The security of customer data, especially payment information, is a primary concern for retailers and restaurateurs. A January 2017 report by the Identity Theft Resource Center and CyberScout indicated that the number of data breaches in the U.S. reached a record high in 2016, with a 40% increase over 2015. The business sector accounted for 45.2% of the overall total, well ahead of the other sectors tracked (healthcare/medical, education, government/military, and banking/credit/financial). Companies hit so far this year include Kmart and Chipotle, both of which had customers’ sensitive financial information, such as credit card numbers, stolen by hackers.
Failure to protect customers’ payment data can have disastrous consequences for the merchant as well as customers. Credit card companies can issue fines based on the extent of the breach and the number of compromised records and can hold merchants responsible for any fraudulent charges that result from the breach. Perhaps even more damaging than this financial loss is the loss of the merchant’s reputation. If consumers can’t trust a company to keep their personal data secure, they’ll take their business elsewhere.
There are solutions that can help companies prevent data breaches and make themselves less vulnerable to attacks. An out-of-scope (OOS) payment interface, an embedded operating system, and encryption are good ways to provide extra layers of data protection.
What is OOS?
An OOS payment interface is one in which cardholder data never comes into contact with the point of sale (POS) system. In the OOS model, the POS sends a transaction total to the card-reading device, which communicates directly with the card processor and sends only the authorization information back to the POS.
How Does OOS Protect Against Data Breaches?
When a POS system receives or stores payment information during transactions, it’s a more tempting target for hackers. An OOS solution removes the POS from the cardholder data flow. The most sensitive information, such as account numbers and internal verification codes, never enters the POS. Hackers can’t steal what isn’t there.
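To make the difference in data flow concrete, here is an added example (not code from the article or from any vendor) that simulates a conventional in-scope flow beside the OOS flow described above and then audits what the POS ended up holding. The processor, card reader, auth code and the 4111… test card number are all constructed stand-ins; the Luhn check is the standard card-number checksum.

```python
import re

# Digit runs of card-number length; a Luhn check filters out amounts, timestamps, etc.
PAN_RE = re.compile(r"\b\d{13,19}\b")
TEST_PAN = "4111111111111111"  # constructed Luhn-valid test number, not a real card


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return every card-number-shaped, Luhn-valid value in a blob of POS data."""
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]


def processor_authorize(pan: str, amount_cents: int) -> dict:
    # Stand-in for the card processor: returns only what the merchant needs.
    return {"auth_code": "A1B2C3", "masked_pan": "*" * 12 + pan[-4:], "amount": amount_cents}


def in_scope_flow(pan: str, amount_cents: int) -> dict:
    # Conventional flow: the POS reads the card itself, so the PAN lands in its record.
    pos_record = {"amount": amount_cents, "pan": pan}
    pos_record["auth_code"] = processor_authorize(pan, amount_cents)["auth_code"]
    return pos_record


def card_reader(pan: str, amount_cents: int) -> dict:
    # OOS reader: holds the PAN only long enough to talk to the processor.
    return processor_authorize(pan, amount_cents)


def oos_flow(pan: str, amount_cents: int) -> dict:
    # OOS flow: the POS hands the reader a total and stores only the authorization result.
    pos_record = {"amount": amount_cents}
    pos_record.update(card_reader(pan, amount_cents))
    return pos_record


def pos_scope_audit(pos_records: list) -> list:
    """Scan everything the POS stored; anything returned here puts the POS in scope."""
    return [pan for rec in pos_records for pan in find_pans(str(rec))]
```

Running the audit over records from both flows shows the in-scope POS holding the full card number while the OOS POS holds only the amount, the auth code and the last four digits.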
What is an Embedded Operating System?
With an embedded operating system, POS devices are dedicated exclusively to handling POS tasks — as opposed to having a general-use PC or tablet that is capable of running other programs besides the POS software, such as internet browsers and email. An embedded operating system limits employees’ activities to work-related POS functions.
How Does an Embedded Operating System Increase Data Protection?
Since POS devices with embedded operating systems are designed for specific and limited purposes, they do not have a file manager, so files cannot be uploaded or downloaded. Thieves therefore cannot extract payment information or cardholder data. And since employees will not be using the device to check e-mail or surf the internet, they cannot deliberately or accidentally click a link or fall prey to a phishing email that would download a hacker’s virus or malware onto the system. The most recent Kmart breach was caused by “a virus-like computer code undetectable by current antivirus systems.” Embedded operating systems eliminate the need for (and cost of) antivirus software and provide additional data security.
While both of these methods are necessary for protecting data within the store, encryption is necessary for protecting data traveling to and from the processor. Encryption is the process of encoding data so that only authorized parties can access it. This ensures that any data retrieved by hackers will be useless.
Data breaches pose threats to consumers ranging from cloned credit cards to identity theft. For merchants, the threats include stiff financial penalties and a tarnished reputation. OOS payment solutions and embedded operating systems offer ways to protect your bottom line by protecting your customers.