Hackers favour the hospitality sector for two main reasons: it relies heavily on Point-of-Sale (POS) systems, which are easy targets, and its numerous outlets offer a large number of those targets. POS systems are used in many business sectors, but their primary purpose is to accept card payments. Successful data breaches in the hospitality sector are reported continuously. The impunity with which these attacks are carried out, and the huge amount of data being stolen, tempt aspiring cybercriminals to try their luck on POS terminals.
The Vulnerability Reason
The hospitality sector handles credit card data in a unique way. After the first swipe of the credit card, all of the captured details are stored: the personal details of the card holder (guest), the card details, and the card PIN. The data are retained so that the guest need not present the card again for any further services used during the stay. In practice this happens a great deal: once a guest checks in, they typically go on to use many other services the hotel offers.
Though this offers convenience, the practical security implications are many. Any entity that accepts card payments and stores card data has to comply with the Payment Card Industry Data Security Standard (PCI DSS). Its requirements are stringent, and when an entity wants to store personal information alongside card information they are even more stringent.
For better data mining and analysis, and to provide a better guest experience, POS terminals are connected to workstations (computers), and these computers are networked to corporate servers. Attackers who compromise a POS terminal can move through the network to the server and to other computers and terminals. Malware can be installed, and data transiting through all of these systems and stored on the server can be exfiltrated.
Recommendations for Better POS Safety
Secure POS terminals with POS security – Install a robust endpoint security solution on the most vulnerable endpoint on the network: the POS terminal.
Employee Education – Educate employees on the importance of POS security. This must not be complicated: employees manning these terminals are usually under pressure, and training should not become an extra burden.
Data Encryption – Encrypt all data that needs to be stored, and impose strict restrictions on who can access it. Both are required by the PCI DSS.
Server Accessibility – Allow remote access to the server only through a VPN. This helps prevent remote access trojan (RAT) attacks on the server.
Biometric Authentication – Username and password authentication is quite vulnerable, as many users do not follow the necessary password practices. Two-factor authentication is considered secure, but vulnerabilities have been discovered and exploited. Biometric authentication offers a much superior option with stronger authentication and security. The encrypted biometric data remains protected on the guest's or customer's device, and it promises to be a versatile additional authentication factor.
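The storage practice described above (keeping the card details and PIN after the first swipe) and the Data Encryption recommendation both come down to one PCI DSS rule: sensitive authentication data (PIN, CVV/CVC, magnetic-stripe track data) must never be retained after authorization, and a stored PAN must be rendered unreadable. The following is an added example, not code from the original article: it audits a constructed front-desk record for those violations and produces the version that may be retained. The record layout and field names are assumptions made for this example.

```python
"""
Added example: audit a stored POS record against the PCI DSS rule that
PIN, CVV/CVC and track data are never kept after authorization and that a
stored PAN is masked to at most first six / last four digits.
Field names and the sample record are assumptions constructed for this example.
"""
import re

# Fields that PCI DSS forbids retaining once the transaction is authorized.
FORBIDDEN_FIELDS = ("pin", "pin_block", "cvv", "cvc", "track1", "track2")
PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell a real PAN from other numeric fields."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits; PCI DSS allows at most that in clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def audit_record(record: dict) -> list:
    """Return findings for one stored record; an empty list means compliant."""
    findings = [f"sensitive authentication data stored: {f}"
                for f in FORBIDDEN_FIELDS if record.get(f)]
    pan = str(record.get("pan", ""))
    if PAN_RE.match(pan) and luhn_ok(pan):
        findings.append("full PAN stored in clear; expected masked or tokenized value")
    return findings


def sanitize_record(record: dict) -> dict:
    """Produce the version of a record that may be retained for guest convenience."""
    clean = {k: v for k, v in record.items() if k not in FORBIDDEN_FIELDS}
    pan = str(record.get("pan", ""))
    if PAN_RE.match(pan) and luhn_ok(pan):
        clean["pan"] = mask_pan(pan)
    return clean


# Constructed sample: what a hotel system might wrongly keep after the first swipe.
SAMPLE = {"guest": "A. Example", "pan": "4111111111111111", "expiry": "12/29",
          "cvv": "123", "pin": "4321", "track2": "4111111111111111=2912..."}
```

Running `audit_record(SAMPLE)` reports the stored PIN, CVV, track data and clear-text PAN; `audit_record(sanitize_record(SAMPLE))` returns no findings. Any PAN that must remain recoverable (for example to charge later services) belongs in an encrypted, access-restricted store, not in the guest record itself.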