by Kerry McDowall
The following white paper was published by Kerry McDowall, Mitre 10. We believe that the information within would be beneficial to our own customers so are republishing it with her permission. Please get in touch with Readysell if you have any questions or concerns.
Are you using integrated EFTPOS at the registers, if so you need to read on.
In recent times the media has been paying a lot of attention to cases of “hacking†with the illegal tapping of phones by News International and the attack on Sony Play Station Network. What does this term mean? In the context of this email we are referring to unauthorized access of your electronic systems (Network, POS Systems etc) for criminal gain.
You may have read recent articles in the papers that outlined how an “unnamed†retailer had been the victim of a hacking attack during which the credit card details stored in their POS systems had been accessed. This breach of the network resulted in over 10,000 of their Customers having their credit cards cancelled and reissued. The bank also subjected the retailer to an expensive forensic audit of their network.
While this seems like something that is unlikely to happen to you, it isn’t. As 65% of all card transactions occur in small to medium sized retail outlets your store is a potential target for an unscrupulous hacker.
By law, you have a duty of care to take steps to protect your customers’ data from improper use. This sounds hard but it is actually easier than you think.
You are at risk of losing your EFTPOS facility if you do not comply with the Payment Card Industry (PCI) standards.
The check list below is not exhaustive however; start with these three main areas:
Your EFTPOS software
EFTPOS software isn’t the Point of Sale software, it is the software that the POS system uses to process integrated EFTPOS transactions. If you aren’t sure, please call your POS provider (Readysell) and ask them to confirm the following:
- That you are using the latest version of the EFTPOS software. Early versions of some of software stores Cardholder Data and this is in breach of the PCI standards.
- Even if you are using a newer version of the software, ask them to check that all old log files are removed from your POS registers. The Cardholder Data stored in these log files are what the hackers are looking for.
If your POS provider quotes a fee for the upgrade service, please pay it and don’t delay the upgrade process.
Your Network
Your network security must be compliant with the PCI security standard.
If your POS Provider supports your network as well as your POS system or if you use a local IT company you need to ask them to confirm that your network security is up to the PCI Standards that are expected of all retailers who have EFTPOS. Ask them to refer to the https://www.pcisecuritystandards.org website for more information of what is expected.
Some of the items covered in this standard are:
- Use and regularly update your anti-virus software
- Restrict who can log into your network remotely
- Use a strong administrator password and change it regularly
- Use a strong password on your router
- Install and maintain a firewall to prevent unauthorized access to your network
- All wireless access points are secure and WPA-2 password protected
- Change the passwords on all of your POS registers periodically
- Delete the login accounts for all former staff members
Never leave the passwords as the default. Passwords should conform to the PCI DISS standard (refer to pages 12 & 13 of the quick reference guide at the PCI website).
Passwords that are easy to remember are also easy to hack.
EFTPOS Pin Pads
Call your bank and ask them to confirm that your EFTPOS terminals are approved Payment Card Industry “PIN Transaction Security†(PCI-PTS) compliant terminals.
Specifically Ingenico PX328 terminals are NOT compliant and if you have these installed you MUST contact your bank to have these terminals replaced with a compliant terminal.
If you are using other types of terminals you will need to call your bank and confirm their suitability.
