28 Feb, 2017
From a personal perspective, cyber-crime is and will continue to be a threat, and diligence is required to protect our personal information in all sorts of situations, both online and offline. Businesses must be even more cautious, because electronic systems such as POS systems collect information about our customers, their spending habits, and sales history.
Have you been hit with an attempted cyber hack into your system?
The answer is more than likely YES, and usually on more than one occasion. Chances are you were not aware of what occurred or when. How do I know? I have been there, and that uncertainty is scary.
What are cyber-criminals looking for?
They are not looking for your customers’ names and addresses, and they are not looking for spending habits or sales history; the cyber-criminal is after something far more valuable. They want credit card details and skimming opportunities, and that is the reason they attack POS systems.
For many years, H&L’s clients have asked us why they are not able to swipe a credit card through the magnetic stripe reader on the POS terminal. That reader has always been reserved for loyalty cards.
In Australia we are protected by banks that insist on Payment Card Industry (PCI) compliance. In simple terms the retention of credit card information on your POS, including a credit card number, is non-compliant.
So what is PCI compliance?
The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of security standards that outline the requirements for Australian businesses in managing the security of card data. This covers procedures, policies, networks, software design, architecture, and other protective security measures.
H&L has been quite vocal about the risks of payWave cards being kept and stored behind the bar as security for open bar tabs; this practice could give your venue staff an opportunity to access credit card details.
The following simple rules should apply.
- The POS system must not store credit card or customer details on any of your POS servers.
- The POS system must not store or record trading information relating to your customers.
- The POS system should not record any consumer loyalty data from your customers on your POS servers.
- The POS system must follow the PCI DSS compliance standard; this means that no credit card details are used or recorded within your POS systems.
- The customer’s credit card should not leave the customer’s view, and should not be stored in an insecure location.
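A check a venue can run against these rules, as an added example that is not H&L’s code: it scans constructed sample POS records for stored full card numbers (13 to 19 digits that pass the Luhn check), so a loyalty number of similar length is not flagged. The `SAMPLE_RECORDS` data and its field names are assumptions.

```python
import re

# Constructed sample POS records (not real data). One holds a full card number
# written with spaces, one holds only a masked number, one holds a loyalty
# member number that happens to be 16 digits long but is not a card number.
SAMPLE_RECORDS = [
    {"id": 101, "table": "open_tabs", "note": "tab held on 4111 1111 1111 1111 exp 12/24"},
    {"id": 102, "table": "open_tabs", "note": "tab held on ****1111"},
    {"id": 103, "table": "loyalty",   "note": "member 1234567890123456"},
]

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run.
DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return candidate card numbers (13-19 digits, Luhn-valid) found in text."""
    hits = []
    for m in DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits

def scan_records(records) -> list:
    """Scan each record's text fields and report where a full card number is stored."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            if isinstance(value, str):
                for pan in find_pans(value):
                    masked = "*" * (len(pan) - 4) + pan[-4:]   # never log the full number
                    findings.append({"id": rec["id"], "table": rec["table"],
                                     "field": field, "masked": masked})
    return findings

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"record {f['id']} in {f['table']}.{f['field']} stores a full card number ({f['masked']})")
```

Only record 101 is reported; the masked entry and the loyalty number are left alone.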
In other countries and jurisdictions the POS system may have communicated directly with financial institutions, and therefore in many cases retained critical data. This has never been the case in Australia with our POS systems, but the risk can still exist whenever a card leaves the customer’s control.
To reduce your customers’ risk, consider pre-authorisation, mobile bar tab applications on smartphones, or an efficient mobile payment system that does not lock up and limit POS operation.