4 Tips for Choosing a Secure POS System

Sarita Harbour, Business News Daily Contributor | April 07, 2014 10:16am ET

If you’re serious about building a successful small business, you’ll need to choose a merchant account service and point-of-sale (POS) system to accept payments from customers.

The truth is that in today’s technology-driven world, cash-only businesses won’t cut it anymore. Customers demand fast and convenient payment processing for their credit or debit cards. At the same time, as the recent Target credit card breach shows, payment security for POS systems is critical in order to protect customer data.

So what should you look for when choosing your first POS? Experts provided these tips for small and medium-size business (SMB) owners.

Is the POS system PCI compliant?

The first thing to look for is whether your new POS system meets the required regulations for accepting credit cards. “Any business that accepts credit card payments for goods or services must be PCI compliant,” said Tony Ciccerone, a Detroit-based territory manager for Heartland Payment Systems. This means that in addition to following the Payment Card Industry Data Security Standard (PCI DSS) rules for credit card processing, your POS itself must meet PCI standards for merchants.

This is important because if your customers’ information is leaked, you could be on the hook for financial damages, even if your company uses PayPal or some other third-party service provider to process your credit card transactions, said Vikas Bhatia, founder and CEO of cybersecurity firm Kalki Consulting. “Make sure to ask your service provider for proof that they passed their PCI DSS evaluations,” he said.

Update and maintain purchased technology

Technology is changing rapidly, and credit card payment processing systems are, too. When you choose your new POS system, ask the service provider about the maintenance schedule. An outdated system may put your business and customer credit card info at risk for a security breach.

“If you do buy technology (security or IT), make sure it’s maintained appropriately by having antivirus and anti-malware software installed and updated regularly,” said Bhatia.

That includes your firewall. “Consumer-class routers that are commonly used in SMBs generally include a firewall; however, it needs to be configured correctly in order to protect your network,” Bhatia said. It’s critical that you change the default login and password on every network device you purchase, including your new POS system, he added.

“The most advanced firewall is worthless if it has the default login and password in place,” Bhatia said.

In addition to ensuring your POS software is up-to-date, it’s important to check the changing PCI compliance rules regularly, to make sure your POS systems meet them, Ciccerone said.

“Visa and MasterCard, for example, change PCI rules and regulations about once a year,” he said.

Isolate your POS systems

When choosing a POS system, it’s also important to consider whether you can keep the system completely separate from the rest of your business technology.

“POS systems are often the weak link in the chain and vulnerable,” said Mark Bower, vice president of product management and solutions architecture for retail security tech provider Voltage Security.

Bower said POS systems often run a standard operating system and, therefore, are easy targets for attacks if they’re exposed to a malware delivery channel such as a browser, a compromised POS management system, a patch system or, worse, an insider.

“In use, POS systems should be isolated from other networks to restrict access to payment data flows, but often are connected to many systems,” Bower said.

Encryption services and fees

With security being such an important issue in electronic payment acceptance, it’s important to understand the encryption options available for a POS system.

Encryption is the process of changing information into a form that’s unreadable except to holders of a specific cryptographic key, according to the PCI website glossary. Using encryption protects your customers’ payment information from unauthorized access until it’s decrypted with the key.

Ask the POS salesperson if the system in question requires separate encryption services. Keep in mind that encryption could require an extra monthly fee. Also ask if they offer a system with end-to-end encryption, which can simplify the process, thus saving you time and money.

“Point-to-point encryption (P2PE) from the instant the card data is read, also called end-to-end encryption, addresses this risk by encrypting all the payment card data before it even gets to the POS,” Bower said. “If the POS is breached, the data will be useless to the attacker.”

Originally published on Business News Daily.