POS Security

Information Security

Ensuring the security of your data is a critical part of managing your point-of-sale system. Your system contains proprietary business information such as sales history, purchasing decisions, and future promotions. But more importantly, it also holds the key to your customers’ buying history, personal information, and even credit card numbers. Your continued success depends on your ability to appropriately secure this information.

At a time when many vendors are passing the buck, Tulsa Cash Register wants to be your partner. We have invested heavily in technologies that are proven to increase the security of your systems.

Contact us at security@tulsacash.com today to find out what we can do to help protect your systems and what our competitors don’t want you to know.

The Nature of Security

Nobody likes security. It’s an expense that we wouldn’t pay if we didn’t have to. We don’t carry keys to our homes and our cars because it feels good in our pockets. You don’t install an alarm system because it adds to the attraction of your home. Security is like insurance, something we pay for to minimize the cost of bad things happening. You hope a tornado never hits your home, but you prepare for it just in case. It’s irresponsible not to.

Your computer systems need to be protected in the same way you protect other investments, but threats to your information differ considerably from the threats posed by nature. The forces of nature are not malevolent or greedy. They do not seek us out or target specific individuals. Unlike those natural forces, our attackers are intelligent and adaptable; they are creative and persistent.

Ultimately, security is not an event or a product. There is nothing you can purchase and nothing you can do that will make you permanently secure. Instead, security has to be a lifestyle. You lock your home every day without thinking about it. You look both ways before crossing a street. When someone makes you an incredible offer, you ask questions. Those are just simple examples of alterations to your daily life made for the sake of security. Prior to owning a home you never cared about termites, but once that title was in your name you understood the associated risk.

Owning a point-of-sale system inherently comes with risk. The key to success is to understand those risks and make appropriate adjustments to minimize them.

PCI: Payment Card Industry - Data Security Standard

In 2004 the major payment card brands (VISA, MasterCard, American Express, Discover, and JCB) consolidated their efforts towards information security and released the Payment Card Industry Data Security Standard, commonly called PCI. The PCI DSS is a comprehensive standard composed of 12 primary requirements broken into 212 specific sub-requirements. Any merchant who accepts credit cards is contractually obligated to meet every specification of the standard. Reaching compliance is a considerable task for large merchants, but it is no less demanding for very small merchants. Unfortunately, there are no reductions in the requirements for smaller merchants, though there is a considerable break in the requirements for validating compliance to the payment processor.

Our promise to you is that we will do everything in our power to set up your system in such a way that it can be adequately protected, and that we will endeavor to educate you on the security of your system. Additionally, we will NOT sell you a system, or upgrade any existing system, which cannot meet the most basic PCI guidelines.

Maintaining a secure system and being PCI compliant are jobs that ultimately only you can do. However, there are several components of PCI that we believe are absolutely necessary to even have a chance. We require that every new install or upgrade have the following:

  1. An Approved Payment Application: The organizing body in charge of PCI maintains a list of payment applications which have been certified as being properly developed. While these applications are not fool-proof, they are believed to be secure if set up correctly.
  2. A Commercial-grade Router/Firewall: Low-end home-use routers are very cheap, but they do not have the functionality necessary to adequately protect a business network. In addition to a commercial firewall with stateful packet inspection and configurable access rules, we strongly recommend devices that contain built-in anti-virus and intrusion prevention systems (IPS).
  3. End-point Anti-virus: While many modern attacks can evade anti-virus, this is one of the easiest ways to thwart low-hanging vulnerabilities. We require that, at a minimum, the point-of-sale server have AV installed with an active subscription. Ideally, every system on the network should have AV installed.
  4. Segmented Networks: In cases where the point-of-sale system is to share a network with other devices, we insist that the network be appropriately segmented to deny all traffic between them. In many cases, this means that a manager’s PC is segmented off so that, if compromised, it cannot attack the POS network. Wireless networks and camera systems are other examples of devices that must be segmented from the POS network.
  5. Two-Factor Remote Access: When remote access is necessary, we require that the system use an application that requires two factors of authentication to connect. This means that in addition to a password, you’ll have to have a key fob or a smartphone with you to gain access. This ensures that an attacker who steals your password still can’t access your systems.
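The firewall and segmentation requirements above (items 2 and 4) can be illustrated with a concrete ruleset. The following nftables configuration is an added example for this page, not Tulsa Cash Register's own configuration or a ruleset from any vendor named here. It assumes a Linux-based router with one interface per segment; the interface names, the private subnets, and the payment processor address 203.0.113.10 are placeholders you would replace with your own values. The point it demonstrates is the default-deny policy between segments: the manager's PC, guest Wi-Fi, and cameras can never initiate a connection into the POS segment, and the POS segment can only reach the payment processor.

```nft
#!/usr/sbin/nft -f
# Added example (not the page's or vendor's configuration).
# Assumed interface layout on the router; adjust to match your hardware:
define POS_IF     = "eth1"   # 192.168.10.0/24  POS terminals and POS server
define OFFICE_IF  = "eth2"   # 192.168.20.0/24  manager's PC, back-office printers
define GUEST_IF   = "eth3"   # 192.168.30.0/24  guest Wi-Fi and camera system
define WAN_IF     = "eth0"   # uplink to the Internet
define LAN_IFS    = { "eth2", "eth3" }
define PAYMENT_GW = 203.0.113.10   # placeholder: your payment processor's gateway

flush ruleset

table inet segmentation {
    chain forward {
        # Default deny: traffic between segments is dropped unless a rule
        # below explicitly allows it (PCI-style "deny all, permit by exception").
        type filter hook forward priority 0; policy drop;

        # Stateful packet inspection: only replies to connections that a
        # rule below permitted are allowed back, and malformed state is dropped.
        ct state established,related accept
        ct state invalid drop

        # The POS segment may initiate exactly one kind of outbound flow:
        # TLS to the payment processor. Nothing else leaves it, and nothing
        # from the office or guest segments is ever allowed into it.
        iifname $POS_IF oifname $WAN_IF ip daddr $PAYMENT_GW tcp dport 443 accept

        # Office and guest segments get ordinary Internet access but, because
        # of the policy above, cannot talk to each other or to the POS segment.
        iifname $LAN_IFS oifname $WAN_IF accept

        # Everything else (office -> POS, guest -> POS, POS -> office, ...)
        # is logged before being dropped so attempts show up in your syslog/IPS review.
        log prefix "seg-drop: " counter drop
    }
}
```

Load it with `nft -f <file>` on the router and then verify from the manager's PC that a connection attempt to a POS address times out and produces a `seg-drop:` entry in the router's log; a segmentation rule that is never tested is not evidence of compliance. If your POS software needs additional flows (a remote-support tool, Windows Update, a printer), add them as individual `accept` lines above the final `drop` rather than loosening the policy.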

Managed Security Services

We want to help you protect your investment. We have developed several services designed around proven technologies with a goal of taking the hard work away from you. See our Managed Services page for more details on how we can assist, or contact one of our Sales Associates today!

Staff

Tulsa Cash Register is the only POS dealer in the state to employ a highly-trained security professional tasked with both improving our systems and assisting our customers. This further demonstrates our commitment to the security of our customers and their data.

Nathan Sweaney holds GIAC certifications in Network Penetration Testing (GPEN), Web Application Penetration Testing (GWAPT), and Assessing Wireless Networks (GAWN) and scored in the top 10% on each certification.

Useful Links

Payment Card Industry Security Standards
https://www.pcisecuritystandards.org/security_standards/index.php

RSPA: Project PCI
http://www.gorspa.org/i4a/pages/index.cfm?pageid=3329

VISA Cardholder Information Security Program:
http://usa.visa.com/merchants/risk_management/cisp_merchants.html

Mercury Payment Systems PCI Partner Program
http://go.mercurypay.com/pcipartner/home.htm

Micros Security Information & Best Practices
http://www.micros.com/ServicesAndSupport/InformationSecurity/