How To Identify And Fix Your POS System’s Security Flaws

No Point Of Sale System Is 100% Secure

Credit card payment
© Depositphotos – Anatoliy Babiy
Whether you’re using a countertop terminal, a virtual terminal, or an online payment gateway to accept credit cards, your payment system is at risk of a hack. In the same way that your storefront or your home is never fully protected against burglary, your point-of-sale system will always have minor vulnerabilities that a savvy hacker can exploit. Of course, this doesn’t mean you should just give up and wait for a scammer to steal your customers’ credit card information. No matter what kinds of equipment or software you use, there are proactive steps you can take to shore up your POS system’s defenses and deter fraudsters.

The PCI Security Standards Council divides all point-of-sale systems into 14 different categories. You’ve probably never heard of these categories before, and you will never need to know them off the top of your head. But it helps to know how your system is classified by the council, because there are specific PCI recommendations for each point-of-sale environment. Below, we’ve provided a list of all 14 POS system types. If you’re shopping for a new point-of-sale system, or if you already have one, click on any POS system to see a description of that system’s security vulnerabilities and PCI recommendations. If you’re not sure which category applies to your POS system, feel free to browse through the list until you find the category that fits.

Payment System Types

  1. Dial-up payment terminal. Payments sent via phone line.
  2. Dial-up payment terminal and Internet-connected electronic cash register. Payments sent via phone line.
  3. Payment terminal connected to electronic cash register. Payments sent via Internet by electronic cash register.
  4. Encrypting payment terminal connected to electronic cash register. Payment sent via Internet by electronic cash register.
  5. Encrypting payment terminal and electronic cash register connected to Internet. Payments sent via Internet.
  6. Encrypting payment terminal and electronic cash register share non-card data (semi-integrated). Payments sent via Internet by payment terminal.
  7. Integrated payment terminal and payment middleware share card data. Payments send via Internet.
  8. Encrypting wireless payment terminal (“Pay-at-Table”) with integrated payment terminal and “middleware.” Payments sent via Internet.
  9. Payment terminal connected to electronic cash register, with additional connected equipment. Payments sent via Internet.
  10. E-commerce merchant with fully outsourced payment page. Payments sent via Internet by third-party provider.
  11. E-commerce merchant accepts payments on own payment page and manages own website. Payments sent via Internet by merchant.
  12. Encrypting secure card reader and mobile payment terminal. Payments sent via cellular network only.
  13. Encrypting secure card reader and mobile payment terminal. Payments sent via cellular network or Wi-Fi.
  14. Virtual payment terminal accessed via merchant Internet browser. Payments sent via Internet.

1. Dial-up payment terminal. Payments sent via phone line.

This system consists of a countertop credit card terminal plugged into your location’s phone line, often connected to a paper receipt printer.

This system’s vulnerabilities include hardware tampering, hardware replacement, and paper data theft. Hardware tampering typically involves a hacker attaching a small device known as a “skimmer” to your terminal in order to collect card information. Hardware replacement involves secretly swapping your terminal with another identical terminal that has malicious code installed on it. Paper data theft occurs when a scammer steals the information that the terminal prints out after each transaction or shift.

To avoid these possible breaches, you should periodically inspect your payment terminals for any tampering, deal directly with your equipment provider when having equipment switched out or serviced, and destroy all non-essential paper receipts. If possible, try not to keep any paper materials containing transaction information at your location at all.

Click to return to menu.

2. Dial-up payment terminal and Internet-connected electronic cash register. Payments sent via phone line.

This system consists of a countertop credit card terminal plugged into your location’s phone line, often connected to a paper receipt printer. It also includes an electronic cash register that connects to the Internet but does not itself transmit payment information to a bank.

This system’s vulnerabilities include hardware tampering, hardware replacement, and paper data theft. Hardware tampering typically involves a hacker attaching a small device known as a “skimmer” to your terminal in order to collect card information. Hardware replacement involves secretly swapping your terminal with another identical terminal that has malicious code installed on it. Paper data theft occurs when a scammer steals the information that the terminal prints out after each transaction or shift. The electronic cash register in this system does not transmit or store credit card information and therefore is not considered an at-risk device.

