Insecure retail systems could put customers at risk

Von Paul Brislen

While retail outlets are gearing up for the introduction of a new credit card security standard they may not have considered the point of sale technology they already use and may find they have bigger problems.

Credit card firms are rolling out new smart cards using the EMV standard adopted world wide. However, point of sale software specialist Advance Retail warns that many retailers are forgetting about the rest of their systems.

"Some companies still use separate Eftpos and POS systems. While they"re upgrading their Eftpos terminals to cope, what about the rest?" asks sales and marketing director Mark McGeachen.

McGeachen points to companies, such as franchisee petrol stations, that still use relatively old systems and need to swipe customers" cards twice.

"They do it once for the sale and once for the POS system and they need to balance the two at the end of each day. That"s inefficient but it"s also potentially a security issue." McGeachen says these older POS systems are often not secured physically, don"t have up-to-date encryption capabilities and are often used to store captured data for years at a time.

"They have a requirement to store that data but nobody"s telling them about long-term archiving or secure storage. All anybody"s saying is "get ready for EMV and you"ll be fine". That"s just not enough."

Personal data thefts seem to have reached fever pitch with millions of records being exposed to the internet or actively stolen all around the world. Regardless of whether this is a new activity or whether companies have always been this lax but have only recently begun reporting the losses, McGeachen says it"s a huge wake-up call to the industry.

"The banks won"t take kindly to a company that loses customer data from an unsecured server. The retailer will find they"re more than likely held liable should something go missing, particularly if fraud occurs as a consequence."

Microsoft security program manager Jesper Johansson agrees. Johansson, who will be speaking at this year"s TechEd conference in August, agrees, saying security is often treated as something of an after thought when in fact it should be integrated into the system from the onset. Johansson says security systems are rarely designed with real people in mind and that retail systems are potentially a major security risk.

"Look at these new credit cards that come to you with your signature embossed on them. That"s not helping you, the consumer, that"s trying to give you a false sense of security on the cheap." Johansson says photo ID embossed onto the card is a good idea but that nine times out of ten it"s not the end user who is at fault with data theft but the back-end system itself.

Controversially, Johansson has been telling companies that staff should be allowed to write down passwords.

"Yeah, that"s got me quite some fame at the moment." Johansson says that simply encourages weak passwords and the threat is not from someone finding the piece of paper and using it but from an external source hacking into the system.