Alessia
Forster

A beginner’s guide to POS systems and their management

Alessia Forster

Apr 13, 2021

14 min read

Restaurants and retail stores can best be described as people’s destinations or people’s hubs. Considering this people-centric nature, industries have begun resorting to practices that their customers best prefer. With changing times, the way payments are made and logged have also undergone major transformations beginning with the initial manual registers to the most recent POS systems, a remarkable journey worth noting.

“When I was young, people lived from paycheck to paycheck. Today, it seems like they live from credit card payment to credit card payment.”

Recollects Robert Kiyosaki, the renowned American author and businessman, on the changing trends in the payment sector.

Nowadays, we often hear the term Point of sale (POS) linked with the payment sector. The term actually refers to the place where the customer pays for the availed services, inclusive of all the taxes. It includes collaborative payment tools and is often seen located at the end of the physical store. These tools can either be a POS terminal with systems or a virtual one with mobile or computer-based payments.

Evolution of POS

Some milestones in the POS evolution
Some milestones in the POS evolution
Point-of-sale devices have come a long way from their initial “cash till” to the present-day handheld and mobile device-integrated systems. The image above depicts some of the important incidents that helped POS reach the present-day state.

POS: Some terminologies

A customer making payment through a POS terminal
A customer making payment through a POS terminal

POS System

A POS system collectively refers to all the hardware and software components used for billing in a POS store. It usually consists of all the necessary devices for efficiently managing the sales and the related transactions. Some of the commonly seen components of a POS system are as follows:

  • Display unit showing the billing information
  • Software interface for completing the transaction process
  • Input device like keyboard or touchscreen for product selection and entering data
  • Barcode scanner for scanning commodities to be billed
  • Printer for printing the receipt
  • Cash register for storing the cash received

POS Software

It refers to the software running on the POS system, or in other terms, it comprises the terminal’s operating system. This software interface has simplified the process of inputting data regarding purchasing the various products and getting accurate cumulative data logs of the required products. It further helps in processing orders using the available hardware components.

Different firms may have different data collection requirements, and hence, POS software is often tailored to meet the respective industry’s needs.

POS Terminal

It refers to the payment receiving section of the POS system. Here devices like a card reader or other payment accepting devices are found, which accepts payments for the orders made through the POS system. With integrations with the POS software, bill printing and card swiping can be carried out on a single hardware device. This simplifies the process of order management and makes the checkout process faster. These terminals accept a wide range of payment modes, from chip-based cards to detecting contactless cards and other online payment modes like Google pay, Apple pay etc.

Some benefits of the POS system

Simplified payment with a POS system
Simplified payment with a POS system
POS system has simplified the work of the businesses making it easier to maintain records and receive payments. Some of its benefits include:

Increased efficiency

POS system has eliminated the need for people to remember the price and details of various products in the store. Now all the person needs to do is scan the product’s barcode to fetch the required product data, making the process faster. Further, this system also helps keep track of employees and their checkout speeds and helps in taking appropriate measures to enhance the employees’ efficiency.

Easier analysis and inventory management

With a POS system in place, upon adding the existing stock level upon the system implementation, the inventory level is automatically adjusted by the software with each purchase. Further, it has also made it possible to get accurate sales reports and trend analysis to get a clear picture of your businesses’ status.

Maintaining consistency of the catalog in multiple stores

POS software helps in maintaining a digital catalog of data that can be accessed from any preferred location. This means that once a product price is set in one of the stores, there is no need to enter the same data again in the other stores.

Increase store profitability

Effective inventory management and buying behavior records of customers can help in creating personalized marketing campaigns. This helps increase the store’s profitability. Other practices like instant access and enabling selling and ordering from anywhere can further enhance customer satisfaction and hence profitability.

Why is there a need for management of POS devices?

A POS system
A POS system
At some point, you would have thought how easier things would be if our society was ideal! A beautiful society, where people strictly adhered to the rules and never resorted to untoward practices like stealing other people’s sensitive data online. Unfortunately, attaining ideality is a near impossibility.

The greatest recorded data loss due to a POS system breach occurred in 2013, compromising nearly 70 million individuals’ data. This has served as an eye-opener to all the businesses that took POS security lightly. Some of the essential aspects necessitating POS management are as follows:

The data your business collects is your responsibility

Taking precautions before an incident occurs is always better than paying the incident’s cost after its occurrence. Securing the data in these devices can be particularly demanding if left unattended or lost, or stolen. Hence, appropriate measures to prevent such instances are essential if you aim to build a stable customer base.

