POS Systems: Not as Safe as You Think


Point of Sale (POS) manufacturers may make every attempt to secure the data on their systems, but once those systems are installed, they cannot be held responsible for how that data is shared. Many retail corporations around the world have aligned themselves with outside ‘partners’ for data sharing, and this can open security gaps that place customer information at risk.

In South Africa, as in the rest of the world, purchase information is as valuable as gold. Data mining is big business, and companies pay a lot of money to see what consumers are buying. Data is typically shared under a pre-arranged agreement that allows access to, and upload of, specific fields from a POS system through an encrypted API (Application Programming Interface) connection. Symantec, one of the main cybersecurity companies, has developed a series of programs that work to protect the sensitive customer data held within POS systems. The need for such lockdown software is exemplified by the January 2014 attack, in which Symantec reported the exposure of over 105 million identities.

Standard information shared via a POS includes the items purchased, cost, credit card number, card expiration date, and date and time of purchase. When combined with the demographics of the store, this gives marketing gurus the ability to monitor what sells and craft appealing programs for consumers. While there isn’t any customer information on a regular POS, a store loyalty program opens the door to detailed consumer data. This data can include name, address, phone number and email address. With this additional information, the shared data can be drilled down to specific and personal purchase information. Unless otherwise specified in an agreement, this data now resides on a different platform, outside the originating retailer’s control, and may not be as secure.
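One way a retailer can limit what reaches a partner platform is to reduce each POS record to the agreed fields before it is uploaded. The sketch below is an added example, not code from any POS vendor or from DaVinci Forensics; the field names, the allow-list and the `build_partner_record` and `pseudonym` helpers are assumptions, and the sample record is constructed.

```python
import hashlib
import hmac

# Assumed agreement: only these POS fields may leave the retailer as-is.
PARTNER_ALLOWED = {"items", "total", "purchased_at", "store_id"}
# Fields the article lists that are never exported in the clear.
CARD_FIELDS = {"card_number", "card_expiry"}
LOYALTY_FIELDS = {"member_id", "name", "address", "phone", "email"}


def pseudonym(secret: bytes, value: str) -> str:
    """Keyed one-way token: stable for analytics, not reversible by the partner."""
    return hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()[:24]


def build_partner_record(txn: dict, secret: bytes) -> dict:
    """Return only what the agreement permits; fail closed on unreviewed fields."""
    unknown = set(txn) - PARTNER_ALLOWED - CARD_FIELDS - {"loyalty"}
    loyalty = txn.get("loyalty") or {}
    unknown |= set(loyalty) - LOYALTY_FIELDS
    if unknown:
        raise ValueError(f"unreviewed fields in POS record: {sorted(unknown)}")
    out = {k: txn[k] for k in sorted(PARTNER_ALLOWED) if k in txn}
    if "card_number" in txn:
        # Lets the partner count repeat purchases without holding the card number.
        out["card_token"] = pseudonym(secret, txn["card_number"])
    if "member_id" in loyalty:
        out["member_token"] = pseudonym(secret, loyalty["member_id"])
    return out


# Constructed sample record (test card number, fictional customer).
SAMPLE_TXN = {
    "store_id": "ZA-0042",
    "purchased_at": "2014-01-15T14:32:00+02:00",
    "items": [{"sku": "100234", "qty": 2}],
    "total": "189.90",
    "card_number": "4111111111111111",
    "card_expiry": "12/16",
    "loyalty": {"member_id": "L-558201", "name": "A. Example",
                "address": "1 Sample Rd", "phone": "000-0000",
                "email": "a@example.invalid"},
}

if __name__ == "__main__":
    print(build_partner_record(SAMPLE_TXN, b"retailer-held-key"))
```

The HMAC key stays with the retailer, so the partner can correlate purchases by token but cannot recover the card number or the loyalty member's identity from the shared record.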

An encrypted API may be the standard, but it is not always used. While some companies transmit from each POS system on an individual basis, a majority have all of their data sent to a central server or even to cloud storage. Data transmission usually occurs at a pre-designated time in the middle of the night, and since this is well known to professional data thieves, they can design programs to intercept the data stream without interrupting it. Neither the originating environment nor the partner companies will be aware of the hacking, and the data is now available for sale.

Sharon Knowles, CEO of DaVinci Forensics, says:

‘Part of the detailed analysis of DaVinci Forensics includes the examination of all aspects of a client’s data storage and sharing process. Additional security levels can be put into place to not only offer a ‘red flag’ alert, but curtail any outside access to customer information. The prevention of this form of cybercrime helps to ensure the security of customer data.’

In today’s world of net communications and cloud storage, it is a high priority to establish a main line of defense against those who would attempt illegal access. This is an ongoing process, as cybercrime perpetrators keep elevating the sophistication of their attacks. The loss of information is the first-level impact, followed by loss of reputation and trust. All South African companies need to join in global data security awareness and focus on an elevated state of diligence to avoid financial loss.