Welcome to Point of Sale Breach, brought to you by IBM. In this video, we'll learn what a Point of Sale breach is, and learn about PoS systems and their security standards. Let's get started. The main objective of Point of Sale breaches is to steal your 16-digit credit card number. 60% of Point of Sale transactions are performed via credit card, which means big business for cyber criminals. The industries most affected by PoS data breaches are usually restaurants, retail stores, grocery stores and hotels. But data breaches actually happen more frequently to small and medium-sized businesses, because they're easier to compromise than the computer networks of larger retailers. In a SANS Institute white paper, Wes Whittaker wrote that the term point of sale is used to describe the technology used by a consumer to provide their payment information in exchange for a good or service. PoS technology has actually been around for many years, with the first cash register dating back to 1879. However, it wasn't until the mid 70s that this technology was converted from mechanical to an electrical form. Over the next several years, support for barcode scanning and payment card reading was added. Modern PoS systems today are all held to the same security standard. The Payment Card Industry Data Security Standard, or PCI DSS, is the main card industry information security standard. It was created in 2006 by the PCI Security Standards Council. The PCI Security Standards Council is led by American Express, Discover Financial Services, JCB International, MasterCard and Visa Incorporated. The goal is to protect cardholder data and sensitive authentication data whenever it is processed, stored or transmitted. In order to create the new standard, PCI DSS came up with a list of controls and processes for the industry to adopt. Let's cover those next.
According to the PCI DSS, merchants, service providers and other entities involved with payment card processing must never store sensitive authentication data after authorization. This includes the three or four digit security code printed on the front or back of a card; the data stored on a card's magnetic stripe or chip, also called Full Track Data; and personal identification numbers, or PINs, entered by the cardholder. The major categories of security controls and processes are as follows. One, build and maintain a secure network and systems. Two, protect cardholder data. Three, maintain a vulnerability management program. Four, implement strong access control measures. Five, regularly monitor and test the networks. And six, maintain an information security policy. In order for these security controls and processes to be met, the PCI DSS has 12 different requirements. The requirements are as follows. Install and maintain a firewall configuration to protect cardholder data. Do not use vendor-supplied defaults for system passwords and other security parameters. Protect stored cardholder data. Encrypt transmission of cardholder data across open, public networks. Use and regularly update anti-virus software. Develop and maintain secure systems and applications. Restrict access to cardholder data by business need-to-know. Assign a unique ID to each person with computer access. Restrict physical access to cardholder data. Track and monitor all access to network resources and cardholder data. Regularly test security systems and processes. And lastly, maintain a policy that addresses information security. Even with these 12 different requirements, the ever-changing landscape of cybersecurity threats has us asking: is the PCI DSS enough? According to some industry professionals, the answer is no. A blog post from the Ingenico Group says that in 2018, cyber attacks increased by 32% in the first few months of the year, compared to the same period in 2017.
Threats from criminals are constantly evolving and becoming more sophisticated. Being only PCI compliant is not enough, and businesses need to take additional security measures to protect sensitive cardholder data and their payment technology investment. Here are a few ways businesses can protect their payment infrastructure. The first way is a semi-integrated payment approach. With this, sensitive card data is isolated, encrypted and sent directly from the terminal to the intended processing host or gateway. This way the payment or card data never touches the Point of Sale system, keeping it safe from any vulnerabilities in that system. The second possibility is the integration of point-to-point encryption. A point-to-point solution helps protect the card data while it's on the move during the payment process. It's an industry-proven solution that helps protect sensitive card data from cyber criminals. Another approach is tokenization, which goes hand-in-hand with point-to-point encryption. It replaces the sensitive information with a secure encrypted token, protecting it from cyber criminals when the data is at rest. After many data breaches over the years, current PCI standards do not allow businesses to save and store credit card details on their PoS systems or databases after the transaction unless they are tokenized. When data is tokenized, it becomes useless to any cyber criminal, as it can only be decoded by the payment processor. Another option is MDM, or mobile device management. In a lot of instances, businesses may use consumer-grade mobile devices to work with their PoS systems. This is where MDM can come in handy. MDM is a type of security software that allows businesses to remotely deploy and securely manage their mobile PoS solutions. The software solution also helps businesses protect their mobile PoS solutions from security threats. And last, and possibly something that no business should go without, is further employee education.
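The storage rule described earlier (never keep the security code, full track data or PIN after authorization) and the tokenization approach just described, worked through as an added Python example that is not from the video: a hypothetical TokenVault stands in for the payment processor, tokenize_after_auth builds the record a merchant is allowed to keep, and find_violations audits a stored record for sensitive authentication data or a full card number. The sample authorization message and field names are constructed.

```python
import re
import secrets
# Sensitive authentication data (SAD) that PCI DSS says must never be stored after
# authorization: the CVV/CVC security code, full track data and PIN data.
SAD_FIELDS = {"cvv", "cvc", "cid", "track1", "track2", "pin", "pin_block"}
TRACK_RE = re.compile(r"%B\d{13,19}\^[^^]*\^\d{4}|;\d{13,19}=\d{4}")  # track 1 / track 2
PAN_RE = re.compile(r"\b\d{13,19}\b")  # candidate full card numbers (PANs)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates a real PAN from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical processor-side vault, the only place a token maps back to a PAN."""
    def __init__(self):
        self._pan_by_token = {}
    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(8)  # random value, carries no card data
        self._pan_by_token[token] = pan
        return token
    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]

def tokenize_after_auth(auth_record: dict, vault: TokenVault) -> dict:
    """Record a merchant may keep: SAD dropped, PAN replaced by a token plus first-6/last-4 mask."""
    pan = auth_record["pan"]
    stored = {k: v for k, v in auth_record.items() if k not in SAD_FIELDS and k != "pan"}
    stored["token"] = vault.tokenize(pan)
    stored["masked_pan"] = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    return stored

def find_violations(stored: dict) -> list:
    """Audit a stored record for SAD field names, track data, or Luhn-valid full PANs."""
    issues = []
    for key, value in stored.items():
        if key in SAD_FIELDS:
            issues.append(f"sad field: {key}")
        text = str(value)
        if TRACK_RE.search(text):
            issues.append(f"track data in {key}")
        issues += [f"full PAN in {key}" for m in PAN_RE.finditer(text) if luhn_ok(m.group())]
    return issues

# Constructed sample authorization message (not real card data).
RAW_AUTH = {"pan": "4111111111111111", "expiry": "12/29", "cvv": "123", "amount": "42.50",
            "track2": ";4111111111111111=29121010000000000000?"}
```

Running find_violations over RAW_AUTH flags the PAN, the CVV and the track data, while the record produced by tokenize_after_auth passes clean and can only be mapped back to the card by the vault.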
Effective training of employees regarding basic security protocols can help curb mistakes and better protect your business. Next, let's dive into how these PoS breaches are happening by digging into PoS malware. We'll see you in the next video.