buy these assets with the intention of keeping them for more than a year, as is standard, they’re probably important enough that you’ll want to keep an eye on them.

Yet when it comes to fixed asset tracking, many small business owners are remarkably cavalier: According to the 2017 Wasp Barcode State of Small Business Report, 55 percent of small businesses don’t track assets or use a manual process to do so.

In a world where almost everyone and everything has some kind of information in the cloud, it’s hard to believe that some businesses out there are still using a pen and paper when auditing their assets, or, even more unbelievably, just guessing at what they have, where it is, and what condition it’s in.

Keeping your assets secure means knowing where they are to begin with. If you’re one of these SMB owners that admitted to not tracking your company’s assets, but still say you pride yourself on your security, or transparency, or accountability, you’re a walking contradiction.

If you’re reluctant to take the plunge, here are some important perks of investing in an asset management system that you might not have considered:

Asset management systems keep your assets safe

The fixed assets your company buys are often used by your employees on a daily basis. Maybe it’s their computer or laptop, or a mobile device like a barcode scanner or wearable tech like a smart watch. Maybe it’s a company vehicle, like a truck used to transport orders, or a drone that helps pick inventory off hard-to-reach shelves. The point being, your employees likely interact with your assets a lot. And because of that—even though we’d like to think that we hire only the best people, people that we trust not to do our business harm— the unfortunate truth is that our assets often go missing.

Sometimes, a missing asset is the result of an honest mistake—say, by leaving a laptop or device at a job site overnight by accident. But according to a 2016 Global Fraud Study, asset misappropriation was by far the most common form of occupational fraud, with a median loss of $125,000 per scheme.

While some of these “schemes” include check tampering and cash larceny, others include asset requisitions and transfers or plain misuse.

Occupational fraud is clearly always going to be a risk when going into business, no matter how careful you are in your hiring and workplace practices. But one surefire way to cut down on the instances of misappropriation is to use a system that adds layers of transparency and accountability to the use of fixed assets.

Automated fixed asset management systems can keep digital records of when an asset was last checked out, by whom, and for what purpose. These records can be used to keep people honest, as well as to help track down assets that have gone missing due to forgetfulness.

The benefits to this are twofold: One is, of course, that you won’t lose valuable investments due to employee misappropriation. But the second is an issue that can continue haunting your business well after the initial loss.

It prevents “ghost assets” from haunting your business

A ghost asset is a fixed asset that is on the books but can’t be found in real life.

CONTINUE READING ON BARCODE.COM



WHAT YOU DON’T KNOW ABOUT DATA SECURITY AND YOUR POS

by Larry Fiel, VP, Marketing, PDQ Signature Systems

Amid the array of acronyms that represent the data security standards put forth by the Payment Card Industry for vendors who develop payment applications and merchants who accept and/or store credit card data are the co-mingled responsibilities for safeguarding consumer transactions. Understanding exactly what these standards mean and how best they can be adhered to can be the difference between sustained business growth and the erosion of financial assets and customer confidence in your restaurant. The goal of this article is to provide you, the restaurant owner, with an educational overview of what is required—and needed—to properly, securely and compliantly protect your business, employees and valued customers from all forms of cyber-crime.

PCI DSS

Enacted in unison by the major credit card companies, the Payment Card Industry Data Security Standard (PCI DSS) encompasses a wide range of security requirements that card-accepting merchants need to fulfill. Non-compliance with PCI DSS can result in chargebacks, fines and penalties—including loss of card use.

PA DSS

PA DSS—or the Payment Application Data Security Standard—is the set of PCI-mandated requirements for software vendors who develop payment applications that store, process or transmit payment cardholder data.

PCI Compliance as a Partnership

In short, these standards mean that your POS provider must be PA DSS compliant and you—the merchant—must be PCI DSS compliant. Most often, however, there is a “hard” line between what your provider needs to do and what you need to do to achieve compliance. Some POS companies leave the arduous task of becoming PCI DSS compliant fully up to the merchant by offering self-serve information. Others utilize a third-party security provider to piecemeal a “solution” that is often less than what is required for full compliance. But the best POS providers innately understand that data protection is integral to a merchant’s success and, accordingly, work with the merchant to ensure the data integrity of his/her business. The process of proactively assisting a business owner in becoming (and remaining) PCI compliant is an opportunity for a POS provider to demonstrate committed value. A provider who treats compliance as a partnership is likely to treat all business initiatives as goal-centered endeavors that help solidify long-term relationships.

PCI DSS for POS Providers?

PCI DSS compliance is not just for merchants! PCI DSS compliance also applies to companies that provide services that control or impact the security of cardholder data, including POS providers and managed service providers that provide firewalls, intrusion detection services, etc.

PA DSS “Out of Scope”

“Out-of-scope” describes an arrangement that completely separates the POS from card data. When out of scope, the POS transmits transaction details to a PCI-certified device, which securely captures card data, communicates with the merchant’s payment processor, and then passes a response back to the POS. Since the POS never receives sensitive cardholder data, it is out of scope for PA-DSS requirements. Because an out-of-scope solution isolates the POS, it also frees the POS provider from having to be PA-DSS compliant. However, some POS providers leap ahead of their competitors by being out-of-scope AND gaining PA-DSS compliance. These elite few adhere to software development best practices to build a better product with enhanced product integrity. CONTINUE READING ON POINTOFSALE.COM
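To make the out-of-scope arrangement concrete, here is an added example in Python; it is not code from the article or from PDQ Signature Systems. It models the two integrations side by side: a POS that hands the sale to a separate payment device and only ever receives a masked response, and a legacy POS that reads the card itself and writes the raw authorization request to a troubleshooting log. A small cardholder-data discovery check (Luhn-filtered digit runs) is then run over each POS log, which is the kind of evidence an assessor wants to see before agreeing that the POS is out of scope. The device, the simulated processor decision, the test card number and the log lines are all constructed for the example.

```python
"""Added example (not from the article): out-of-scope vs. in-scope POS, plus a
cardholder-data discovery check over POS-side logs. All values are constructed."""
import re
from dataclasses import dataclass, field

# Constructed test PAN: passes the Luhn check, is not a real account number.
TEST_PAN = "4111111111111111"


def luhn_valid(digits: str) -> bool:
    """Luhn check digit validation as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Cardholder-data discovery: Luhn-valid 13-19 digit runs (spaces/dashes allowed)."""
    hits = []
    for m in re.finditer(r"\d(?:[ -]?\d){12,18}", text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep only the last four digits, which PCI DSS allows to be displayed."""
    return "*" * (len(pan) - 4) + pan[-4:]


class PaymentDevice:
    """Stand-in for the PCI-certified device: the only component that sees the PAN."""

    def __init__(self) -> None:
        self._card = None                 # card data lives only inside the device
        self.processor_log: list[str] = []

    def present_card(self, pan: str, expiry: str) -> None:
        self._card = (pan, expiry)        # customer dips/taps at the device, not the POS

    def request_payment(self, amount_cents: int, ref: str) -> dict:
        if self._card is None:
            raise RuntimeError("no card presented")
        pan, _expiry = self._card
        self._card = None                 # clear card data as soon as it has been used
        approved = luhn_valid(pan)        # simulated processor decision (constructed)
        self.processor_log.append(f"{ref} auth {amount_cents} {mask(pan)} {'OK' if approved else 'DECLINED'}")
        return {"ref": ref, "approved": approved,
                "auth_code": "A1B2C3" if approved else "", "masked_pan": mask(pan)}


@dataclass
class OutOfScopePOS:
    """POS that sends only amount and reference, and receives only the masked response."""
    log: list[str] = field(default_factory=list)

    def sale(self, device: PaymentDevice, amount_cents: int) -> dict:
        ref = f"T{len(self.log) + 1:04d}"
        resp = device.request_payment(amount_cents, ref)
        self.log.append(f"{ref} amount={amount_cents} card={resp['masked_pan']} auth={resp['auth_code']}")
        return resp


@dataclass
class InScopePOS:
    """Legacy integration: the POS reads the card itself and logs the raw request."""
    log: list[str] = field(default_factory=list)

    def sale(self, amount_cents: int, pan: str, expiry: str) -> dict:
        ref = f"T{len(self.log) + 1:04d}"
        approved = luhn_valid(pan)
        # This "debug" line is exactly what pulls the POS into PA-DSS / PCI DSS scope.
        self.log.append(f"{ref} amount={amount_cents} pan={pan} exp={expiry} approved={approved}")
        return {"ref": ref, "approved": approved, "masked_pan": mask(pan)}


def pans_in_pos_log(pos_log: list[str]) -> list[str]:
    """What an assessor runs over POS-side records: any hit means CHD reached the POS."""
    return [p for line in pos_log for p in find_pans(line)]


def demo() -> tuple[list[str], list[str]]:
    """Returns (PAN hits in out-of-scope POS log, PAN hits in legacy POS log)."""
    device = PaymentDevice()
    oos = OutOfScopePOS()
    device.present_card(TEST_PAN, "12/29")
    oos.sale(device, 1999)

    legacy = InScopePOS()
    legacy.sale(1999, TEST_PAN, "12/29")
    return pans_in_pos_log(oos.log), pans_in_pos_log(legacy.log)


if __name__ == "__main__":
    clean, leaked = demo()
    print("out-of-scope POS log PAN hits:", clean)
    print("legacy POS log PAN hits:", [mask(p) for p in leaked])
```

The discovery check is deliberately simple (digit runs plus Luhn); in practice it would be run over databases, memory dumps and backups as well as logs, since any one of those holding a PAN puts the system back in scope.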


3 THREATS TO YOUR POS SOFTWARE ...and how to deal with them

By Colin Kennedy, Iron Road

Point-of-sale software users - particularly smaller to medium operations - need to be aware that there are three critical issues that could threaten the security of their businesses: ransomware attacks, mobile payments and confidential data.

Independent retail software expert Stu Lees says that in his experience the corporate users of POS software do a good job with security, but smaller operations lag when it comes to both awareness and appropriate security measures.

Ransomware

‘I have encountered three retailers just recently who were hit by ransomware because a staff member clicked on a link they shouldn’t have. Ransomware attacks - where malicious parties encrypt the data on your computer until you pay them to free it - are on the increase. All three of these retailers were semi-crippled for more than a day.’

Lees said ransomware attacks don’t just happen. They result because a staff member was tricked into clicking on a link. For retailers using a cloud point-of-sale system like Vend, for example, their point of sale systems are safe, but the computers themselves are no longer usable.

Mobile payments

While corporate companies worry about whether or not they have to be Payment Card Industry Data Security Standard (PCI DSS) compliant, smaller businesses are for the most part not paying much attention to mobile payments. ‘Smaller retailers will be able to leverage their EFTPOS (electronic funds transfer at point of sale) terminal providers for security. The bigger issue, and it’s less one of security, is selecting the suppliers who are most compatible with your customer demographic. For example, Stripe, Google or Apple. The mobile phone is going to replace the wallet, and retailers need to be aware of this and begin to develop a strategy for how they will transition, because it’s often at moments of transformation that we’re the most vulnerable to mistakes that could lead to issues down the road. What some of those might be is still evolving,’ Lees said.

Customer data

The third important issue is storage and security of private customer data. ‘If your systems are not secure and your computer gets stolen, you may have just handed over thousands of your customers’ home address details stored on the PC. Security of data is not much of an issue if you’re using a cloud-based point-of-sale system. However, your user security must be on point. If a staff member leaves and you don’t remove their login rights, they could go home and access your data for malicious or competitive reasons,’ Lees said.

Three tips to help secure your POS system

1. Implement best practise configurations: Lees said every retailer, no matter how small, should have a good IT service provider who can professionally install security software and apply a best practise security configuration to the system. ‘Make sure your IT systems are regularly inspected by a professional. Downloading security software from the Internet won’t cut it,’ he said.

2. Staff awareness and education: Making your staff aware of the dangers of ransomware, and educating them in how to recognise threats, will go a long way to mitigating the threat of ransomware.

3. Systemise user security: Ensure there are processes and procedures in place for protecting your POS systems when a staff member departs. ‘Don’t trust anybody. The moment a person departs, for whatever reason, make sure that they can no longer access any of your systems,’ said Lees.
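Tip 3 is the one most easily turned into a routine check rather than a reminder. The Python below is an added example, not from the article or from Iron Road: it joins an HR roster (with departure dates) against the POS system’s user list and its login history, and reports enabled accounts belonging to departed staff, enabled accounts with no HR owner at all (shared or forgotten logins), and any login recorded after a departure date. All names, dates and records are constructed sample data; a real run would pull them from the HR system and the POS user export.

```python
"""Added example (not from the article): an offboarding review for POS user accounts.
Roster, account list and login events below are constructed sample data."""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional


@dataclass(frozen=True)
class StaffRecord:
    username: str
    departed: Optional[date]        # None = still employed


@dataclass(frozen=True)
class PosAccount:
    username: str
    enabled: bool


@dataclass(frozen=True)
class LoginEvent:
    username: str
    at: datetime
    source: str                     # e.g. a till name, or "remote"


# Constructed sample data: HR roster, POS user list and recent login records.
ROSTER = [
    StaffRecord("alice", None),
    StaffRecord("bob", date(2017, 3, 31)),      # left; account should have been disabled
    StaffRecord("carol", date(2017, 4, 15)),    # left; account was disabled correctly
    StaffRecord("dave", None),
]
ACCOUNTS = [
    PosAccount("alice", enabled=True),
    PosAccount("bob", enabled=True),            # stale: still enabled after departure
    PosAccount("carol", enabled=False),
    PosAccount("dave", enabled=True),
    PosAccount("store_mgr", enabled=True),      # shared login with no HR owner
]
LOGINS = [
    LoginEvent("alice", datetime(2017, 4, 2, 9, 1), "till-1"),
    LoginEvent("bob", datetime(2017, 3, 30, 8, 0), "till-1"),       # before departure: fine
    LoginEvent("bob", datetime(2017, 4, 3, 22, 14), "remote"),      # after departure: flag
    LoginEvent("carol", datetime(2017, 4, 14, 10, 0), "till-2"),    # before departure: fine
    LoginEvent("store_mgr", datetime(2017, 4, 5, 7, 45), "till-1"),
]


def stale_accounts(roster, accounts) -> list[str]:
    """Enabled POS accounts whose owner has a departure date on the HR roster."""
    departed = {s.username for s in roster if s.departed is not None}
    return sorted(a.username for a in accounts if a.enabled and a.username in departed)


def orphan_accounts(roster, accounts) -> list[str]:
    """Enabled POS accounts with no matching HR record at all."""
    known = {s.username for s in roster}
    return sorted(a.username for a in accounts if a.enabled and a.username not in known)


def post_departure_logins(roster, logins) -> list[LoginEvent]:
    """Logins strictly after the departure date: access that should not have been possible."""
    departed = {s.username: s.departed for s in roster if s.departed is not None}
    return [e for e in logins if e.username in departed and e.at.date() > departed[e.username]]


def offboarding_report(roster=ROSTER, accounts=ACCOUNTS, logins=LOGINS) -> dict:
    """One report a manager or IT provider can run after every departure."""
    return {
        "stale_accounts": stale_accounts(roster, accounts),
        "orphan_accounts": orphan_accounts(roster, accounts),
        "post_departure_logins": [
            f"{e.username} {e.at:%Y-%m-%d %H:%M} via {e.source}"
            for e in post_departure_logins(roster, logins)
        ],
    }


if __name__ == "__main__":
    for key, value in offboarding_report().items():
        print(f"{key}: {value}")
```

A post-departure login, especially from a remote source as in the constructed “bob” record, is the case Lees describes; the orphan check catches the shared manager login that no offboarding step will ever disable because nobody owns it.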


WHAT RESTAURANTS NEED TO KNOW about EMV Compliance

By Brad Kime, SVP of Channel & Alliances, Upserve

We all witnessed the change from swiping to inserting our credit cards two years ago, but that transition is ongoing. Small businesses, and restaurants in particular, can be wary of adopting EMV technology for myriad reasons, including cost, process, and the pressures of adopting new technology. However, one concern stands out above the rest—security, and rightly so. With countless data breaches surfacing in the news every day, and consumers on edge about their information’s safety, every small business should be critical of the new technologies it adopts. It’s no wonder some restaurant owners haven’t moved to EMV compliance yet. As an advisor to your restaurateur customers, it’s important to be informed on this topic and to acknowledge that reluctance about the change is understandable, but that EMV cards were introduced as a way to make mobile payments more secure. Indeed: they are quickly becoming a global standard for all payment and processing. And, with card security continuing to be a concern in restaurants, the shift to EMV compliance isn’t just a “nice to have” for restaurant POS systems – it’s on its way to becoming mandatory. We’ve gathered information on common EMV security concerns from restaurants, so that you can help your customers make an informed and wise decision about compliance.

The Chip

The most common concern surrounding the switch to EMV is security within the chip. Restaurateurs are worried that the new technology may not be as secure as the traditional swipe card. Here’s what they need to understand: whereas existing magnetic stripe technology continues to be prone to hacking, embedded chip cards are much safer, with near-impossible encryption to protect against counterfeiting. Data is actually more secure than on a magnetic stripe card because EMV supports dynamic authentication. This means that the card has an ever-changing password of sorts encrypted within, making it vastly more difficult for hackers to access and copy the data. The United States is one of the last nations to adopt EMV technology, which is surprising considering how global credit card fraud has dropped significantly since worldwide implementation.

Liability

While the chip is the most visible change, many restaurateurs are also concerned about who the liability will fall to should there be fraudulent charges on their new EMV payment system. Prior to EMV, credit card issuers were responsible for the liability in fraudulent chargebacks from customers. But the liability ownership changed with the deadline for compliance. Now, should an EMV chip card be swiped as opposed to dipped, and a fraudulent chargeback then be claimed, the business is liable for chargebacks above $25. If, however, you have an EMV reader, then the liability shifts back to the card issuer, and this remains true even if the chip is damaged. CONTINUE READING ON POINTOFSALE.COM
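The “ever-changing password” the article refers to is EMV’s dynamic authentication: the chip computes a fresh cryptogram for each transaction over a transaction counter, the amount and a nonce from the terminal, using a key that never leaves the card. The Python below is an added, deliberately simplified illustration of that idea; it is not the EMV specification and not code from Upserve. It uses HMAC-SHA256 in place of the issuer-specific cryptogram algorithms, and the card identifier, keys, track data and nonces are all constructed. It contrasts an issuer that can only compare static track data (where an exact copy is indistinguishable from the genuine card) with one that checks a per-transaction cryptogram and a strictly increasing counter, so that a replayed or amount-tampered authorization is declined.

```python
"""Added example (not from the article): why per-transaction cryptograms resist the
copy-and-replay that works against static stripe data. Simplified model, not EMV itself."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class StripeIssuer:
    """Issuer that only has static track data to compare against (constructed track)."""
    track_on_file: str

    def authorize(self, track_presented: str, amount_cents: int) -> str:
        # Nothing in a static track ties it to this transaction, so an exact copy
        # is indistinguishable from the genuine card.
        ok = hmac.compare_digest(track_presented.encode(), self.track_on_file.encode())
        return "APPROVED" if ok else "DECLINED: unknown card"


@dataclass
class ChipCard:
    card_id: str
    _key: bytes                  # never leaves the card; the issuer holds a copy
    atc: int = 0                 # application transaction counter

    def generate_cryptogram(self, amount_cents: int, unpredictable_number: str) -> tuple[int, str]:
        """The 'one-time password': a MAC over counter, amount and the terminal's nonce."""
        self.atc += 1
        msg = f"{self.atc}|{amount_cents}|{unpredictable_number}".encode()
        return self.atc, hmac.new(self._key, msg, hashlib.sha256).hexdigest()


@dataclass
class ChipIssuer:
    keys: dict[str, bytes] = field(default_factory=dict)
    last_atc: dict[str, int] = field(default_factory=dict)

    def authorize(self, card_id: str, amount_cents: int, unpredictable_number: str,
                  atc: int, cryptogram: str) -> str:
        key = self.keys.get(card_id)
        if key is None:
            return "DECLINED: unknown card"
        if atc <= self.last_atc.get(card_id, 0):
            return "DECLINED: counter already used"      # replay of a captured cryptogram
        msg = f"{atc}|{amount_cents}|{unpredictable_number}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINED: cryptogram mismatch"        # tampered amount/nonce, or a clone without the key
        self.last_atc[card_id] = atc                      # advance only on success
        return "APPROVED"


def issue_chip_card(issuer: ChipIssuer, card_id: str) -> ChipCard:
    key = secrets.token_bytes(16)                         # constructed per-card key for the demo
    issuer.keys[card_id] = key
    return ChipCard(card_id, key)


def replay_survives_copy() -> tuple[bool, bool]:
    """Does presenting captured data a second time get approved? Returns (stripe, chip)."""
    track = "B4111111111111111^TEST/CARD^2912101"        # constructed, test-number based track
    stripe_issuer = StripeIssuer(track_on_file=track)
    stripe_replayed = stripe_issuer.authorize(track, 1999) == "APPROVED"

    chip_issuer = ChipIssuer()
    card = issue_chip_card(chip_issuer, "card-01")
    atc, cryptogram = card.generate_cryptogram(1999, "3f9a1c2e")
    first = chip_issuer.authorize("card-01", 1999, "3f9a1c2e", atc, cryptogram)
    assert first == "APPROVED"
    # Same captured values presented again: the counter has already been consumed.
    chip_replayed = chip_issuer.authorize("card-01", 1999, "3f9a1c2e", atc, cryptogram) == "APPROVED"
    return stripe_replayed, chip_replayed


def tampered_amount_rejected() -> str:
    """The amount is changed after the card computed its cryptogram."""
    issuer = ChipIssuer()
    card = issue_chip_card(issuer, "card-02")
    atc, cryptogram = card.generate_cryptogram(1999, "7b2d0e11")
    return issuer.authorize("card-02", 2999, "7b2d0e11", atc, cryptogram)


if __name__ == "__main__":
    print("replay approved (stripe, chip):", replay_survives_copy())
    print("tampered amount:", tampered_amount_rejected())
```

The liability discussion that follows in the article hinges on exactly this difference: when a chip card is swiped instead of dipped, the transaction falls back to the static data the issuer cannot bind to the transaction, which is why the chargeback risk moves to the merchant.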



The Point of Sale News™, Lakewood Ranch, Florida, USA. editor@pointofsale.com | www.PointofSale.com






Copyright © 2017, Pointofsale.com Sarasota Florida. All rights reserved.

