POS Security

According to Wikipedia: Despite the more advanced technology of a POS system compared to a simple cash register, the POS system is still just as vulnerable to employee theft through the sale window. A dishonest cashier at a retail outlet can collude with a friend who pretends to be just another customer. During checkout the cashier can skip scanning certain items or enter a lower quantity for some items, profiting from the "free" goods.

The ability of a POS system to void a closed sale receipt for refund purposes without requiring a password from an authorized superior also represents a security loophole. Even a function to issue a receipt with a negative amount, which can be useful under certain circumstances, can be exploited by a cashier to easily lift money from the cash drawer.

In order to prevent such employee theft, it is crucial for a POS system to provide an admin window for the boss or administrator to generate and inspect a daily list of sale receipts, especially the frequency of receipts cancelled before completion, refunded receipts and negative receipts. This is one effective way to alert the company to suspicious activity that may be going on, such as a high number of cancelled sales by a certain cashier, and to take monitoring action.
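The daily receipt review described above can be expressed as a small detection routine. The following is an added example, not code from the Wikipedia article or from any POS vendor: it builds a per-cashier summary of cancelled, refunded and negative receipts from a constructed day of sales and flags cashiers whose cancellation rate or count of negative receipts exceeds a threshold. The thresholds, the `Receipt` structure and the sample records are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Receipt:
    receipt_id: str
    cashier: str
    status: str   # "completed", "cancelled" (voided before completion) or "refunded"
    total: float  # a negative total is a "negative receipt"


# Constructed sample data for one trading day (not real records).
SAMPLE_RECEIPTS = [
    Receipt("R001", "alice", "completed", 42.10),
    Receipt("R002", "alice", "completed", 15.00),
    Receipt("R003", "alice", "cancelled", 0.0),
    Receipt("R004", "alice", "completed", 88.25),
    Receipt("R005", "bob", "completed", 12.00),
    Receipt("R006", "bob", "cancelled", 0.0),
    Receipt("R007", "bob", "cancelled", 0.0),
    Receipt("R008", "bob", "refunded", -30.00),
    Receipt("R009", "bob", "cancelled", 0.0),
    Receipt("R010", "bob", "completed", 9.50),
    Receipt("R011", "bob", "completed", -5.00),  # negative amount issued as a normal sale
]


def daily_summary(receipts):
    """Count receipts per cashier by the categories the admin report should show."""
    summary = defaultdict(lambda: {"total": 0, "cancelled": 0, "refunded": 0, "negative": 0})
    for r in receipts:
        row = summary[r.cashier]
        row["total"] += 1
        if r.status == "cancelled":
            row["cancelled"] += 1
        elif r.status == "refunded":
            row["refunded"] += 1
        if r.total < 0:
            row["negative"] += 1
    return dict(summary)


def flag_cashiers(summary, max_cancel_rate=0.25, max_negative=1):
    """Return {cashier: [reasons]} for cashiers exceeding the (assumed) thresholds."""
    flagged = {}
    for cashier, row in summary.items():
        reasons = []
        rate = row["cancelled"] / row["total"] if row["total"] else 0.0
        if rate > max_cancel_rate:
            reasons.append(f"cancel rate {rate:.0%} exceeds {max_cancel_rate:.0%}")
        if row["negative"] > max_negative:
            reasons.append(f"{row['negative']} negative receipts exceed limit of {max_negative}")
        if reasons:
            flagged[cashier] = reasons
    return flagged


if __name__ == "__main__":
    report = daily_summary(SAMPLE_RECEIPTS)
    for cashier, row in report.items():
        print(cashier, row)
    for cashier, reasons in flag_cashiers(report).items():
        print(f"REVIEW {cashier}: " + "; ".join(reasons))
```

Thresholds like these belong in configuration and should be tuned per store; the point is that the report is generated and reviewed by someone other than the cashier it describes.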

To further deter employee theft the sale counter should also be equipped with a closed-circuit television camera pointed at the POS system to monitor and record all the activities.

At the backend, price and other changes to inventory items, such as discounts, made through the administration module should also be secured with passwords provided only to trusted administrators. Any changes made should also be logged and capable of being retrieved later for inspection.
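One way to implement the authorization and change-logging requirement just described, as an added example that is not part of the Wikipedia article or any vendor's software: price changes are accepted only from an allow-listed administrator, every attempt (including denied ones) is appended to an audit log, and each log entry carries a SHA-256 hash chained to the previous entry so that later edits to the log are detectable. The administrator list, SKUs and prices are constructed sample values.

```python
import hashlib
import json
import time

# Constructed: the set of trusted administrators allowed to change prices.
ADMINS = {"admin1"}
GENESIS = "0" * 64


class PriceCatalog:
    def __init__(self):
        self.prices = {"SKU-100": 1299.00, "SKU-200": 3.50}  # constructed inventory
        self.audit_log = []            # append-only list of change records
        self._prev_hash = GENESIS

    def change_price(self, user, sku, new_price, reason):
        """Apply a price change only for an authorized user; log every attempt."""
        if user not in ADMINS:
            self._append({"event": "denied", "user": user, "sku": sku, "new": new_price})
            raise PermissionError(f"{user} is not authorized to change prices")
        old = self.prices.get(sku)
        self.prices[sku] = new_price
        self._append({"event": "price_change", "user": user, "sku": sku,
                      "old": old, "new": new_price, "reason": reason})

    def _append(self, record):
        # Each entry embeds the previous entry's hash before being hashed itself.
        record = dict(record, ts=time.time(), prev=self._prev_hash)
        body = json.dumps(record, sort_keys=True).encode()
        record["hash"] = hashlib.sha256(body).hexdigest()
        self._prev_hash = record["hash"]
        self.audit_log.append(record)

    def verify_log(self):
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = GENESIS
        for rec in self.audit_log:
            if rec["prev"] != prev:
                return False
            body = {k: v for k, v in rec.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

    def changes_for(self, sku):
        """Retrieve the applied price changes for one item, for later inspection."""
        return [r for r in self.audit_log if r["event"] == "price_change" and r["sku"] == sku]


if __name__ == "__main__":
    catalog = PriceCatalog()
    catalog.change_price("admin1", "SKU-100", 1199.00, "weekend promotion")
    try:
        catalog.change_price("cashier7", "SKU-100", 1.00, "n/a")
    except PermissionError as exc:
        print("blocked:", exc)
    print("log intact:", catalog.verify_log())
    for entry in catalog.changes_for("SKU-100"):
        print(entry["user"], entry["old"], "->", entry["new"], entry["reason"])
```

In a real deployment the log would be written to storage the POS terminal cannot modify (a separate server or write-once store), so that the hash chain protects against tampering rather than merely flagging it after the fact.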

The sale records and inventory are highly important to the business because they provide very useful information to the company: customer preferences, customer membership particulars, the top-selling products, who the vendors are and what margins the company is getting from them, and the company's monthly total revenue and cost, to name just a few.

It is therefore important that reports on these matters generated at the administrative backend be restricted to trusted personnel only. The database from which these reports are generated should also be secured via passwords or via encryption of the data stored in the database, so as to prevent it from being copied or tampered with.

Despite all such precautions and more, the POS system can never be made entirely watertight against internal misuse if a clever but dishonest employee knows how to exploit many of its otherwise useful capabilities.

News reports on POS system hacking show that hackers are more interested in stealing credit card information than anything else. The ease and advantage offered by the ability of a POS system to integrate credit card processing thus has a downside. In 2011, hackers were able to steal credit card data from 80,000 customers because Subway’s security and POS configuration standards for PCI Compliance – which governs credit card and debit card payment systems security – were “directly and blatantly disregarded” by Subway franchisees.[23]

In June 2016, several hundred of Wendy's fast food restaurants had their POS systems hacked by illegally installed malware.[24] The report goes on to say that "the number of franchise restaurants impacted by these cybersecurity attacks is now expected to be considerably higher than the 300 restaurants already implicated" and that the "hackers made hundreds of thousands of fraudulent purchases on credit and debit cards issued by various financial institutions after breaching Wendy's computer systems late last year".

Again, this exploit by hackers was only possible because payment cards were processed through the POS system, allowing the malware either to intercept card data during processing or to steal and transmit unencrypted card data stored in the system database.

In April 2017, security researchers identified critical vulnerabilities in point of sale systems developed by SAP and Oracle [25] and commented, "POS systems are plagued by vulnerabilities, and incidents occurred because their security drawbacks came under the spotlight." [26][27] If successfully exploited, these vulnerabilities give a perpetrator access to every legitimate function of the system, such as changing prices and remotely starting and stopping terminals. To illustrate the attack vector, the researchers used the example of hacking a POS to change the price of a MacBook to $1. [28] The security issues were reported to the vendor, and a patch was released soon after the notification.

In some countries credit and debit cards are only processed via payment terminals, so one may see quite a number of such terminals for different cards cluttering up a sale counter. This inconvenience is, however, offset by the fact that credit and debit card data is far less vulnerable to hackers than when payment cards are processed through the POS system, where security is contingent upon the actions taken by end users and developers.

With the launch of mobile payment, particularly Android Pay and Apple Pay, both in 2015, it is expected that its greater convenience coupled with good security features will eventually eclipse other types of payment services, including the use of payment terminals. However, for mobile payment to go fully mainstream, NFC-enabled mobile devices such as smartphones must first become universal. This would be a matter of several years from the time of this writing (2017), as more and more new smartphone models are expected to become NFC-enabled for this purpose. For instance, the iPhone 6 is fully NFC-enabled for mobile payment, while the iPhone 5 and older models are not. The aforesaid disastrous security risks connected with processing payment cards through a POS system would then be greatly diminished.

Source: https://en.wikipedia.org/wiki/Point_of_sale