By: Tonic POS
The cyber threat landscape is constantly changing, and those of us in the tech industry experience these changes first-hand as we innovate and navigate the complexities of data security. For resellers managing POS systems, understanding and implementing top-tier security measures is essential to protecting merchants from devastating cyberattacks. With scammers, hackers, and breaches becoming more sophisticated, it’s crucial that businesses take a proactive approach to security. Let’s explore actionable steps merchants and VARs can take to bolster their defenses against both technological vulnerabilities and complex social engineering tactics, including emerging AI-driven scams.
The Target Breach: A Case Study in Network Vulnerabilities
In 2013, Target Corporation experienced a massive data breach that compromised the personal and credit card information of over 70 million customers. Cybercriminals infiltrated Target’s network through a third-party HVAC vendor, exploiting weak network security. They compromised the vendor’s system using phishing emails, then used the stolen credentials to gain access to Target’s network. Once inside, they deployed malware to extract customer data from Target’s point-of-sale systems. Target estimated the breach had cost the company $162 million in expenses after insurance reimbursement. This incident highlights the critical importance of securing all access points within a network, especially those connected to POS systems. A single weak link in network security could mean the difference between business as usual and an expensive disaster.
It’s important to note, however, that modern POS systems have evolved significantly since 2013. Most are now considered “out-of-scope,” meaning they no longer pass credit card data through the system. Instead, they communicate directly with encrypted payment terminals that handle sensitive information. This added layer of protection came in 2015 when EMV was introduced to reduce the risk of breaches through a POS system.
Modern Cyber Threats
The image of a lone hacker breaking into a system is outdated. The real danger today is social engineering. Phishing emails and calls have become increasingly advanced, often impersonating trusted entities to deceive individuals into revealing sensitive information. More alarming, advancements in artificial intelligence have enabled the creation of deepfake audio and video, allowing scammers to clone voices with minimal audio samples.
Best Practices for Merchants and VARs
To mitigate these evolving threats, merchants and VARs should implement comprehensive security strategies:
- Adhere to PCI DSS Requirements: The Payment Card Industry Data Security Standard (PCI DSS) contains 12 key requirements designed to safeguard cardholder data. These requirements include maintaining firewalls, encrypting data transmissions, and regularly updating anti-virus software. To become compliant and start business operations quickly, merchants often rush through their PCI DSS questionnaire. However, this can be a costly error. In the event of a data breach, an investigation will be launched, and the merchant will be held accountable for all the requirements they attested to in the questionnaire.
- Implement Multi-Factor Authentication (MFA): Requiring multiple forms of verification can significantly reduce the risk of unauthorized access, even if credentials are compromised.
- Conduct Regular Security Training: Educate employees about recognizing phishing attempts, the dangers of social engineering, and the latest scam tactics.
- Establish Incident Response Plans: Develop and regularly update plans to respond to data breaches or security incidents. A key resource for mitigating losses is www.ic3.gov, a federal fusion center for internet crime complaints. Reporting fraud to IC3 within 24 hours increases the chance of fund recovery by 88%.
- Monitor and Test Networks: Regularly monitor network activity for unusual patterns and conduct penetration testing to identify and address vulnerabilities.
Proactive Security Equals Business Success
By learning from past incidents like the Target breach and staying informed about emerging threats such as AI-driven scams, businesses can implement robust security measures to protect their data and maintain customer trust.
In an era where scams are becoming more advanced, staying informed is the best defense. How prepared is your business?