How to Choose a Secure Point-of-Sale System
Is the POS system PCI compliant?
The first thing to look for is whether your new POS system meets the required regulations for accepting credit cards.
“Any business that accepts credit card payments for goods or services must be PCI compliant,” said Tony Ciccerone, a Detroit-based territory manager for Heartland Payment Systems. This means that in addition to following the Payment Card Industry Data Security Standard (PCI DSS) rules for credit card processing, your POS itself must meet PCI standards for merchants.
This is important because if your customers’ information is leaked, you could be on the hook for financial damages, even if your company uses PayPal or some other third-party service provider to process your credit card transactions, said Vikas Bhatia, founder and CEO of cybersecurity firm Kalki Consulting. “Make sure to ask your service provider for proof that they passed their PCI DSS evaluations,” he said.
Update and maintain purchased technology
Technology is changing rapidly, and credit card payment processing systems are, too. When you choose your new POS system, ask the service provider about the maintenance schedule. An outdated system may put your business and customer credit card info at risk for a security breach.
“If you do buy technology (security or IT), make sure it’s maintained appropriately by having antivirus and anti-malware software installed and updated regularly,” said Bhatia.
That includes your firewall. “Consumer-class routers that are commonly used in SMBs generally include a firewall; however, it needs to be configured correctly in order to protect your network,” Bhatia said. It’s critical that you change the default login and password on every network device you purchase, including your new POS system, he added.
“The most advanced firewall is worthless if it has the default login and password in place,” Bhatia said.
In addition to ensuring your POS software is up-to-date, it’s important to check the changing PCI compliance rules regularly, to make sure your POS systems meet them, Ciccerone said.
“Visa and MasterCard, for example, change PCI rules and regulations about once a year,” he said.
Encryption services and fees
With security being such an important issue in electronic payment acceptance, it’s important to understand the encryption options available for a POS system.
Encryption is the process of changing information into a form that’s unreadable except to holders of a specific cryptographic key, according to the PCI website glossary. Using encryption protects your customers’ payment information from unauthorized access until it’s decrypted with the key.
Ask the POS salesperson if the system in question requires separate encryption services. Keep in mind that encryption could require an extra monthly fee. Also ask if they offer a system with end-to-end encryption, which can simplify the process, thus saving you time and money.
“Point-to-point encryption (P2PE) from the instant the card data is read, also called end-to-end encryption, addresses this risk by encrypting all the payment card data before it even gets to the POS,” Bower said. “If the POS is breached, the data will be useless to the attacker.”
For a handy list of PCI-compliant systems, see PCI’s Approved PIN Transaction Security Device page.
For more information on what to look for when choosing your first POS system, read the PCI DSS Quick Reference Guide.
Contact Compuville Systems today to get the best advice on choosing your Point of Sale System.