To avoid these possible breaches, you should periodically inspect your payment terminals for any tampering, deal directly with your equipment provider when having equipment switched out or serviced, and destroy all non-essential paper receipts. If possible, try not to keep any paper materials containing transaction information at your location at all.

Click to return to menu.

3. Payment terminal connected to electronic cash register. Payments sent via Internet by electronic cash register.

This system consists of a countertop credit card terminal connected to an electronic cash register, which transmits payment data to the bank via an Internet connection. It may also include a receipt printer that produces paper records of transactions.

This system’s vulnerabilities include hardware tampering, hardware replacement, internet-transmitted malware, and paper data theft. Hardware tampering typically involves a hacker attaching a small device known as a “skimmer” to your terminal in order to collect card information. Hardware replacement involves secretly swapping your terminal with another identical terminal that has malicious code installed on it. Malware can be downloaded onto the internet-connected cash register through the register’s internet browser or as a result of weak password protection on the location’s internet connection, insufficient firewall software to protect the location’s internet connection, or outdated payment processing software with known exploits. Paper data theft occurs when a scammer steals the information that the terminal prints out after each transaction or shift.

To avoid breaches through your terminals, you should periodically inspect your payment terminals for any tampering, deal directly with your equipment provider when having equipment switched out or serviced, and destroy all non-essential paper receipts. If possible, try not to keep any paper materials containing transaction information at your location at all. To avoid breaches to your internet-enabled cash register, be sure to install a firewall for your internet connection, keep your register’s POS software up to date, maintain strong passwords, switch passwords out frequently, and restrict internet browsing on any devices connected to the register.

Note: any version of this POS system that uses a magnetic stripe card reader instead of an EMV-enabled card reader is considered “higher” risk by the PCI council.

Click to return to menu.

4. Encrypting payment terminal connected to electronic cash register. Payment sent via Internet by electronic cash register.

This system consists of a countertop credit card terminal that encrypts card data at the moment the card is swiped or inserted. This terminal transmits encrypted payment data to a connected electronic cash register, which then passes the encrypted payment data to the bank via an Internet connection. It may also include a receipt printer that produces paper records of transactions.

This system’s vulnerabilities include hardware tampering, hardware replacement, and paper data theft. Hardware tampering typically involves a hacker attaching a small device known as a “skimmer” to your terminal in order to collect card information. Hardware replacement involves secretly swapping your terminal with another identical terminal that has malicious code installed on it. Paper data theft occurs when a scammer steals the information that the terminal prints out after each transaction or shift.

To avoid breaches, you should periodically inspect your payment terminals for any tampering, deal directly with your equipment provider when having equipment switched out or serviced, and destroy all non-essential paper receipts. If possible, try not to keep any paper materials containing transaction information at your location at all.

Click to return to menu.

5. Encrypting payment terminal and electronic cash register connected to Internet. Payments sent via Internet by payment terminal.

This system consists of a countertop credit card terminal that encrypts card data at the moment the card is swiped or inserted and then transmits the encrypted payment data to the bank via the internet. This system also includes an electronic cash register that connects to the internet but does not accept credit card payments. The payment terminal and cash register are independently connected to the internet, and are not connected to each other. No other third-party devices are connected to the payment system. This system may also include a receipt printer that produces paper records of transactions.

This system’s vulnerabilities include hardware tampering, hardware replacement, internet-transmitted malware, and paper data theft. Hardware tampering typically involves a hacker attaching a small device known as a “skimmer” to your terminal in order to collect card information. Hardware replacement involves secretly swapping your terminal with another identical terminal that has malicious code installed on it. Malware can be downloaded onto the Internet-connected payment terminal through the terminal’s internet browser or as a result of weak password protection on the location’s internet connection, insufficient firewall software to protect the location’s internet connection, or outdated payment processing software with known exploits. Paper data theft occurs when a scammer steals the information that the terminal prints out after each transaction or shift.

