Another Point of Sale Security Message
    RetailEdge Moderator
    Site Admin
    Posts: 1298
    Joined: Mon Jan 23, 2006 4:02 pm
    Location: Rutland, VT

    Another Point of Sale Security Message

    by RetailEdge Moderator » Tue Aug 26, 2014 3:27 pm

    POS and Credit Card Security

    Are you prepared to defend against POS-targeted malware? Are you vulnerable to “Backoff” malware infections?

    Computer and network security and fighting POS-targeted attacks is a big challenge but there are a number of things we can all do to help limit our exposure.

    First and foremost, make sure all your critical software is up-to-date. This includes Windows, RetailEdge, antivirus software, remote access tools, s/w and h/w based firewalls, routers, etc.

    If you are still running Windows XP, you are playing with fire. Microsoft stopped supporting XP almost 6 months ago and it is no longer considered a secure operating system. If you are using XP, it is a question of when you will be breached, not if you will be breached. 9% of our customers have used Windows XP with RetailEdge during the last month. If you are one of the 9%, please upgrade or replace your computer as soon as possible.

    Remote Access Software

    A recent report says that weak passwords used with remote access tools are responsible for 31% of POS related intrusions. The bad guys, often driven by organized crime, are using brute force attacks to identify and break into systems with poorly configured and improperly exposed remote access software.

    Here are some important steps to fight brute force attacks on remote access software:

    Use complex passwords, the longer the better. Simple and/or short passwords make brute force attacks easy. Ideally, passwords should be as random as possible with a minimum of 20 or 25 characters. Using a trusted password manager makes the creation and implementation of complex passwords much easier (e.g. 1Password, Password Safe, LastPass). A password manager remembers all your long, complex passwords so you don’t have to.
    Use Two-Factor Authentication. This is very important: two-factor authentication does not mean a username and password. A second factor is something you “have” or something you “are”. Second factors are often implemented as random, temporary codes that are good for only a limited time. Codes can be texted, emailed, verbally communicated, or based on a token generator (e.g. RSA key fob).

    All remote access into your store should be based on two-factor authentication, whether the access is from a support organization like RetailEdge or for your own purposes. Many remote access products support two-factor authentication, but most are not configured this way by default. You have to edit the configuration settings and turn two-factor access on.

    Do not leave remote access software running at all times. Ideally, remote access software should only be running when the access is actually needed. If you leave your remote access tools running 24/7, you are giving attackers lots of time to compromise your systems.

    Other Security Measures

    When processing credit cards, use end-to-end encryption for all your swiped transactions. This means using special credit card readers that encrypt critical credit card data as soon as it is swiped. The data stays encrypted throughout the approval process and key logging and memory scraping malware are unable to gain access to the data.

    If you are not using encrypted credit card swipers, we strongly encourage you to consider doing so. Encrypted swipers are not expensive and are easy to install and use. You can purchase encrypted swipers directly from our credit card processing partners (PayPros, Mercury Payment Systems, and Merchant Warehouse).

    Reboot computers on a regular basis.

    Use good judgment when browsing and opening email attachments. Social attacks are on the rise and are another easy attack vector. Ideally, your POS workstations should have limited internet access and you should have policies in place that limit folks from casual browsing.

    PCI Compliance

    All merchants processing credit cards need to be aware of PCI Council rules and guidelines. Each copy of RetailEdge comes with an Implementation Guide that provides information on how to use RetailEdge in a PCI compliant fashion. The Implementation Guide can typically be found in the RetailEdge program folder (C:\Program Files (x86)\High Meadow Business Solutions\RetailEdge 8.2\RE_CC_Module Implementation Guide.pdf).
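The post warns that attackers brute-force exposed remote access software with weak passwords. As an added example that is not part of the original post and is not output from any particular remote access product, here is a small detector that reads login records and flags a source address once it produces a burst of failed logins. The log lines and their `timestamp login user=... result=... src=...` layout are constructed for the example; a real tool's log format would need its own regular expression.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log: one source hammering the admin account, one source with
# two spread-out failures, and a legitimate user who mistypes once.
SAMPLE_LOG = """\
2014-08-26T09:00:01 login user=admin result=FAIL src=198.51.100.7
2014-08-26T09:00:02 login user=cashier result=FAIL src=192.0.2.10
2014-08-26T09:00:03 login user=admin result=FAIL src=198.51.100.7
2014-08-26T09:00:05 login user=administrator result=FAIL src=198.51.100.7
2014-08-26T09:00:06 login user=cashier result=OK src=192.0.2.10
2014-08-26T09:00:07 login user=pos result=FAIL src=198.51.100.7
2014-08-26T09:00:08 login user=owner result=FAIL src=203.0.113.5
2014-08-26T09:00:09 login user=admin result=FAIL src=198.51.100.7
2014-08-26T09:00:11 login user=admin result=FAIL src=198.51.100.7
this line is not a login record and is skipped
2014-08-26T09:03:40 login user=owner result=FAIL src=203.0.113.5
2014-08-26T09:03:45 login user=owner result=OK src=203.0.113.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_ts(ts: str) -> int:
    """ISO-8601 timestamp (constructed format) to epoch seconds, treated as UTC."""
    return int(datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp())


def find_brute_force(log_text: str, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Return {src: timestamp_of_first_alert} for every source that reaches
    `threshold` failed logins inside a sliding window of `window_seconds`.
    Successful logins and unparseable lines are ignored."""
    failures = defaultdict(deque)   # src -> epoch seconds of recent failures
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "FAIL":
            continue
        now = parse_ts(m["ts"])
        recent = failures[m["src"]]
        recent.append(now)
        # Drop failures that fell out of the window.
        while recent and now - recent[0] > window_seconds:
            recent.popleft()
        if len(recent) >= threshold and m["src"] not in alerts:
            alerts[m["src"]] = m["ts"]
    return alerts


def targeted_usernames(log_text: str, src: str) -> set:
    """Distinct usernames a source tried and failed with; a long list of
    guessed account names is another sign of a brute-force attempt."""
    names = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["result"] == "FAIL" and m["src"] == src:
            names.add(m["user"])
    return names


if __name__ == "__main__":
    for src, when in find_brute_force(SAMPLE_LOG).items():
        print(f"ALERT {when}: {src} tried {sorted(targeted_usernames(SAMPLE_LOG, src))}")
```

The threshold and window are deliberately small so the sample triggers; tuning them against real traffic, and pairing the alert with an automatic lockout or firewall block, is what turns this into a useful control.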