Downtime and overhead cost have a considerable impact

In industries where time is money, even a minute of POS device downtime can result in a tremendous loss. This has created a need to effectively manage these devices to avoid such incidents. Not just this, when POS devices are used alongside other applications, it can give rise to additional overhead costs making device management a necessity.

Not all your employees need access to all data levels

Even in organizations with the most trusted employees, a minor mishap can put the whole organizational data at risk. Hence, managing the devices and controlling the access levels so that only those employees who need them for their duties have access to them can make things easier and guarantee customer trust.

Staying informed about your device in real-time

The changing technology and widespread internet connectivity have made it possible to remain connected, dissolving all regional barriers. Now managing the device in real-time, getting updated location information, monitoring device health and status, and security and compliance information have become integral components of POS devices. All these data can help ensure the judicious use of these devices.

POS vulnerabilities and their fixes

A hacker trying to break into secure systems
A hacker trying to break into secure systems
Hackers are increasingly seeking vulnerabilities in POS systems. Fixing these vulnerabilities has become necessary in recent times as even the slightest one is sufficient for an attacker to compromise the entire system.

Malware

POS malware is specially designed to steal payment card data from point-of-sale terminals. One of the most straightforward vulnerabilities hackers can exploit to access the card data is the connection between the POS workstation and the store server. All they need to do is introduce a malicious tool to the location of the terminal.

The case of Prilex point-of-sale (POS) malware

With security becoming the prime concern in every area, the chip and PIN-protected cards began being adopted due to their excellent security capabilities. However, with these advancements arrived more complicated malware configured to compromise these well-engineered systems. Such a recent threat developed in Brazil was the Prilex point-of-sale malware. This was a complete hacker malware that could steal user information and even clone the same into real functional plastic cards. These cards were functional in any POS system in brazil due to a faulty implementation of the EMV standard that prevented full data verification in the approval process.

Once the hacker gains access to the network, the extent of the loss can be far beyond expectations. Some of these include:

  • Manipulating the sales values and adding special discounts, thus lowering the price of products as per their discretion
  • Increasing the price of products digitally keeping the tagged values unchanged affecting the company’s reputation
  • Turning off POS terminals of retailers remotely creating massive loss due to downtime
THE FIX
  • Timely patching and upgrading of operating system to eliminate entry points for hackers into the network
  • Network segmentation so that the sensitive data is safeguarded away from the reach of the malicious actors

Absence of separate hardware security module for storing the encryption keys

Storing user data in the same place as encryption information can make things easier for hackers. In this case, gaining access to one of these automatically gives you access to the other. For this, a separate hardware security module can be used to store your encryption data. The POS data stored can be easily accessed by attaching the device directly onto the server or computer.

THE FIX
  • Using an external hardware security module for storing encryption information away from the device that may be targeted by hackers

Not changing default manufacturers passwords

Passwords function like the key for unlocking data
Passwords function like the key for unlocking data
Using the POS system with the default password is like directly handing over all your user data to a malicious attacker without being asked for. When the default password is used for a POS system, the attacker can easily access your device by extracting the default password list from the manufacturer’s site. Using the default password is the last thing you should do if all you are aiming for is a secure POS system.
THE FIX

Enforcing strong password policies that ensure that the manufacturer’s password is scrapped before its use.

No separation of POS Data from the business network

Using the same business network to push updates to your POS data environments and devices can potentially put your data at risk. Here access to your network allows direct access to all your POS data. However, creating small pathways from the business network to the POS data environment can be a complicated task for small businesses. Hence, it’s often seen that they resort to practices like multi-factor authentication (MFA) from the business network to the POS device. Similar is the case with coffee shops and restaurants that provide Wi-Fi to their customers. Separating the POS device network from this public network is vital for ensuring data security.

THE FIX
  • Ensuring separation of business network and the sensitive POS data
  • Implementing MFA in case the separation of POS data from the network is not possible

Adopting systems running old operating systems

It’s a known fact that Microsoft only extends its support to its modern versions. So, if you are still running an old version of Windows that Microsoft no longer supports, you won’t receive frequent security patches to fix operating system issues. It means, once hackers are lucky enough to find an entry point into the software, your POS data will be compromised.