To avoid breaches through your terminals, you should periodically inspect your payment terminals for any tampering, deal directly with your equipment provider when having equipment switched out or serviced, destroy all non-essential paper receipts, be sure to install a firewall for your internet connection, keep your terminal’s POS software up to date, maintain strong passwords, switch passwords out frequently, and restrict internet browsing on the terminal or any devices connected to the terminal. If possible, try not to keep any paper materials containing transaction information at your location at all.

Click to return to menu.

6. Encrypting payment terminal and electronic cash register share non-card data (semi-integrated). Payments sent via Internet by payment terminal.


This system consists of a countertop credit card terminal that encrypts card data at the moment the card is swiped or inserted and then transmits the encrypted payment data to the bank via the internet. This system also includes an electronic cash register that connects to the internet but does not accept credit card payments. The payment terminal and cash register are connected to each other but do not transmit any payment card data between themselves. No other third-party devices are connected to the payment system. This system may also include a receipt printer that produces paper records of transactions.

This system’s vulnerabilities include hardware tampering, hardware replacement, internet-transmitted malware, card data incorrectly transmitted between the two devices, and paper data theft. Hardware tampering typically involves a hacker attaching a small device known as a “skimmer” to your terminal in order to collect card information. Hardware replacement involves secretly swapping your terminal with another identical terminal that has malicious code installed on it. Malware can be downloaded onto the Internet-connected payment terminal through the terminal’s internet browser or as a result of weak password protection on the location’s internet connection, insufficient firewall software to protect the location’s internet connection, or outdated payment processing software with known exploits. Card data can be incorrectly passed between the two devices as the result of improper integration or installation. Paper data theft occurs when a scammer steals the information that the terminal prints out after each transaction or shift.

To avoid breaches through your internet-connected terminals, you should periodically inspect your payment terminals for any tampering, deal directly with your equipment provider when having equipment switched out or serviced, destroy all non-essential paper receipts, be sure to install a firewall for your internet connection, keep your terminal’s POS software up to date, maintain strong passwords, switch passwords out frequently, ensure that sensitive data is not being transmitted between your terminal and cash register, and restrict internet browsing on the terminal or any devices connected to the terminal. If possible, try not to keep any paper materials containing transaction information at your location at all.

Click to return to menu.

7. Integrated payment terminal and payment middleware share card data. Payments send via Internet.

This system consists of a single combined payment terminal and electronic cash register that sends payment data to the bank via an internet connection. Staff members can swipe magnetic stripe cards through a card reader, but there is no EMV reader or separate PIN entry device. The integrated terminal runs payment processing software that is used to process each transaction. No other third-party devices are connected to the payment system.

This system’s vulnerabilities include hardware tampering, hardware replacement, internet-transmitted malware, and remote access vulnerabilities. Hardware tampering typically involves a hacker attaching a small device known as a “skimmer” to your terminal in order to collect card information. Hardware replacement involves secretly swapping your terminal with another identical terminal that has malicious code installed on it. Malware can be downloaded onto the Internet-connected payment terminal through the terminal’s internet browser or as a result of weak password protection on the location’s internet connection, insufficient firewall software to protect the location’s internet connection, or outdated payment processing software with known exploits. “Remote access” refers to the ability for your merchant services provider to connect to your device via the internet from an off-site location in order to provide customer support. Hackers can exploit poorly configured or unmonitored remote access connections.

To avoid breaches through your internet-connected terminals, you should periodically inspect your payment terminals for any tampering, deal directly with your equipment provider when having equipment switched out or serviced, be sure to install a firewall for your internet connection, keep your terminal’s POS software up to date, maintain strong passwords, switch passwords out frequently, ensure that sensitive data is not being transmitted between your terminal and cash register, restrict internet browsing on the terminal or any devices connected to the terminal, and only use remote access with caution and as a last resort.

