Choosing the right point-of-sale (POS) system is key to a business's success. While factors like type of POS system, features, cost and limitations are all important considerations, it's easy to overlook one of the most critical aspects of using POS systems: security.
Understanding POS security isn't for the faint of heart. Not only are regulations complex, but keeping up with changes is a whole other beast. As a small business owner, however, dealing with POS security is a necessary evil if you want the convenience and benefits of accepting credit cards.
To help you make sense of POS security and better protect your business and customers, we asked experts to share their tips on what to look for in a secure POS system. [For a closer look at POS systems, check out our Credit Card Processing Buyer's Guide and our roundup of the Best POS Systems.]
1. Is the POS system PCI compliant?
The first thing to look for is whether your new POS system meets the card brands' requirements for accepting credit cards. For instance, the card brands' EMV liability shift means merchants need EMV chip-enabled POS systems by Oct. 15; after that date, a merchant without chip-capable equipment bears the cost of counterfeit-card fraud that a chip terminal would have prevented. [Learn more about EMV.]
There is also a big change happening soon. Starting June 30, businesses are required to comply with version 3.1 of the Payment Card Industry Data Security Standard (PCI DSS). The headline change in 3.1 is that SSL and early TLS no longer count as strong cryptography, so a POS or payment application that still uses them to talk to your processor is a compliance gap. These new PCI 3.1 requirements are mandatory, and any business that fails to comply could face steep penalties. Your vendor may have updated its products, but compliance is assessed against your environment, so it's your responsibility to make sure your business is truly compliant. [Learn more about PCI 3.1.]
"Any business that accepts credit card payments for goods or services must be PCI compliant," said Tony Ciccerone, a Detroit-based territory manager for Heartland Payment Systems. This means that in addition to following the Payment Card Industry Data Security Standard (PCI DSS) rules that apply to you as a merchant, the components of your POS must meet the PCI standards that apply to them: PCI PTS for PIN-entry devices and card readers, and PA-DSS for the payment application software itself.
This is important because if your customers' information is leaked, you could be on the hook for financial damages, even if your company uses PayPal or some other third-party service provider to process your credit card transactions, said Vikas Bhatia, founder and CEO of cybersecurity firm Kalki Consulting. "Make sure to ask your service provider for proof that they passed their PCI DSS evaluations," he said.
2. Update and maintain purchased technology
Technology is changing rapidly, and credit card payment processing systems are, too. When you choose your new POS system, ask the service provider how and how often the software and firmware are patched, and who is responsible for applying the updates. An outdated system may put your business and your customers' credit card information at risk of a security breach.
"If you do buy technology (security or IT), make sure it's maintained appropriately by having antivirus and anti-malware software installed and updated regularly,” said Bhatia.
That includes your firewall. “Consumer-class routers that are commonly used in SMBs generally include a firewall; however, it needs to be configured correctly in order to protect your network,” Bhatia said. It's critical that you change the default login and password on every network device you purchase, including your new POS system, he added.
"The most advanced firewall is worthless if it has the default login and password in place," Bhatia said.
In addition to ensuring your POS software is up-to-date, it's important to check the changing PCI compliance rules regularly, to make sure your POS systems meet them, Ciccerone said.
"Visa and MasterCard, for example, change PCI rules and regulations about once a year," he said.
3. Isolate your POS systems
When choosing a POS system, it's also important to consider whether you can keep it on its own network segment, completely separate from the rest of your business technology (back-office PCs, guest Wi-Fi and the like), with only the connections it needs to process payments.
"POS systems are often the weak link in the chain and vulnerable," said Mark Bower, vice president of product management and solutions architecture for retail security tech provider Voltage Security.
Bower said POS systems often run a standard operating system and, therefore, are easy targets for attacks if they're exposed to a malware delivery channel such as a browser, a compromised POS management system, patch system or — worse — from an insider.
"In use, POS systems should be isolated from other networks to restrict access to payment data flows, but often are connected to many systems," Bower said.
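One way to check that the isolation Bower describes actually holds is to write down, as an allowlist, every connection a terminal has a business reason to make, and then audit connection logs against it. The script below is an added example, not code from the article or from any vendor named in it. The segment layout, the addresses, the single management host and the log line format are all assumptions, and the sample records are constructed; a real deployment would feed it the firewall's or router's own connection log.

```python
import ipaddress
import re
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Hypothetical shop layout (assumed addresses; nothing here comes from the article).
POS_SEGMENT = ipaddress.ip_network("10.10.20.0/24")       # terminals plus their local NTP/DNS box
MGMT_HOSTS = {ipaddress.ip_address("10.10.30.2")}         # the one patch/management host
MGMT_INGRESS = {22}                                       # ports it may open toward a terminal

# Every destination a terminal is allowed to initiate to: (network, port, protocol).
# Anything not on this list is, by policy, a violation worth investigating.
POS_EGRESS = [
    (ipaddress.ip_network("203.0.113.10/32"), 443, "tcp"),  # payment gateway (placeholder address)
    (ipaddress.ip_network("10.10.20.5/32"), 123, "udp"),    # local NTP
    (ipaddress.ip_network("10.10.20.5/32"), 53, "udp"),     # local DNS
]

# Constructed log format: "<timestamp> <src> -> <dst>:<port> <proto>"
LINE_RE = re.compile(r"^\S+\s+(\S+)\s+->\s+(\S+):(\d+)\s+(tcp|udp)$")


def parse_flow(line):
    """Parse one connection record; raise on anything that does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    src, dst, port, proto = m.groups()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), proto)


def check_flow(flow):
    """Return None if the flow fits the segmentation policy, otherwise a reason string."""
    if flow.src in POS_SEGMENT:
        for net, port, proto in POS_EGRESS:
            if flow.dst in net and flow.dport == port and flow.proto == proto:
                return None
        return f"terminal {flow.src} initiated {flow.proto}/{flow.dport} to unapproved {flow.dst}"
    if flow.dst in POS_SEGMENT:
        if flow.src in MGMT_HOSTS and flow.dport in MGMT_INGRESS:
            return None
        return f"{flow.src} reached into the POS segment ({flow.dst}:{flow.dport}/{flow.proto})"
    return None  # traffic that never touches the POS segment is out of scope here


def audit(lines):
    """Return (record, reason) pairs for every flow that breaks the policy."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        reason = check_flow(parse_flow(line))
        if reason is not None:
            findings.append((line.strip(), reason))
    return findings


# Constructed sample records: two legitimate terminal flows, one approved
# management session, and three that show the "connected to many systems" problem
# (SMB to an office file server, web browsing from a terminal, RDP into a terminal).
SAMPLE_FLOWS = """\
2015-06-22T10:01:02 10.10.20.12 -> 203.0.113.10:443 tcp
2015-06-22T10:01:05 10.10.20.12 -> 10.10.20.5:123 udp
2015-06-22T10:02:17 10.10.20.12 -> 10.10.10.50:445 tcp
2015-06-22T10:03:40 10.10.20.14 -> 198.51.100.7:80 tcp
2015-06-22T10:05:09 10.10.10.23 -> 10.10.20.12:3389 tcp
2015-06-22T10:06:30 10.10.30.2 -> 10.10.20.12:22 tcp
""".splitlines()

if __name__ == "__main__":
    for record, reason in audit(SAMPLE_FLOWS):
        print(f"{record}\n    {reason}")
```

The point of the allowlist shape is that it is the same list you would hand to whoever configures the firewall: if a flow is legitimate but not on the list, the list is wrong and should be fixed, not the check. Note that the local NTP/DNS host sits inside the segment here, so its own upstream traffic would need its own rule.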
4. Encryption services and fees
With security being such an important issue in electronic payment acceptance, it's important to understand the encryption options available for a POS system.
Encryption is the process of changing information into a form that's unreadable except to holders of a specific cryptographic key, according to the PCI website glossary. Using encryption protects your customers' payment information from unauthorized access until it's decrypted with the key.
Ask the POS salesperson if the system in question requires separate encryption services. Keep in mind that encryption could require an extra monthly fee. Also ask if they offer a system with end-to-end encryption: because the POS then never handles readable card data, a validated point-to-point encryption solution can take much of the POS environment out of your PCI DSS scope, saving you assessment time and money.
"Point-to-point encryption (P2PE) from the instant the card data is read, also called end-to-end encryption, addresses this risk by encrypting all the payment card data before it even gets to the POS," Bower said. "If the POS is breached, the data will be useless to the attacker."
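To make Bower's point concrete, the model below walks a test card through both flows and then runs the kind of scan a memory-scraping malware family performs against what sits in the POS's memory. This is an added example, not code from the article or from Voltage Security, and the cipher is a stand-in: real P2PE readers use DUKPT-derived 3DES or AES keys, which the Python standard library does not ship, so the reader here derives a per-transaction key with HMAC-SHA256 and uses an HMAC keystream with an encrypt-then-MAC tag. What the model preserves is the property that matters: the base key lives only in the reader and at the processor, never in the POS. The test PAN, the track layout and the field names are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import os
import re

# Constructed test card data; 4111 1111 1111 1111 is a well-known test PAN.
TRACK2 = b"4111111111111111=29121011234567890000"


def luhn_ok(digits: str) -> bool:
    """Luhn check, the same filter a RAM scraper uses to cut false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def scrape_for_pans(memory: bytes) -> list:
    """Emulates a memory scraper: report every Luhn-valid 13-19 digit run."""
    return [m.decode() for m in PAN_RE.findall(memory) if luhn_ok(m.decode())]


def _txn_key(base_key: bytes, counter: int) -> bytes:
    # Hypothetical per-transaction key derivation, standing in for DUKPT.
    return hmac.new(base_key, b"txn" + counter.to_bytes(4, "big"), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-based keystream (toy stream cipher, not a production construction).
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def reader_encrypt(base_key: bytes, counter: int, track: bytes, nonce: bytes = None) -> dict:
    """Runs inside the tamper-resistant reader. The returned envelope is all the POS sees."""
    nonce = os.urandom(12) if nonce is None else nonce
    key = _txn_key(base_key, counter)
    ct = bytes(a ^ b for a, b in zip(track, _keystream(key, nonce, len(track))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    pan = track.split(b"=")[0]
    return {
        "ksn": counter,                        # key serial: lets the processor rederive the key
        "nonce": base64.b64encode(nonce).decode(),
        "ct": base64.b64encode(ct).decode(),
        "tag": base64.b64encode(tag).decode(),
        "last4": pan[-4:].decode(),            # the only clear-text card data, for the receipt
    }


def processor_decrypt(base_key: bytes, env: dict) -> bytes:
    """Runs at the processor's decryption environment, never at the merchant."""
    key = _txn_key(base_key, env["ksn"])
    nonce = base64.b64decode(env["nonce"])
    ct = base64.b64decode(env["ct"])
    tag = base64.b64decode(env["tag"])
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("envelope tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def pos_memory_legacy(track: bytes) -> bytes:
    """Non-P2PE flow: the POS application handles the track data in the clear."""
    return json.dumps({"track": track.decode(), "amount": "12.50"}).encode()


def pos_memory_p2pe(env: dict) -> bytes:
    """P2PE flow: the POS only ever holds the reader's opaque envelope."""
    return json.dumps({"envelope": env, "amount": "12.50"}).encode()


if __name__ == "__main__":
    base_key = os.urandom(32)                              # shared by reader and processor only
    print("legacy POS memory:", scrape_for_pans(pos_memory_legacy(TRACK2)))
    env = reader_encrypt(base_key, 1, TRACK2)
    print("P2PE POS memory:  ", scrape_for_pans(pos_memory_p2pe(env)))
    print("processor recovers track:", processor_decrypt(base_key, env) == TRACK2)
```

Running it shows the scraper pulling the full PAN out of the legacy POS and finding nothing in the P2PE one, while the processor still recovers the track. The practical check this suggests when evaluating a vendor: ask where the decryption keys live, and confirm the POS application itself cannot decrypt what the reader hands it.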
For lists of validated components, see PCI's Approved PIN Transaction Security Devices page for card readers and PIN-entry devices; note that it covers devices, not whole POS systems. Validated payment applications are listed separately under PA-DSS, and validated point-to-point encryption solutions under the P2PE program.
For more information on what to look for when choosing your first POS system, read the PCI DSS Quick Reference Guide.
Updated June 22. Additional reporting by Sara Angeles.