I recently read an article on the PointofSales Blog mentioning the latest report from Juniper Research. Its analysts forecast that smartphone- and tablet-based mobile point-of-sale terminals will take on a significant role in businesses, handling 40% of all retail transaction value by 2021, up from an expected 12% in 2016. This made me think about the importance of the PoS and other payment card-reading devices.

This video doesn't need any comment. Imagine how much money can be stolen with a trick as simple as that one. And if a shop doesn't use security cameras, or if the recorded footage isn't monitored constantly, imagine how hard it can be to find those criminals quickly enough.

A study from Payments UK - that we reported on a couple of weeks ago - shows how 2015 saw a significant fall in the use of cash in the UK. Less than half of the payments completed last year were made using cash. This is a trend that will continue over the next ten years. It is expected that only 27% of all payments will be completed using cash in 2025.

This trend should raise one major question among payment card users and business owners. How is payment card data going to be protected from a continuously growing number of attacks and frauds? And if we change the point of view to a business one, how can Merchants, Retailers, Franchisers and Service Providers protect their business and the data of their customers?

Point-of-Sales devices and more.

When we talk about PoS we are actually applying a generalisation to identify the so-called payment card-reading devices or terminals used to accept payments from customers.

Although this terminology simplifies things, there are actually many devices that could come under attack: Point-of-Sale devices, PEDs (PIN Entry Devices) and standalone dial-out terminals are some of the most widespread. But let's not forget that ATMs are a sort of PoS too.

ATMs accept payment cards and customers enter their PIN codes into them, meaning that malicious users can easily cause the loss of customers' money by applying simple hacking techniques.

ZeroRisk PINpoint to protect PoS devices

Being a hacker nowadays is not that complicated. The required tools and material can be bought directly online and, with a little bit of practice, building the right skimmer is a piece of cake. Take a look at how Brian Krebs covers this important topic on his blog and how many simple but effective attacks were successfully completed over the years.

Latest attacks reveal that a lot of work must be done.

The biggest mistake we can make is to apply half measures and undervalue the risks by assuming that the techniques used to attack PoS devices can be prevented with a few simple steps. Half measures won't do: criminals are clever and skilled!

Technology evolves every year, or even every day! In the last few months several attacks against major organisations have succeeded. For instance Walmart (an American multinational retail corporation that operates a chain of hypermarkets, discount department stores and grocery stores) was recently breached. The video embedded in this article shows how the attack was completed. As we read in the article, "according to security expert Brian Krebs, a convincing device like this one retails for as much as $300 on the black market".

Payment Card-Reading devices and terminals must be constantly monitored.

The only way to protect your business from this type of attack is to set up a continuous monitoring process. Follow the PCI DSS Requirement 9.9 guidelines, simple rules that describe how to protect payment card-reading devices effectively: maintain an up-to-date list of devices (make, model, location and serial number), periodically inspect each device for signs of tampering or substitution, and train the staff who handle them to recognise both. Put in place a list of locations (stores, shops) and devices, inspect them and recurrently confirm their security status.
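To make the process concrete, here is an added example (not code from the original post, nor from ZeroRisk PINpoint) of the bookkeeping that Requirement 9.9 asks for: an inventory of card-reading devices, a log of physical inspections, and a review that flags devices that were never inspected, are overdue, show a different serial number from the one commissioned (possible substitution), or have broken tamper seals. The 30-day inspection interval, the store names, the device models and the serial numbers are all constructed assumptions for illustration; PCI DSS leaves the inspection frequency to the merchant's own risk assessment.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Sequence

# Assumed inspection policy for this example. PCI DSS 9.9.2 asks for
# periodic inspection but leaves the frequency to the merchant.
INSPECTION_INTERVAL = timedelta(days=30)


@dataclass(frozen=True)
class Device:
    """One card-reading device in the inventory (the 9.9.1 fields)."""
    device_id: str
    location: str
    make_model: str
    serial: str  # serial recorded when the device was commissioned


@dataclass(frozen=True)
class Inspection:
    """One physical inspection of a device (9.9.2)."""
    device_id: str
    when: date
    serial_seen: str    # serial read off the device's label on site
    seals_intact: bool  # tamper-evident seals and casing undamaged


@dataclass(frozen=True)
class Finding:
    device_id: str
    location: str
    issue: str


def latest_inspection(inspections: Sequence[Inspection],
                      device_id: str) -> Optional[Inspection]:
    """Return the most recent inspection record for a device, or None."""
    matching = [i for i in inspections if i.device_id == device_id]
    return max(matching, key=lambda i: i.when) if matching else None


def review_inventory(devices: Sequence[Device],
                     inspections: Sequence[Inspection],
                     today: date) -> List[Finding]:
    """Compare the inventory against the inspection log and report problems.

    A device is flagged if it was never inspected, if the serial seen on
    site differs from the commissioned one (possible substitution), if
    tamper seals were found broken (possible skimmer overlay or opened
    casing), or if its last inspection is older than INSPECTION_INTERVAL.
    """
    findings: List[Finding] = []
    for dev in devices:
        last = latest_inspection(inspections, dev.device_id)
        if last is None:
            findings.append(Finding(dev.device_id, dev.location, "never inspected"))
            continue
        if last.serial_seen != dev.serial:
            findings.append(Finding(
                dev.device_id, dev.location,
                f"serial mismatch (recorded {dev.serial}, seen {last.serial_seen}): "
                "possible substitution"))
        if not last.seals_intact:
            findings.append(Finding(
                dev.device_id, dev.location,
                "tamper seals broken: possible skimmer or opened casing"))
        age = today - last.when
        if age > INSPECTION_INTERVAL:
            findings.append(Finding(
                dev.device_id, dev.location,
                f"inspection overdue ({age.days} days since last check)"))
    return findings


# Constructed sample data: fictional stores, models and serial numbers.
SAMPLE_DEVICES = [
    Device("T-001", "Store 12 (Dublin)", "ACME PINpad 200", "SN-A1001"),
    Device("T-002", "Store 12 (Dublin)", "ACME PINpad 200", "SN-B2001"),
    Device("T-003", "Store 07 (Cork)", "ACME Countertop 5", "SN-C3001"),
    Device("T-004", "Store 07 (Cork)", "ACME Countertop 5", "SN-D4001"),
    Device("T-005", "Store 21 (Galway)", "ACME Mobile mPOS", "SN-E5001"),
]
SAMPLE_INSPECTIONS = [
    Inspection("T-001", date(2016, 4, 15), "SN-A1001", True),
    Inspection("T-001", date(2016, 5, 20), "SN-A1001", True),
    Inspection("T-002", date(2016, 5, 25), "SN-B2002", True),   # swapped unit
    Inspection("T-003", date(2016, 4, 10), "SN-C3001", True),   # stale check
    Inspection("T-005", date(2016, 5, 28), "SN-E5001", False),  # seals broken
]
SAMPLE_TODAY = date(2016, 6, 1)


def run_example() -> List[Finding]:
    """Run the review over the constructed sample data."""
    return review_inventory(SAMPLE_DEVICES, SAMPLE_INSPECTIONS, SAMPLE_TODAY)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.device_id} @ {f.location}: {f.issue}")
```

The serial-number comparison is the part worth keeping even in a spreadsheet: a swapped terminal with a skimmer inside looks identical from the outside, so only the serial recorded at commissioning tells you the unit in the store is the one you installed.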

You can easily achieve this using spreadsheets, but that method will require a lot of time and manual work. Or you can take a look at ZeroRisk PINpoint and make this task extremely simple and accessible to anyone in your organisation.


Written by Marco Borza

I am the Founder of Advantio.
Technology has been my passion since I was a kid; when I first heard the handshake of an old 300bps modem I realised security would be key in an interconnected world. Since then it has become my passion and primary focus.
The reason I started my own business is to make IT Security simple.

Certifications: CISSP / CCSA (Checkpoint) / ITIL Foundations / ACSA (ArcSight) / Linux+ / PCI-QSA / PA-QSA