Note: this system is considered “higher” risk by the PCI council.

Click to return to menu.

8. Encrypting wireless payment terminal (“Pay-at-Table”) with integrated payment terminal and “middleware.” Payments sent via Internet.

Common at restaurants, this system consists of a single combined payment terminal and electronic cash register that sends payment data to the bank via an internet connection, but the integrated payment terminal’s magnetic card reader in this case has been disabled. Instead, card payments are accepted “at the table” via a wireless credit card processing terminal with a built-in magnetic stripe or EMV chip reader. The integrated payment terminal runs also payment processing software that is used to process each transaction. No other third-party devices are connected to the payment system.

This system’s vulnerabilities include hardware tampering, hardware replacement, internet-transmitted malware, and remote access vulnerabilities. Hardware tampering typically involves a hacker attaching a small device known as a “skimmer” to your terminal in order to collect card information. Hardware replacement involves secretly swapping your terminal with another identical terminal that has malicious code installed on it. Malware can be downloaded onto the Internet-connected payment terminal through the terminal’s internet browser or as a result of weak password protection on the location’s internet connection, insufficient firewall software to protect the location’s internet connection, or outdated payment processing software with known exploits. “Remote access” refers to the ability for your merchant services provider to connect to your device via the internet from an off-site location in order to provide customer support. Hackers can exploit poorly configured or unmonitored remote access connections.

To avoid breaches through your internet-connected terminals, you should periodically inspect your payment terminals for any tampering, deal directly with your equipment provider when having equipment switched out or serviced, be sure to install a firewall for your internet connection, keep your terminal’s POS software up to date, maintain strong passwords, switch passwords out frequently, ensure that sensitive data is not being transmitted between your terminal and cash register, restrict internet browsing on the terminal or any devices connected to the terminal, and only use remote access with caution and as a last resort.

Click to return to menu.

9. Payment terminal connected to electronic cash register, with additional connected equipment. Payments sent via Internet.

This system consists of a payment terminal that transmits card data to banks via the internet and also connects to an electronic cash register. The system also contains any number of additional electronic devices connected to the same local network, such as desktop computers, cameras, and IP phones. These devices may or may not connect to the actual POS equipment, but they definitely share an internet connection with it running through the same router and firewall.

This system’s vulnerabilities include hardware tampering, hardware replacement, internet-transmitted malware, remote access vulnerabilities, and unsecured devices connected to the network. Hardware tampering typically involves a hacker attaching a small device known as a “skimmer” to your terminal in order to collect card information. Hardware replacement involves secretly swapping your terminal with another identical terminal that has malicious code installed on it. Malware can be downloaded onto the Internet-connected payment terminal through the terminal’s internet browser or as a result of weak password protection on the location’s internet connection, insufficient firewall software to protect the location’s internet connection, or outdated payment processing software with known exploits. “Remote access” refers to the ability for your merchant services provider to connect to your device via the internet from an off-site location in order to provide customer support. Hackers can exploit poorly configured or unmonitored remote access connections. Unsecured devices connected to the network (including the router itself) provide another way for hackers to access the payment environment.

To avoid breaches through this system, you should periodically inspect your payment terminals for any tampering, deal directly with your equipment provider when having equipment switched out or serviced, be sure to install a firewall for your internet connection, keep your terminal’s POS software up to date, maintain strong passwords, switch passwords out frequently, ensure that sensitive data is not being transmitted between your terminal and cash register, restrict internet browsing on the terminal or any devices connected to the terminal, secure all third-party electronic devices connected to the network, and only use remote access with caution and as a last resort.

Note: this system is considered “higher” risk by the PCI council.

Click to return to menu.

10. E-commerce merchant with fully outsourced payment page. Payments sent via Internet by third-party provider.

This e-commerce payment environment consists of a business website that advertises products but does not process payments. After selecting the items they wish to purchase, customers are sent to an off-site page exclusively hosted by a third party payment processor. The checkout process is completely outsourced and the merchant has no access to card data.

