POS Systems Are a Weak Spot for Small Businesses

By Wayne Rash  |  Posted 2012-03-24 Print this article Print


Change the default password on your point-of-sale (POS) system.

This means the computer you use as a cash register and to process credit card payments. Hackers already know the default administrative passwords, and if you haven€™t changed it, then they will break in and steal your customers€™ information, like their credit card numbers. The Verizon people even created a cutout card that people can take to their merchants outlining these steps.

The POS system is apparently a real weak spot for small businesses. Apparently, small businesses don€™t change passwords, but they do use the devices to browse the Web. There€™s never a reason to do this, and if possible, software for accessing the Web for anything other than credit card processing should not be on these machines. While you€™re at it, you should make sure that whoever services your POS system has it set up so it€™s compliant with the Payment Card Industry's Data Security Standards (PCI DSS).

Things are a little more complex for larger companies, but that doesn€™t mean that they€™re any less basic. Once again, the list of things to do includes changing default passwords and other security settings. It includes implementing a firewall, which should already be in place in every company, and setting it up properly, and changing passwords on even the suspicion of a breach.

Some suggestions are clearly for larger organizations that have routine calls by service vendors, but these can also apply to smaller business.

For example, you should confirm that the service representative that shows up at your door is actually who they say they are. One way to steal data is to have a fake service call in which the only service is to attach a USB memory stick into a handy USB port and stealing information that they can€™t otherwise hack into. It helps to insist on scheduled visits from your service vendor. That way, you know that when someone just shows up at your door and says they€™re there to €œservice€ your POS system, you know you can probably send them away, unless you want to call the police first.

I know it sounds repetitive, and I know that we€™ve been harping on these steps for years, but the fact is that there€™s a reason that virtually all data breaches would have been easy to prevent. That is because people who should be taking steps to protect your company€™s data aren€™t doing their jobs. None of this is rocket science, and companies that fail to take even these basic steps should be held accountable for their reckless handling of personal information. Likewise, employees who fail to take even these basic steps should have their continued presence in your company evaluated.

Ask yourself: Do you really want an IT guy in your company who can€™t or won€™t change your firewall passwords? I didn€™t think so.


Wayne Rash Wayne Rash is a Senior Analyst for eWEEK Labs and runs the magazine's Washington Bureau. Prior to joining eWEEK as a Senior Writer on wireless technology, he was a Senior Contributing Editor and previously a Senior Analyst in the InfoWorld Test Center. He was also a reviewer for Federal Computer Week and Information Security Magazine. Previously, he ran the reviews and events departments at CMP's InternetWeek.

He is a retired naval officer, a former principal at American Management Systems and a long-time columnist for Byte Magazine. He is a regular contributor to Plane & Pilot Magazine and The Washington Post.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel