PCI Compliance: Why POS Systems Make Retailers Vulnerable

By Bob Vieraitis

According to Gartner, four out of five data breaches are happening at point-of-sale (POS) systems. It is more prevalent now because POS systems are running newer applications that need to be updated frequently. Furthermore, today’s POS systems run on commercial operating systems, where credit data is either stored on disk or in memory-making them an attractive target for hackers. It can be difficult to ensure these systems are compliant with the Payment Card Industry Data Security Standard (PCI DSS).

The shift toward standardization, such as Unified Point of Sale in the retail industry, has enabled POS systems to become increasingly interconnected. It also has allowed for the use of off-the-shelf software on commoditized hardware running systems such as Windows XP Embedded and Linux. This provides flexibility for software selection, faster time-to-market and mid-cycle adoption of new technologies, but this flexibility has come at a potentially steep price-compliance challenges.

UNDERSTANDING THE REQUIREMENTS
The PCI DSS requirements that pose the greatest challenge for POS equipment and software are requirements 5, 6, 10 and 11. Requirement 5 states that you must use and regularly update anti-virus software. This is challenging because anti-virus software can be high overhead for a low-footprint POS system. POS system providers cannot jeopardize the availability of those systems by having anti-virus software constantly running, creating a drain on system resources.

Requirement 6 states that you must develop and maintain secure systems and applications. The key here is the word “maintain.” It is difficult for POS equipment providers to ensure their systems sustain PCI compliance after they are shipped through the dealer network and put into production.

Requirement 10 states that you “track and monitor all access to network resources and cardholder data.” POS systems today are highly networked, and monitoring exactly what is happening on those systems can be challenging.

Finally, requirement 11 requires that you “regularly test security systems and processes.” Again, this can be challenging as POS systems are shipped through a dealer network and are put into production across many distributed retail locations.

A solution is change control software. Installed as a foundation of a POS system, it controls what software runs on the device, as well as what software is installed, uninstalled, upgraded or modified to the base software image once in production. Change control is low-footprint software that runs transparently on a POS system. The software acts as a “concrete wrapper” around the gold base image of a POS system to ensure the POS system in production is secure and cannot be compromised. And because any changes attempted by malicious code or unauthorized users are prevented, the need for anti-virus and other security software packages is eliminated.

Bob Vieraitis is vice president of marketing for Solidcore Systems Inc., an enterprise software company based in Cupertino, Calif. He can be reached at (408) 387-8400.