This system’s vulnerabilities include the hacking of the merchant’s website and the hacking of the third-party processor’s systems. Your website can be hacked if it maintains poor password protection or if you download malware that allows hackers to infiltrate your computer. Hackers can then track visitors to your website and record their payment information as they enter it. A third-party payment processor’s systems can be hacked via similar means.

To avoid any breaches to this system, be sure to maintain strong passwords, switch passwords frequently, keep your computer’s software updated, browse the internet with caution on your work computer, run anti-virus software on your computer, and install security patches when they are available from your processor. The hacking of your third-party payment processor’s systems is largely out of your control.

Click to return to menu.

11. E-commerce merchant accepts payments on own payment page and manages own website. Payments sent via Internet by merchant.

This e-commerce payment environment consists of a business website that advertises products and processes payments from customers. The merchant controls both the online storefront and at least some elements of the payment page. The payment page may be hosted by the merchant or by the merchant’s processor, but it isn’t fully managed by the third-party processor. This means that customers will enter their payment information into a page that is controlled by the merchant or hosted on the merchant’s website.

This system’s vulnerabilities include the hacking of the merchant’s website and the hacking of the third-party processor’s systems. It is more vulnerable than completely outsourcing the payment process to a third-party processor because any device or piece of software on your system creates an access point for hackers to steal data. Your website can be hacked if it maintains poor password protection or if you download malware that allows hackers to infiltrate your computer. Another common method for hacking merchant websites is called SQL injection. Once a website is compromised, hackers can track its visitors and record their payment information as they enter it. A third-party payment processor’s systems can be hacked via similar means.

To avoid breaches to this system, be sure to maintain strong passwords, switch passwords frequently, keep your computer’s software updated, browse the internet with caution on your work computer, run anti-virus software on your computer, avoid storing payment information on your system, limit remote access, and install security patches when they are available from your processor. The hacking of your third-party payment processor’s systems is largely out of your control.

Note: this system is considered “higher” risk by the PCI council.

Click to return to menu.

12. Encrypting secure card reader and mobile payment terminal. Payments sent via cellular network only.

Most common among merchants selling at non-fixed locations, this mobile payment system consists of a mobile device and connected credit card reader that exclusively transmits payment data to the bank via a cellular data connection. This system does not transmit payment data via Wi-Fi. The card readers in this system encrypt the card information before it enters the mobile device, meaning that the device does not store or transmit raw credit card data. Additionally, the merchant does not have the ability to manually enter credit card data. There may also be a PIN entry device that connects wirelessly or directly to the mobile device.

This system’s vulnerabilities include the hacking of the mobile device, the downloading of malicious apps to the device, and hardware tampering. Your mobile device can be hacked if you download malware using the device’s browser or if a hacker physically installs malware onto the device. Once installed, this malware enables the hacker to steal card or PIN data that is entered by any method other than the encrypted readers. Malicious apps may be downloaded to the device through the app store, after which they would grant hackers access to any unencrypted payment data. Hardware tampering occurs when a scammer modifies or switches out your existing hardware in order to install a “skimmer” on the device that will collect and relay card data to the scammer.

To avoid breaches to this system be sure to periodically inspect your card readers and mobile devices for signs of tampering, use PCI-approved PIN entry devices and card readers, only enter card information using card readers with built-in encryption, use strong password protection on your device, be highly selective about which apps you install on the device, install security patches whenever they’re available, and run anti-virus software on your device.

Click to return to menu.

13. Encrypting secure card reader and mobile payment terminal. Payments sent via cellular network or Wi-Fi.

This mobile payment system consists of a mobile device and connected credit card reader that transmits payment data to the bank via either a cellular data network or a Wi-Fi internet connection. The card readers in this system encrypt the card information before it enters the mobile device, meaning that the device does not store or transmit raw credit card data. Additionally, the merchant may or may not have the ability to manually enter credit card data. There may also be a PIN entry device that connects wirelessly or directly to the mobile device.

