Technology/Services

POS Vulnerability

Equipment suppliers shore up data security; onus is on retailers to do the rest

OAK BROOK, Ill. -- Of all the vulnerabilities that exist concerning data security, the point of sale (POS) stands out as the Achilles' heel for retailers, with one expert saying most companies that fail to meet security compliance standards do so at the front counter.

Fortunately, suppliers are making strides in meeting technical guidelines released by the Payment Card Industry (PCI) Standards Council, Wakefield, Mass., and introducing to market solutions that are less open to tampering. [For extended coverage of data-security issues, watch for the July issue of CSP magazine.]

Part of the vulnerability lies in how POS devices store what George Sconyers calls "full track data." Essentially, the register is supposed to delete a customer's credit-card information after the transaction, and many POS devices need a software upgrade in order to do that, the senior solutions architect for American Technology Corp. (ATC), St. Louis, told CSP Daily News.

Officials from companies such as Arlington, Texas-based The Pinnacle Corp.; Alpharetta, Ga.-based Radiant Systems; and Greensboro, N.C.-based Gilbarco Veeder-Root have talked about the importance of security issues and the steps they've taken to ensure product compliance.

"When [our product] was first released 10 years ago, there was a lot of information that [unauthorized] people could get to," said Drew Mize, vice president of retail solutions for Pinnacle. "We've since tightened the belt and tightened access to [the data]."

Still, while suppliers like Mize said focusing on the POS was a good start, they believed it only the beginning of a larger journey. "When you think about the PCI guidelines they've put out there, it's a holistic policy to securing data or credit-card information," said Douglas Henderson, director of product marketing for Radiant. "It covers everything: Are my applications secured? Is my back office [compliant]? Is anything touching data or masking credit-card numbers? Am I certain the POS is not storing the information?"

Henderson believes the answers also lie with strong policies. "Retailers have to ask themselves, 'What is my security policy in terms of which people can access my data? What's the physical security look like? Do I have locks on [certain] doors? Do I have security levels in my building or store? Where can employees get onto a computer and into the system?'"

Sconyers of ATC also said compliance goes beyond technology. "You also have to understand why retailers are doing these things," he said. "Sometimes people are trying to understand their customer and are trying to capture information about the buying process. They begin to tie unique customer information to their credit cards, and you can't do that."

Suppliers of peripherals and software agree that retailers need to take a big-picture view of their retail systems. Late last month, VeriFone Inc., Clearwater, Fla., announced that it now has 25 systems that are PCI-approved. Officials said that all payment systems sold for personal identification number (PIN) entry must comply with PCI standards by January 1, 2008.

But just how far along are retailers with regard to compliance? "Awareness is happening, but we're behind the curve," said Michael Tyler, marketing director of petroleum for VeriFone. "We're not as aware of our vulnerabilities as the retail industry at large."

Tyler said fraud is indeed occurring among retailers. "It's our belief that fraud takes the path of least resistance. I fear for our retailers. I fear for our customers."

On the software front, Abilene, Texas-based AutoGas Systems Inc. announced the availability of its Regal POS Streamline2 software, which meets encryption standards set by PCI. "Ultimately, the onus is on the retailers to secure their respective networks," said Steve Covington, chief technology officer for AutoGas. "Secure POS technology is available and AutoGas will continue to work with its customers to help them properly configure their POS systems and meet PCI standards."

Suppliers strongly suggest reviewing POS systems for data-security issues and viewing PCI compliance as an opportunity to garner new capabilities at the store level.

"Yes, this could be an investment [against data intrusion], but it could be a catalyst to more proactively look at new technologies for POS," said Ying Zhang, product manager for POS, Gilbarco. "New products don't just give retailers PCI [compliance], but add new functionality that can take them to a higher level."
