by Kerry McDowall
The following white paper was published by Kerry McDowall, Mitre 10. We believe that the information within would be beneficial to our own customers, so we are republishing it with her permission. Please get in touch with Readysell if you have any questions or concerns.
Are you using integrated EFTPOS at the registers? If so, you need to read on.
In recent times the media has been paying a lot of attention to cases of "hacking", with the illegal tapping of phones by News International and the attack on the Sony PlayStation Network. What does this term mean? In the context of this email we are referring to unauthorized access to your electronic systems (network, POS systems etc.) for criminal gain.
You may have read recent articles in the papers that outlined how an "unnamed" retailer had been the victim of a hacking attack during which the credit card details stored in their POS systems had been accessed. This breach of the network resulted in over 10,000 of their customers having their credit cards cancelled and reissued. The bank also subjected the retailer to an expensive forensic audit of their network.
While this seems like something that is unlikely to happen to you, it isn't. As 65% of all card transactions occur in small to medium sized retail outlets, your store is a potential target for an unscrupulous hacker.
By law, you have a duty of care to take steps to protect your customers' data from improper use. This sounds hard but it is actually easier than you think.
You are at risk of losing your EFTPOS facility if you do not comply with the Payment Card Industry (PCI) standards.
The checklist below is not exhaustive; however, start with these three main areas:
Your EFTPOS software
EFTPOS software isn't the Point of Sale software; it is the software that the POS system uses to process integrated EFTPOS transactions. If you aren't sure, please call your POS provider (Readysell) and ask them to confirm the following:
- That you are using the latest version of the EFTPOS software. Early versions of some EFTPOS software store cardholder data, and this is in breach of the PCI standards.
- Even if you are using a newer version of the software, ask them to check that all old log files are removed from your POS registers. The cardholder data stored in these log files is what the hackers are looking for.
Your network security must be compliant with the PCI security standard.
If your POS provider supports your network as well as your POS system, or if you use a local IT company, you need to ask them to confirm that your network security is up to the PCI standards that are expected of all retailers who have EFTPOS. Ask them to refer to the https://www.pcisecuritystandards.org website for more information on what is expected.
Some of the items covered in this standard are:
- Use and regularly update your anti-virus software
- Restrict who can log into your network remotely
- Use a strong administrator password and change it regularly
- Use a strong password on your router
- Install and maintain a firewall to prevent unauthorized access to your network
- Secure all wireless access points and protect them with a WPA2 password
- Change the passwords on all of your POS registers periodically
- Delete the login accounts for all former staff members
Never leave the passwords as the default. Passwords should conform to the PCI DSS standard (refer to pages 12 & 13 of the quick reference guide at the PCI website).
Passwords that are easy to remember are also easy to hack.
EFTPOS Pin Pads
Call your bank and ask them to confirm that your EFTPOS terminals are approved Payment Card Industry "PIN Transaction Security" (PCI-PTS) compliant terminals.
Specifically, Ingenico PX328 terminals are NOT compliant, and if you have these installed you MUST contact your bank to have these terminals replaced with a compliant terminal.
If you are using other types of terminals you will need to call your bank and confirm their suitability.