Many small businesses require upfront interactions with customers, where the customers eventually engage in a financial transaction with a cashier or front desk attendant. Digital transformation of the economy has led to several reliable and accessible Point-of-Sale applications becoming available to even the smallest of organizations. Small business owners don’t have to go through the pain of configuring complex Linux backend systems to handle financial transactions. Configuration of Point-of-Sale applications such as Square and PayPal POS can be as simple as purchasing the application from the vendor and connecting it to your organization’s financial resources. Modern Point-of-Sale systems come in several different forms: some are small, vendor-specific terminals that are easy to move around, others are larger terminals with tablet-like screens, and some are independent applications that must be installed on a mobile device such as an iPad or Android phone. Regardless of which Point-of-Sale systems your organization has, there are several security precautions that should be taken. Because these systems process PII, including customer information and financial data, their security is paramount. Daily business continuity also often relies on these systems being functional, making any sort of breach or loss of functionality a high-impact risk for your organization.
Segment Point of Sale Systems from other Network Resources: Leaving POS systems on a large network segment with a variety of other devices and resources is risky. While it can be done, your risk increases by leaving these systems with sensitive data lumped in with resources such as workstations. Also, God forbid POS systems are put on an open network that outsiders also connect to. To be responsible with your POS systems, create a dedicated VLAN for the POS systems only. It may be tempting to lump the POS systems in with other small devices like IoT appliances, but this is probably one of the worst things you could do since IoT devices are inherently vulnerable. One independent VLAN for POS systems lowers the attack surface and ensures that the transactions and associated data are confined to their own bubble.
Implement Least Privilege Access Controls: Every Point-of-Sale system will have a slightly different method and interface for configuring permissions. It is imperative that you become well educated in the identity and access control methods of your POS vendor. Users of these systems should have the very least access necessary to perform their tasks. Cashiers and front desk receptionists should be allowed to perform transactions and open/close drawers, nothing more and nothing less. Giving lower-level employees free rein over system functionality opens the door to threats like embezzlement and destruction of system functionality.
Tighten Identity Management: In one of my first jobs, I was tasked with handling transactions on a Square system. During the hiring process, I was asked to sign up for a Square account with a personal email address and my own password. This is a security nightmare. Under no pretext should employees be allowed to create accounts on your organizational POS systems with a personal email address. This is ripe for data leakage and is a flaming violation of Zero Trust principles. Going even further, employees should not be permitted to use their workplace email addresses to create accounts. Unique email addresses should be created specifically for POS use. Employees should not be given access to the email inbox; they should only be given knowledge of the account on the POS system itself. Administration/management should have master control over the POS-designated email addresses; this way, all alerts and notifications are in their hands, not the employees’.
Implement On-boarding & Off-boarding Procedures: Another risk that comes with loose identity management on these systems is the prospect of employees using the applications after leaving the organization. Many of the mainstream POS vendors have mobile applications that allow transactions to be completed from a phone. If an employee knows their POS account information, they can simply download the app and log in during the off season or after they have departed from the company. You can already see how this is a problem. A disgruntled employee could wreak havoc on the systems or make fraudulent transactions. To prevent this, it is imperative that you add POS-specific steps to your organization’s on-boarding and off-boarding procedures. As soon as an employee departs from your organization, their account should be disabled. Once a replacement is brought in, the account can be re-enabled with a password change. If you run a seasonal business, all POS access should be disabled during the off-season.
Use Apple iPadOS Products: If your POS systems come in the form of an application installed on a host system, it is highly recommended to use Apple iPads as the host in question. Why is this? iPadOS will only run one application in memory at a time. As cyberattacks progress, we are seeing more instances of malware that resides in the memory of systems rather than in storage. Many operating systems process multiple applications in memory at the same time, meaning a memory-resident virus could take advantage of being run simultaneously with POS software. Using iPads is good protection against this risk.
Implement Application Whitelisting & MDM: If a device is used for POS, it should serve that purpose and only that purpose. Mobile Device Management should be implemented to lock down the system and prevent virtually all system configuration by the end user. Application whitelisting should be used to permit the POS application and nothing else. This way, the device is locked into that one app with no functionality for anything else. Things like updates and system management can be performed by the administrators of the device policies.
Update Both POS Applications and Host Systems: As with any other business resource, updates and patches are paramount. However, it is important to be careful with update schedules. There is nothing worse than opening shop and having a POS device undergo an update with a customer waiting in front of you. Turn on automatic updates for both the system and the app, but ensure that you configure the updates on a compatible schedule. Most devices and programs have some sort of “Active Hours” setting that lets you specify the regular work hours of your organization. The systems will avoid installing updates during this time and will instead install them before or after hours.