THE FIX
  • Ensuring that the system is running on an operating system backed by Microsoft
  • Patching the device at the earliest to ensure a secure system

Using fraudulent devices

Fraudulent device can compromise your data
Fraudulent device can compromise your data
It’s often difficult to predict how attackers will be trying to steal your data, especially when it’s capable of providing them with monetary gains. So, it’s often recommended to implement a reputed firm’s POS system to ensure that it’s actually performing the functions that it says it is performing. In most fraudulent POS systems, the user data is extracted while giving the user an impression that the transaction isn’t finalized due to their credit card or system issues.
THE FIX
  • Implementing POS systems of firms having a good reputation
  • Gather information about the system from its users to ensure its credibility and functioning

RAM scraping

RAM scraping, also known as memory scraping, is a technology used for extracting sensitive payment card data from the memory of the payment application process. This is implemented in specially crafted malware attacking payment applications by stealing cardholder information from memory.

RAM scraping is a technique used by hackers to rip credit card data directly from the POS device’s memory before it gets encrypted on the network.

THE FIX
  • Isolating the POS system from the business network can help reduce these kinds of attacks
  • Ensuring the communication of POS systems with known devices alone by tightening your company firewall

Most common POS malware families

Alina

Scans the system memory to check for the presence of credit card information that can be stolen

vSkimmer

Checks for the presence of specific removable drive and drops file containing stolen information into it, allowing offline data exfiltration

Dexter

Involves information theft involving stealing card information along with system information along with the installation of a keylogger into the affected system

FYSNA

Due to its complex communication array, the malware’s network traffic is made extremely difficult to analyze.

Decebel

Checks the presence of analysis tools in the machine before running to complicate its detection and analysis

BlackPOS

Adopts FTP to upload information into a single server allowing hackers to consolidate information from multiple servers

MDM for POS device management

MDM for POS device management
MDM for POS device management
With devices being the favorite end-point for hackers, ensuring efficient device management strategies have become essential for a safe online presence. An MDM is the best solution to this challenge. With Hexnode, it’s easy to push various restrictions selectively to the device and manage it accordingly. Some of the important features that simplify POS device management includes:
  • Simplified policy deployment to devices or groups giving the user the flexibility to model the policies as per the organizational needs
  • Single or multi-app kiosk modes restricting the device to the essential apps alone to function as self-service kiosk
  • Whitelisting the required apps as background apps which can only be accessed when the application locked in kiosk mode invokes them
  • Allowing the end-user to access some essential settings on the device while hiding the unnecessary ones with the peripheral settings
  • Web app kiosk enabling the device to be locked down to the whitelisted URLs alone.
  • Real-time device troubleshooting using remote view and control eliminating chances of downtime due to commuting
  • Easy deployment of enterprise apps and application management for simplified device setup
  • Pushing secure Wi-Fi networks to prevent intrusions
  • Location tracking and geofencing policies to keep track of device and impose location-specific policies
  • Enforcing strong passcode policies to check the use of default passwords and for ensuring periodic changes

Some POS best practices

Some of the best practices to prevent a POS system compromise include:

  • Utilizing real-time detection and PCI compliance monitoring tools for actively monitoring your POS system for changes
  • Installing antivirus software on the POS system
  • Adopting best of class end to end encryption around critical data like the cardholder’s information
  • Restricting the communication access to the POS system to the necessary hosts alone
  • Implementing the more secure chip-card enabled POS terminals
  • Creating awareness or training employees to detect and report cases of tampering at the earliest
  • Hiring security experts for enhanced data protection

What’s awaiting us?

The future
The future
Technology is never static. The saying “time and tide wait for none” seems tailored for this tech industry. With innovations overruling the previously established ones at unexpected rates, every industry is forced to change to suit the demands of an ever-changing consumer base. Some of the advancements we can expect to see in the industries using POS in the near future are as follows:
  • Image scanning of the items on a conveyor belt eliminating human errors and the need for double scanning
  • Self-checkout or robot-based checkouts for easier shopping
  • Replacing tags attached to garments with a biodegradable RFID transponder which gets deactivated on payment completion
  • Biometrics like a fingerprint, an eye scan or facial recognition for enhanced store operations and customer experience
  • Complete elimination of long checkout lines by the full-fledged implementation of one-click and contactless payments
  • Digital product tracking for self-checkout and sending automated digital receipts to the user upon purchases
Share
  •  
  •  
  •  
  •  
  •  
Alessia Forster

Writing is an art where anybody can be an artist. But who do you wanna be, yourself or Picasso, and that will make the real difference!

Share your thoughts