PCI Compliance: Why POS Systems Make Retailers Vulnerable

By Bob Vieraitis

According to Gartner, four out of five data breaches are happening at point-of-sale (POS) systems. Breaches there are more prevalent now because POS systems run newer applications that need frequent updates, and because today's POS systems run on commercial operating systems in which card data sits on disk or in memory--making them an attractive target for attackers. Keeping these systems compliant with the Payment Card Industry Data Security Standard (PCI DSS) can be difficult.

The shift toward standardization, such as Unified Point of Sale in the retail industry, has enabled POS systems to become increasingly interconnected. It also has allowed for the use of off-the-shelf software on commoditized hardware running systems such as Windows XP Embedded and Linux. This provides flexibility for software selection, faster time-to-market and mid-cycle adoption of new technologies, but this flexibility has come at a potentially steep price--compliance challenges.

UNDERSTANDING THE REQUIREMENTS
The PCI DSS requirements that pose the greatest challenge for POS equipment and software are requirements 5, 6, 10 and 11. Requirement 5 states that you must use and regularly update anti-virus software. This is challenging because anti-virus software can be high overhead for a low-footprint POS system: a resident scanner competes with the POS application for CPU, memory and disk, and its signature updates need a network path and a change window on every terminal. POS system providers cannot jeopardize the availability of those systems by having anti-virus software constantly running and draining system resources.

Requirement 6 states that you must develop and maintain secure systems and applications. The key here is the word "maintain": in practice it means keeping vendor security patches current on every device. It is difficult for POS equipment providers to ensure their systems sustain PCI compliance after they are shipped through the dealer network and put into production, where the provider no longer controls what is installed or patched.

Requirement 10 states that you "track and monitor all access to network resources and cardholder data." POS systems today are highly networked, and monitoring exactly what is happening on each of them--which processes run, which files change, who logs in--can be challenging.

Finally, requirement 11 requires that you "regularly test security systems and processes." Again, this can be challenging as POS systems are shipped through a dealer network and are put into production across many distributed retail locations.

A solution is change control software: in effect an application allowlist tied to an approved base image. Installed as a foundation of a POS system, it controls what software runs on the device, as well as what software is installed, uninstalled, upgraded or modified relative to the base software image once in production. Change control is low-footprint software that runs transparently on a POS system. The software acts as a "concrete wrapper" around the gold base image of a POS system, so that the image running in production stays the image that was shipped: any change attempted by malicious code or an unauthorized user is blocked and logged, which also supplies evidence for requirements 10 and 11. On that basis the argument is that anti-virus and other security software packages are no longer needed. Note, though, that PCI DSS does not let one control simply replace another; substituting allowlisting for requirement 5's anti-virus has to be documented and accepted as a compensating control that meets the intent of the original requirement.
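The mechanism described above, as an added example that is not Solidcore's product or code from this article: a gold-image manifest of SHA-256 hashes taken at build time, a default-deny execution gate that only runs binaries recorded in that manifest with their recorded hash, and a drift report of every file added, removed or modified since the snapshot. The POS directory tree, file names (`bin/pos.exe`, `bin/scraper.exe`, `conf/terminal.ini`) and file contents are all constructed in a temporary directory for the demonstration.

```python
"""Gold-image allowlist: a minimal model of POS change control.

This is an added example, not Solidcore's product or code from the article.
It snapshots a "gold" base image into a manifest of SHA-256 hashes and then
(1) refuses to run any executable that is absent from the manifest or whose
hash has drifted from it, and (2) reports every file added, removed or
modified since the snapshot, the kind of drift evidence requirements 10 and
11 call for. The POS tree, file names and contents are constructed inside a
temporary directory; nothing is read from a real system.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Snapshot every regular file under root as relative POSIX path -> sha256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def detect_drift(root: Path, manifest: dict) -> dict:
    """Compare the live tree against the gold manifest (a requirement-11 style check)."""
    current = build_manifest(root)
    return {
        "added": sorted(set(current) - set(manifest)),
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(
            k for k in manifest if k in current and current[k] != manifest[k]
        ),
    }


def execution_allowed(root: Path, manifest: dict, rel_path: str, audit: list) -> bool:
    """Default-deny execution gate.

    Only a binary recorded in the gold manifest, with exactly its gold hash,
    may run. Every decision is appended to `audit`, a stand-in for the
    requirement-10 access log. Returns True when execution is permitted.
    """
    target = root / rel_path
    recorded = manifest.get(rel_path)
    if recorded is None:
        verdict = "DENY: not in gold image"
    elif not target.is_file():
        verdict = "DENY: file missing"
    elif sha256_of(target) != recorded:
        verdict = "DENY: hash differs from gold image"
    else:
        verdict = "ALLOW"
    audit.append(f"exec {rel_path} -> {verdict}")
    return verdict == "ALLOW"


def demo() -> dict:
    """Build a constructed gold image, then simulate two unauthorized changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "conf").mkdir()
        (root / "bin" / "pos.exe").write_bytes(b"MZ constructed POS application v1")
        (root / "conf" / "terminal.ini").write_text("merchant_id=0001\n")
        manifest = build_manifest(root)  # taken at image build time, before shipping
        audit = []

        # Baseline: the shipped image is clean and its own binary may run.
        clean = detect_drift(root, manifest)
        pos_runs = execution_allowed(root, manifest, "bin/pos.exe", audit)

        # Simulated compromise: a dropped memory scraper and a patched POS binary.
        (root / "bin" / "scraper.exe").write_bytes(b"MZ not part of the gold image")
        (root / "bin" / "pos.exe").write_bytes(b"MZ constructed POS application v1 + patch")
        drift = detect_drift(root, manifest)
        scraper_runs = execution_allowed(root, manifest, "bin/scraper.exe", audit)
        tampered_pos_runs = execution_allowed(root, manifest, "bin/pos.exe", audit)

    return {
        "clean": clean,
        "pos_runs_on_clean_image": pos_runs,
        "drift": drift,
        "scraper_runs": scraper_runs,
        "tampered_pos_runs": tampered_pos_runs,
        "audit": audit,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things the model leaves out that a real deployment cannot: the manifest itself must live where the protected device cannot rewrite it (signed at build time, or held off-device), otherwise an attacker who drops a binary simply adds its hash; and a user-space hash check at launch is only the policy, not the enforcement point, which has to sit in the kernel's execution and file-write paths so the check cannot be bypassed by loading code some other way.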

Bob Vieraitis is vice president of marketing for Solidcore Systems Inc., an enterprise software company based in Cupertino, Calif. He can be reached at (408) 387-8400.

Copyright © 2008 Electronic Retailer. All rights reserved.