Risk in Context

Five Ways Retailers and Restaurants Can Defend Against Point-of-Sale Cyber Attacks

Posted by Mac Nadel December 07, 2015

Malware. Spear phishing. SQL injection attacks. A few years ago, these terms may have sounded foreign to you. But today, as a retailer or restaurateur, you’re probably well-versed in these common entry points for cyber attacks on your point-of-sale (POS) systems.

In fact, most of the high-profile retail data breach losses, which have cost up to $160 million for a single loss, are related in some way to POS systems.

POS technology has changed over the years, from keeping inventory to providing alerts and specialized customer checkouts. But along with those advances come new malware families that target POS systems to steal payment card data and gain access to other corporate systems.

Here are five POS considerations every retailer and restaurant owner should be aware of:

  1. Move to end-to-end encryption (E2EE). If you haven’t already made the switch to E2EE, you are more vulnerable to cyber attacks. E2EE encrypts card data at the point of capture so that only the intended recipient can decrypt it.
  2. Use a reliable tokenization service provider. If you outsource your payment processing to a service provider that offers a "tokenization option," make sure it has considerable experience protecting cardholder data. Tokenization is harder for attackers to exploit because the stored token retains only a few actual digits from the payment card, with the rest replaced by other alphanumeric characters.
  3. Be EMV compliant. The deadline (October 1, 2015) has passed to install the hardware and software needed to support the new anti-fraud payment card technology in your stores, known as being EMV (Europay, MasterCard, Visa) compliant. If you are not EMV compliant, you, not the card issuer, will bear the liability for fraudulent payment transactions. The new system should also deliver a higher level of protection than the old magnetic stripe cards.
  4. Expect a shift to online fraud. Growth in “card not present” fraud and rogue online transactions is expected as countries increasingly migrate to EMV payment technology.
  5. Test systems, maintain security on all data, and implement regular staff training on accessing POS systems. It’s important to monitor data security regularly and to train the staff members who work with your data.
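
Added example (not from the post or from Marsh): a hypothetical in-memory tokenization vault in Python that performs the substitution the second item describes, keeping the card's last four digits and replacing the rest with random alphanumeric characters, so that a merchant's records hold only tokens that the vault alone can map back to the card number. The names TokenVault and luhn_valid are assumptions for illustration.

```python
import secrets
import string

# Characters used for the non-card part of a token (constructed choice).
ALPHABET = string.ascii_uppercase + string.digits


def luhn_valid(pan: str) -> bool:
    """Basic sanity check that a digit string is a plausible card number (Luhn)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical tokenization vault, i.e. the service provider's side.

    The merchant only ever stores the token; the PAN lives solely in the vault,
    so a dump of the merchant's database yields nothing a fraudster can charge.
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 12 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        if pan in self._token_by_pan:          # same card always maps to same token
            return self._token_by_pan[pan]
        while True:
            # Keep only the last four real digits; the rest is random and
            # carries no information about the card.
            body = "".join(secrets.choice(ALPHABET) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject the (vanishingly rare) all-digit token so it can never be
            # mistaken for a real card number, and avoid collisions.
            if not token.isdigit() and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can recover the PAN; unknown tokens raise KeyError."""
        return self._pan_by_token[token]
```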

POS systems aren’t the only cyber exposure you face, of course. Because of high staff turnover and employees’ potential access to passwords and data, employees themselves can be the catalyst for a breach. Similarly, retail chains that offer online pharmacies or in-store pharmacy facilities can be targeted for the health care and other personal data they house.

But being aware of your cyber-related exposures is the first step toward managing the risk.

Mac Nadel

Mac Nadel is the Retail/Wholesale, Food & Beverage Industry Practice Leader (IPL) for the United States. Mac has been in various leadership roles within the Retail/Wholesale, Food & Beverage Industry Practice of Marsh for the past twelve years, and has been the National IPL since October 2009.