Suntoyo Singapore


Building A Resilient Retail Business: How To Safeguard Your POS System


PART 1 – INTRODUCTION

As the owner of a retail store or F&B establishment in Singapore, your point-of-sale (POS) system is undoubtedly one of your most essential pieces of equipment and a significant driving force behind the long-term success of your enterprise. After all, it handles just about every aspect of your business, from processing payments to planning your employees’ work schedules.

However, that same versatility makes your POS system a prime target for attackers, because it also holds sensitive information such as customer addresses, payment card data, account numbers, and email addresses. That is why modern POS systems typically ship with security measures such as encryption, a firewall, and intrusion detection and prevention software to protect this data.

Despite these features, it is still up to you to ensure your whole system, from employee to network, is as secure as possible at the end of the day. All it takes is one slip-up for your business to be compromised. The fallout from such an attack can have devastating effects on your brand. So, let us explore the different threats to your POS system and what you can do to safeguard your customer data.


PART 2 – COMMON THREATS TO YOUR POS SYSTEM

2.1. Overview Of Potential Risks

It can be easy to dismiss security threats to your business, thinking they will never happen to you. However, complacency can often leave the door open to criminal activities. Insecure networks, outdated software, the use of unlicensed and unsecured third-party integrations, and the theft of devices or passwords, sometimes through scams, can leave you vulnerable to attacks.

In fact, there have been numerous recorded cases over the past decade where several F&B and retail POS systems were targeted to obtain personal details or payment information. Therefore, it is essential for you to comprehend the potential threats your business faces so that you can understand how to safeguard your assets better.

Common Types of Threats Your Retail Business Faces 

Risk #1: POS Malware

Malware attacks are one of the most common cybersecurity threats. Yet they remain challenging to detect. The infiltration can often go under the radar for months or years before the issue is noticed. By then, you could be looking at significant damages to your enterprise due to the security breach.

Here are some of the most common types of POS malware attacks:

1. Spyware

Spyware is software that covertly collects information from the device it runs on. Once it is installed on your POS system, usually without the user's knowledge, it searches for sensitive data such as card numbers and login credentials and uploads what it finds to a server controlled by the attacker. The POS malware behind the large retail breaches described later in this article is a specialised form of spyware: a memory scraper that reads card data out of the POS application's RAM during the brief moment it is unencrypted.

2. Trojans

A Trojan is malware disguised as a legitimate programme, typically delivered as an email attachment or a download link, to trick an unsuspecting user into installing it. Once running, it usually gives the attacker remote control of the device, steals data, and downloads additional malware onto the victim's machine.

3. Keyloggers And Skimmers

Keyloggers are malware designed to record every keystroke made on a computer or mobile device. This is a serious problem for a POS: your employees' passwords and yours, not to mention any customer data keyed into the system, can be captured and sent to the attacker.

Skimmers are hardware rather than software, but they are just as damaging. A skimmer is a fake overlay or a thin insert fitted to the card reader that copies the magnetic stripe data as the card is swiped; it is often paired with a pinhole camera or a keypad overlay to capture the PIN as well. The copied stripe data is then encoded onto counterfeit cards.

4. OAuth Hijacking

Open Authorization (OAuth) is the framework that lets a customer sign in to your website or app with an existing account from a third-party provider. Instead of sharing a password, the provider issues your application a scoped, temporary access token. That convenience is also an attack path: a token stolen from your application or from the third-party app, or a consent prompt the customer is tricked into approving, lets an attacker act as that customer. Strictly speaking this is an account-takeover technique rather than malware, but it puts the same customer data at risk, so treat your OAuth integrations with the same care as any other POS component.

5. Ransomware

When ransomware infiltrates your system, it can cut off your access to customer orders, computers, and emails. In recent years, an increasing number of ransomware programmes can even hold your business data hostage, with hackers threatening to release the information online unless you pay a ransom.

Risk #2: Hardware Tampering

Not all threats to your POS system are software-related. Criminals can interfere with your POS hardware, for example by fitting a skimmer to a card reader or swapping a terminal for a modified one, to steal valuable data. With the prevalence of self-service kiosks in retail and F&B outlets, which are rarely watched as closely as a staffed counter, hardware tampering is an increasing risk for many business owners.

Risk #3: Brute Force Attacks

Even with the latest security updates and measures in place, cybercriminals remain undeterred in trying to steal your business data. Often they rely on brute force attacks: guessing passwords, or replaying credentials leaked from other breaches, until one works against your POS back office. It is therefore crucial for you and your employees to use strong, unique passwords to minimise the likelihood of being hacked. We also recommend limiting the number of failed login attempts before an account is temporarily locked, and enabling multi-factor authentication on back-office accounts where your POS supports it.

Risk #4: Phishing

Phishing attacks involve scammers tricking a victim into revealing valuable data, such as account numbers, credit card details, or login credentials, or into installing malware. Such attempts are a common occurrence in our day-to-day lives. A typical example is an email purporting to come from a manager or director of the company, asking an employee to click on a link (which downloads malware) or to share sensitive information such as a login credential.

Risk #5: Employee Theft

Not all threats to your business are external. In fact, employee theft is more common than you might realise: widely cited surveys report that around 75% of employees admit to stealing from their workplace at least once, and that half of them do so repeatedly. The damage to your business can also extend well beyond the loss of petty cash. A malicious employee with access to your POS may issue fraudulent refunds or voids, or work with outside criminals to compromise the system without your knowledge.

2.2. Examples Of Data Breaches Involving POS Security Compromises

Never underestimate the scale and impact of a POS security breach. You do not just have to deal with the immediate effects of restoring your operations. The loss of customer information can cause consumers to lose faith in your brand and take their business elsewhere. Not to mention the potential legal issues your enterprise could face due to the failure to protect sensitive data.

In fact, many of the most high-profile data breaches of customer payment information involving POS security compromises have resulted in the company paying millions in damages due to class action lawsuits. Here are a few examples from recent years.

Case Study #1: Target

The U.S. retail giant fell victim to one of the largest and most publicised data breaches of all time in late 2013 after its POS systems were infected with memory-scraping malware (detected as Trojan.POSRAM, a variant of the BlackPOS family). The attack exposed roughly 40 million payment cards and the personally identifiable information (PII) of up to 70 million customers. Target settled the class action brought by affected financial institutions for about US$39 million while incurring another US$19.9 million in associated legal costs, on top of separate settlements with consumers and with the card networks.

Case Study #2: Home Depot

In September 2014, another major U.S. retailer disclosed that memory-scraping POS malware, installed on its self-checkout terminals, had exposed about 56 million payment cards across roughly 2,200 stores. Home Depot later paid about US$19.5 million to settle the resulting consumer class action.

Case Study #3: Wendy’s

Over 1,025 franchisee-owned Wendy's restaurants had their POS systems infected with malware, causing a data breach of an undisclosed number of records. Wendy's only discovered the attack in January 2016, more than a year after the malware entered its systems, when the payment industry noticed fraud patterns on cards that had been used at its restaurants.

After being sued by both customers and financial institutions, the company reached a US$3.4 million settlement with customers and agreed to pay US$50 million to settle the lawsuit brought by approximately 7,500 credit unions and banks whose payment cards were affected. The latter sum of money includes attorney fees and legal costs.

PART 3 – BEST PRACTICES FOR SECURING YOUR POS SYSTEM

3.1. How Does POS Security Work?


As you can see from the various case studies shared above, the security of your POS system is critical to safeguard your business data. Having robust POS security protocols can make it challenging for hackers to view or steal valuable information.

You can achieve this goal through the following measures:

  • Data encryption;
  • Being selective with your POS software, including usable apps, integrations, and programmes;
  • Complying with world-class security standards;
  • Restricting access and creating customisable permissions for users.

Generally, a reliable POS system from a reputable service provider will include these features and come equipped with robust security tools as part of its baseline plan. However, avoid relying on these measures alone. As a business owner, you must take various steps to maximise your data security, which brings us to our next point.

3.2. How To Secure Your POS System

Top Security Measures To Safeguard Your POS System

Never assume that corporations are the only target for malicious hackers. On the contrary, small and medium-sized retailers are often prime marks for these criminals because they do not have the security resources available to larger companies. 

Furthermore, the financial losses arising from a security breach can often be more devastating for these businesses, with many struggling to recover after an attack. Therefore, it is vital for you to prioritise POS security. Let us share the proactive measures you can take to prevent hacking attempts.

Tip #1: Enable End-To-End Encryption

Most POS systems encrypt the data stored in their database, typically with 256-bit AES. That protects data at rest, but it does nothing for card data while it is being processed, which is exactly where memory-scraping malware strikes. You should therefore also use a payment terminal and gateway that employ point-to-point (end-to-end) encryption, so that your customers' card data is never exposed on the POS itself.

Under this model, the card data is encrypted inside the tamper-resistant card reader the instant the card is read, using a key that only the reader and the payment processor hold. The POS software only ever handles an opaque encrypted blob that it forwards to the gateway, and the data is decrypted only at the processor's end. Because plaintext card numbers never exist on the POS unit, malware running on it has nothing useful to steal. One practical check: ask your provider whether the solution is a PCI-listed P2PE solution, and confirm that the reader, not the POS application, performs the encryption.
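The following is an added example, not code from the original article or from Suntoyo, that shows why the distinction above matters. It emulates what memory-scraping POS malware actually does (hunt through process memory for digit runs that pass the Luhn check) and runs it against two constructed snapshots of POS memory: one from a legacy swipe, where the POS holds the raw track data, and one from a point-to-point encrypted reader, where the POS only holds ciphertext. The cipher, key, nonce, memory contents and test card number are all assumptions made for the demo; a real reader uses AES under per-device derived keys, not the HMAC-based stand-in used here so that the example runs with the standard library alone.

```python
import base64
import hashlib
import hmac
import re

# Constructed demo values. In a real deployment the key is loaded into the
# reader at a key-injection facility and is known only to the reader and the
# payment processor; the POS application never sees it.
DEMO_KEY = b"demo-reader-key-do-not-use-in-production"
DEMO_NONCE = b"\x00" * 12  # fixed so the output is reproducible; real readers use a fresh value per read
TRACK2 = b";4111111111111111=2912101123?"  # industry test PAN, expiry 29/12, service code 101


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, the same filter RAM scrapers use to tell PANs from other numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scrape_pans(memory: bytes) -> list[str]:
    """Emulate memory-scraping POS malware: find 13-19 digit runs that pass Luhn."""
    found = []
    for m in re.finditer(rb"(?<!\d)\d{13,19}(?!\d)", memory):
        candidate = m.group().decode()
        if luhn_ok(candidate):
            found.append(candidate)
    return found


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in cipher: HMAC-SHA256 in counter mode, chosen only so the example
    # needs no third-party library. Real P2PE readers use AES with DUKPT keys.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def reader_encrypt(track2: bytes, key: bytes, nonce: bytes) -> bytes:
    """Runs inside the tamper-resistant reader: encrypt-then-MAC before the POS sees anything."""
    ct = bytes(a ^ b for a, b in zip(track2, _keystream(key, nonce, len(track2))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def processor_decrypt(blob: bytes, key: bytes) -> bytes:
    """Runs at the payment processor, the only other party holding the key."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("blob was tampered with or the wrong key was used")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def legacy_checkout() -> bytes:
    """Swipe on a plain reader: the POS application holds raw track data in RAM."""
    # Constructed snapshot of POS process memory. The 13-digit order id is a
    # decoy that fails Luhn, which is why scrapers filter on the check digit.
    return b"ORDER#1234567890123 TOTAL=SGD23.50 TRACK2=" + TRACK2 + b"\x00\x00"


def p2pe_checkout() -> tuple[bytes, bytes]:
    """Read on a P2PE reader: the POS only ever handles an opaque base64 blob."""
    blob = reader_encrypt(TRACK2, DEMO_KEY, DEMO_NONCE)
    memory = b"ORDER#1234567890123 TOTAL=SGD23.50 CARD=" + base64.b64encode(blob) + b"\x00\x00"
    return memory, blob


if __name__ == "__main__":
    print("legacy POS memory leaks:", scrape_pans(legacy_checkout()))
    mem, blob = p2pe_checkout()
    print("P2PE POS memory leaks:", scrape_pans(mem))
    print("processor recovers:", processor_decrypt(blob, DEMO_KEY))
```

Run it and the scraper recovers the full card number from the legacy snapshot but nothing from the P2PE snapshot, while the processor still decrypts the blob correctly. The same scan, pointed at a real terminal's process memory, is also a reasonable spot check that your provider's encryption really happens in the reader rather than in the POS application.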

Tip #2: Stop Allowing Card Swipes

Remember when customers used to make purchases by swiping their credit cards? There is a reason why this form of payment is being phased out in favour of Europay, Mastercard, and Visa (EMV) payment cards. These traditional magnetic stripe-based cards can easily fall prey to card skimmers. All it takes is a swipe of the card for a consumer’s information to be stolen.

So, if your business is still relying on a magnetic stripe reader, it is time to upgrade to an EMV-capable terminal. EMV cards are not invulnerable, but each chip transaction carries a dynamic, one-time cryptogram, so data captured from one transaction cannot be replayed to produce a usable counterfeit chip card, which defeats the skimmer's business model. Be aware, however, that EMV on its own does not encrypt the card number on its way through the terminal; to stop memory-scraping malware you still need the point-to-point encryption described in Tip #1.

Tip #3: Check Your POS Hardware For Signs Of Tampering

Always remain vigilant for signs of tampering that could compromise your POS security. Simple habits go a long way: look for missing screws, broken tamper-evident seals, unusual cables or attachments on the card reader, and keep a register of your terminals with their serial numbers and photos so that you can confirm a device has not been swapped for a modified one. Check the register on a fixed schedule (PCI DSS expects merchants to inspect payment devices periodically) and make a habit of comparing the serial number on the device label with the one reported on its screen. This is especially crucial for businesses using self-service kiosks, which employees cannot monitor constantly.

Tip #4: Update Your POS System Regularly

Hackers are constantly finding new ways to circumvent existing security measures. POS service providers therefore publish updates and security patches to remedy vulnerabilities before they can be exploited. If your POS system prompts you to install a security update, do so promptly, ideally outside trading hours and with a recent backup to hand. The process is usually quick and seamless, so there is no excuse for falling behind. The same applies to the operating system underneath the POS software: a terminal running an unsupported operating system will never receive fixes for newly discovered flaws.

Tip #5: Install Antivirus On Your POS Devices

Installing antivirus and anti-malware protection is a sensible way to catch harmful programmes before they take hold. These tools periodically scan the software on your POS devices and flag problematic files or applications that need your attention. Because a POS terminal runs a fixed, small set of programmes, application allow-listing (permitting only the approved POS software to execute) is often an even stronger control than signature-based scanning, as it blocks malware the scanner has never seen. If you are unsure which software is suitable, ask your service provider for recommendations.

Tip #6: Restrict Access To Your POS System

While you never want to distrust your employees, it is still prudent to restrict access to your POS system where possible. Your managers will require back-end access, but grant them only the permissions their role needs, and apply the same rule to other employees and contractors, who should have the lowest level of access that still lets them do their jobs. Give every user an individual account rather than a shared cashier login, so that each refund, void or discount can be traced to a named person. Finally, account for and lock down your POS hardware at the end of each workday to prevent it from being stolen or tampered with overnight.

Tip #7: Avoid Connecting Your POS Devices To External Networks

It is now routine for attackers to compromise a system remotely, and devices reachable from external networks are far more exposed. Malware that lands on any other machine on the same network, such as a back-office PC or a laptop brought in by staff, can sit quietly and then move laterally to your POS terminals.

So, if you offer customers free Wi-Fi in your brick-and-mortar store, put it on its own segment (for example a separate VLAN) with no route to the POS network. Keep POS terminals and the POS server on a dedicated segment as well, separate from office computers, and allow them only the connections they genuinely need, typically just the payment gateway and the vendor's update service. Everything else, in both directions, should be denied by default.
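The following added example (not code from the original article or from Suntoyo) expresses the segmentation described above as an ordered rule set and then audits a batch of constructed flow records against it, reporting every observed connection the policy says should never have happened. The address plan, the rule set and the log format are assumptions for the demo; the real enforcement lives on your firewall or switch, and this kind of checker is how you verify that the rules you wrote match the traffic you actually see.

```python
import ipaddress
import re

# Assumed address plan for one outlet (not from the original article).
POS_VLAN = ipaddress.ip_network("10.10.20.0/24")          # terminals and the POS server
CORP_VLAN = ipaddress.ip_network("10.10.10.0/24")         # back-office PCs
GUEST_WIFI = ipaddress.ip_network("192.168.50.0/24")      # customer Wi-Fi
PAYMENT_GATEWAY = ipaddress.ip_network("203.0.113.0/24")  # documentation range standing in for the processor
ANY = ipaddress.ip_network("0.0.0.0/0")

# Ordered rules, first match wins: (source, destination, allowed ports or None for all, action).
RULES = [
    (POS_VLAN, PAYMENT_GATEWAY, {443}, "allow"),  # card traffic to the processor, nothing else
    (CORP_VLAN, POS_VLAN, {22, 443}, "allow"),    # admin access from the office only
    (ANY, POS_VLAN, None, "deny"),                # nobody else reaches the POS segment
    (POS_VLAN, ANY, None, "deny"),                # POS has no general internet or LAN access
    (GUEST_WIFI, CORP_VLAN, None, "deny"),        # guests stay off the office network
]
DEFAULT_ACTION = "allow"  # anything not covered above, e.g. guests and staff browsing the internet


def policy(src: str, dst: str, dport: int) -> str:
    """Evaluate one flow against the rule set; returns 'allow' or 'deny'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, ports, action in RULES:
        if s in src_net and d in dst_net and (ports is None or dport in ports):
            return action
    return DEFAULT_ACTION


# Assumed flow-log format, one record per line.
FLOW_LINE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def audit_flows(log: str) -> list[tuple[str, str, int]]:
    """Return the observed flows that the policy says should have been blocked."""
    violations = []
    for line in log.splitlines():
        m = FLOW_LINE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        if policy(src, dst, dport) == "deny":
            violations.append((src, dst, dport))
    return violations


# Constructed sample flows: one legitimate card transaction, one admin SSH session,
# one guest browsing the web, and three flows that segmentation should have stopped.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01 src=10.10.20.5 dst=203.0.113.10 dport=443 proto=tcp
2024-05-01T10:00:07 src=192.168.50.23 dst=10.10.20.5 dport=445 proto=tcp
2024-05-01T10:00:09 src=10.10.10.4 dst=10.10.20.5 dport=22 proto=tcp
2024-05-01T10:01:15 src=10.10.20.5 dst=198.51.100.7 dport=80 proto=tcp
2024-05-01T10:01:20 src=192.168.50.23 dst=198.51.100.20 dport=443 proto=tcp
2024-05-01T10:02:02 src=192.168.50.31 dst=10.10.10.4 dport=3389 proto=tcp
"""

if __name__ == "__main__":
    for src, dst, dport in audit_flows(SAMPLE_FLOWS):
        print(f"VIOLATION {src} -> {dst}:{dport}")
```

The three flagged flows are exactly the ones the article warns about: a guest Wi-Fi client probing a POS terminal over SMB, a POS terminal talking to an unknown internet host (the pattern of malware calling home or exfiltrating card data), and a guest reaching an office PC's remote desktop port. A clean audit over a day of real flow logs is good evidence that the segmentation is actually enforced, not just drawn on a diagram.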

Tip #8: Encourage Employees To Use Strong Passwords

When there is no easier way into a system, many attackers fall back on brute force: guessing passwords against your POS login until one works. It is therefore essential for you and your employees to use robust passwords to minimise the likelihood of being hacked.

Cybersecurity experts generally recommend passwords of at least 12 characters combining upper- and lower-case letters, numbers, and special characters such as @ or &. Avoid anything based on personal information, like a pet's name or a birth date, and never reuse a password from another service, since leaked credentials from other sites are the first thing attackers try. Many businesses still rotate passwords on a fixed schedule, for example every three months; note, however, that current guidance such as NIST SP 800-63B no longer recommends routine rotation for its own sake and instead favours long, unique passwords, screening against known-breached passwords, and multi-factor authentication. Whatever schedule you adopt, change a password immediately whenever you suspect it has been exposed.
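The following added example (not code from the original article or from Suntoyo) puts together the defences from Risk #3 and Tip #8 as they would appear in a POS back-office login: passwords are stored as salted PBKDF2 hashes, compared in constant time, checked against the 12-character mixed-class policy at registration, and each account is locked for a fixed window after a run of failed attempts. The thresholds, the PBKDF2 work factor, the account names and the scripted attack sequence are assumptions for the demo; the clock is injected as a parameter so the lockout logic can be tested without waiting.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5            # failed attempts allowed before the account locks (assumed)
LOCKOUT_SECONDS = 15 * 60   # how long a locked account stays locked (assumed)
PBKDF2_ROUNDS = 100_000     # assumed work factor; tune so one check takes ~100 ms on your server
MIN_LENGTH = 12


def password_meets_policy(password: str) -> bool:
    """The rule set from the text: 12+ characters using all four character classes."""
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() for c in password)
    return len(password) >= MIN_LENGTH and all((has_upper, has_lower, has_digit, has_symbol))


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Salted PBKDF2-HMAC-SHA256. Store this value, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(stored: bytes, password: str) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class LoginGuard:
    """Per-account failure counter with a lockout window; state is in memory for the demo."""

    def __init__(self) -> None:
        self._users: dict[str, bytes] = {}
        self._failures: dict[str, int] = {}
        self._locked_until: dict[str, float] = {}
        # A dummy hash is verified for unknown usernames so that the response time
        # does not reveal which usernames exist.
        self._dummy = hash_password("not-a-real-account")

    def register(self, username: str, password: str) -> None:
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        self._users[username] = hash_password(password)

    def attempt(self, username: str, password: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked'. `now` is seconds on any monotonic clock."""
        if now < self._locked_until.get(username, 0.0):
            return "locked"  # rejected even if the password is right
        stored = self._users.get(username, self._dummy)
        # verify_password runs first so the hashing cost is paid for unknown users too
        if verify_password(stored, password) and username in self._users:
            self._failures.pop(username, None)
            self._locked_until.pop(username, None)
            return "ok"
        failures = self._failures.get(username, 0) + 1
        self._failures[username] = failures
        if failures >= MAX_FAILURES:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            self._failures.pop(username, None)  # counter restarts once the lock expires
        return "denied"


def brute_force_demo() -> list[str]:
    """Scripted attack: five wrong guesses, then the real password during and after the lockout."""
    guard = LoginGuard()
    guard.register("cashier01", "Str0ng!Till-Pass")
    results = [guard.attempt("cashier01", f"guess{i}", now=float(i)) for i in range(MAX_FAILURES)]
    results.append(guard.attempt("cashier01", "Str0ng!Till-Pass", now=10.0))
    results.append(guard.attempt("cashier01", "Str0ng!Till-Pass", now=10.0 + LOCKOUT_SECONDS))
    return results


if __name__ == "__main__":
    print(brute_force_demo())
```

The scripted run shows the attacker being denied five times, the legitimate user being refused while the lock is active (the cost of a lockout policy, which is why the window should be short rather than permanent), and a successful login once it expires. In production, keep the counters in the database rather than in memory so they survive restarts, log every lockout so repeated ones can be investigated, and consider slowing responses after a few failures as a gentler alternative to hard lockout for kiosk logins.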

3.3. What To Do In Case Of A Data Breach

Even the best cybersecurity efforts may not always be sufficient to prevent a data breach. While we hope such an incident never occurs to your business, you must still know how to react quickly and efficiently when your POS system is hacked. Please note the steps below in the event of a security leak.

Step 1: Determine The Extent Of The Breach

Prioritise identifying which POS systems or networks were compromised and what information was taken. Isolate the affected terminals from the network rather than wiping or reimaging them, so that forensic evidence is preserved, and notify your acquiring bank promptly, as it will coordinate with the card schemes. Only by knowing the extent of the breach can you start to mitigate the damage.

Step 2: Notify Everyone Affected By The Breach

Once you understand the extent of the breach, notify everyone who may be affected, explaining how and when they were impacted, for example customers whose credit card information was compromised after visiting a particular store, or employees whose personal data leaked in the hack. Under Singapore's Personal Data Protection Act (PDPA), notifying affected individuals is mandatory where the breach is likely to result in significant harm to them.

Additionally, include suggestions on how the victims can safeguard themselves. Examples include changing their passwords and checking for fraudulent purchases made with their credit cards. Meanwhile, consider offering identity theft protection to your customers and employees if their personal data were compromised in the attack.

Step 3: Hire A Cybersecurity Firm

Hire a cybersecurity firm to investigate and identify the source of the breach. Generally, the consultant will compile their findings in a report and recommend additional security measures you can implement to prevent another attack. 

Step 4: Keep Track Of All Communication

Ensure you keep track of all communication related to the security breach to use as evidence if legal action is taken.

Step 5: Contact The Relevant Authorities

In Singapore, the PDPA requires you to notify the Personal Data Protection Commission (PDPC) of a notifiable data breach (one likely to cause significant harm to affected individuals, or affecting 500 or more individuals) as soon as practicable, and no later than three calendar days after you determine that it is notifiable. Beyond the PDPC, you should also report the attack to the police so that an investigation can be launched into who is responsible.

Step 6: Notify Your Insurance Company

Notify your insurance company of the attack and enquire whether your policy covers data breaches. We recommend getting cyber insurance if your business does not already have one, as it can help cover any losses incurred as a result of a cyberattack.

PART 4 – FAQs ABOUT POS SECURITY

4.1. Your Most Pressing POS Security Questions Answered

Question 1: My POS system is physically secured. Is that sufficient to safeguard against data breaches?

POS security extends beyond your physical terminals. If you use a cloud POS service or run an online store on your website, you must secure those against attackers as well. All it takes is malware on one device or server for an attacker to reach the sensitive information in your POS system.

Question 2: Is it safe to use a POS application on mobile devices?

Mobile devices share the same vulnerabilities as larger POS systems, and their small size makes them easier to steal or lose track of. You can still use them for convenience, but apply the same security measures as you would to any POS terminal, and additionally enable device encryption, a screen lock, and the ability to wipe the device remotely if it goes missing.

Question 3: Are open-source POS systems safer?

In terms of cybersecurity, open-source POS systems are neither inherently riskier nor safer than other POS types, as they face the same threats: malware, phishing attacks, and so on. The practical difference is who is responsible for keeping the software patched. With a self-hosted open-source POS, that responsibility is yours, so only choose this route if you can commit to applying updates promptly.

Question 4: Are contactless payment methods safe from malware attacks?

Contactless payment is generally safer, because a tap uses the same one-time cryptogram as a chip transaction and avoids the magnetic stripe that skimmers target. It is not immune, however: a stolen phone whose wallet is not locked, or a compromised terminal, can still be used to make fraudulent purchases, even in physical storefronts.

PART 5 – CONCLUSION

As retail and F&B brands become more reliant on their POS systems to handle the bulk of their operations, the need for comprehensive security protocols, especially where POS security is concerned, becomes paramount to safeguard confidential information and prevent a data breach. To further enhance business security, only invest in a reliable, secure POS system from a reputable service provider.

At Suntoyo Technology, our leading POS system is the trusted choice of over 1000 retail businesses nationwide, with solutions that cater to every aspect of your technological and operational needs. Local SMEs may also tap on the PSG grant to receive up to 50% subsidy to kickstart their adoption of our retail and F&B POS systems. Contact us today if you are interested in learning more about our products.