This system’s vulnerabilities include the hacking of the mobile device, the downloading of malicious apps to the device, hardware tampering, and an unsecured internet connection. Your mobile device can be hacked if you download malware using the device’s browser or if a hacker physically installs malware onto the device. Once installed, this malware enables the hacker to steal card or PIN data that is entered by any method other than the encrypted readers. Malicious apps may be downloaded to the device through the app store, after which they would grant hackers access to any unencrypted payment data. Hardware tampering occurs when a scammer modifies or switches out your existing hardware in order to install a “skimmer” on the device that will collect and relay card data to the scammer. An unsecured, public internet connection with no firewall or password protection can enable a hacker to gain access to any device using that connection.

To avoid breaches to this system be sure to periodically inspect your card readers and mobile devices for signs of tampering, use PCI-approved PIN entry devices and card readers, only enter card information using card readers with built-in encryption, use strong password protection on your device, be highly selective about which apps you install on the device, install security patches whenever they’re available, run anti-virus software on your device, and enable password protection and a firewall on the Wi-Fi connection you use.

Click to return to menu.

14. Virtual payment terminal accessed via merchant Internet browser. Payments sent via Internet.

This payment system consists of a virtual terminal running on a merchant’s PC or mobile device. A virtual terminal is a piece of software or a website that securely imitates a conventional credit card terminal, enabling a merchant to manually enter credit card data and transmit it to the bank via the internet. The PCI council does not believe that this system should include an attached card swiper or EMV reader, but some virtual terminals do support connected card readers.

This system’s vulnerabilities include internet-transmitted malware and an unsecured internet connection. Malware can be downloaded onto your PC or mobile device through the device’s internet browser or as a result of weak password protection on your location’s internet connection, insufficient firewall software to protect the location’s internet connection, or outdated payment processing software with known exploits. If your Wi-Fi connection is not secured with a password and a firewall, a hacker could access your virtual terminal through that network.

To avoid breaches to this system, be sure to use strong passwords, change passwords frequently, run anti-virus software on your computer, exercise caution when browsing the internet on your computer, keep your computer’s software updated, and secure your Wi-Fi connection with a firewall and password protection.

Click to return to menu.

 

Every Payment Environment Is Different

Whether or not your payment processing system falls neatly into one of these 14 categories, the challenges of securing your business environment will be specific to your location, your technology, your employees, and your industry. These guidelines are merely intended to give you a starting point for understanding your potential exposure to hackers. Always be sure to voice any security concerns you may have to your merchant account provider, as it is in their interest to prevent a breach to your system as well.

Source consulted: https://www.pcisecuritystandards.org/pdfs/Small_Merchant_Common_Payment_Systems.pdf.

Thank you for reading my review. I hope that it has helped you with your research.

Why I'm Qualified to Write About Credit Card Processing

I'm a former credit card processing sales director who left the industry to start my own a small business. From the time that I starting working in the merchant services industry to when I left to write about it, I've been on the pulse of payments for nearly 15 years. It didn't seem fair to keep this insider knowledge to myself, so built this website to help small business owners research which service providers to use and how to save money on rates and fees. I've reviewed hundreds of companies, read thousands of user reviews, and learned the pricing tricks of every provider. If you have questions about credit card processing, you can find the answers here. I can help you save money with your current merchant account or help you find a new one. Message me here to get started.

Get started right away! I've help businesses save $1,156,834 this year alone! Submit a recent statement and I'll take a look at it for free.

Submit a Statement

  • Accepted file types: jpg, png, pdf, xls, xlsx.

No Reviews Yet Leave Your Review Below

Leave a Review

Your email address will not be published. Required fields are marked *

Please do not use profanity or ALL CAPITAL LETTERS in your review. Reviews must provide a detailed account of your experience. By submitting a review or comment to CPO, you are agreeing to our Comment Policy.