Point-of-sale software has become a must-have item for every retail business, restaurant, or cafe. Up-to-date sales solutions have gone further than just processing payments: they now structure and automate the whole cycle of your supply chain. And with custom POS development, your opportunities to create self-sufficient and powerful solutions are limitless.
At the same time, despite whatever capacities the development may offer, you should still pay attention to the basics, namely to POS security and compliance. At its core, any POS solution is designed to work with considerable volumes of sensitive data, whether it belongs to the company or its clients. Overlooking security measures and corresponding compliance may lead to severe financial and reputational losses for the organization.
GBKSOFT has completed several POS development projects. In this article, we’ve collected the main insights on point-of-sale security and described the main measures we take to ensure POS security and POS data protection.
Why Should You Pay Attention to Data Security in POS Software Development?
POS security is a valid point to consider at every stage of POS development. As payment processing and data storage software, a POS gains access to personally identifiable information (PII), such as clients' and employees' full names, payment card numbers, phone numbers, ID numbers, emails, social security numbers, etc.
Insufficient security measures may jeopardize such data. POS systems are well-known and easy targets for attackers, as this software is used by many types of merchants and always holds something of value. Traditional POS systems are vulnerable to memory-scraping malware such as Dexter, vSkimmer, Backoff, PoSeidon, or UDPoS, which infiltrates the terminal, searches process memory for sensitive data (mainly payment card and magnetic-stripe track data in the brief moment it is held unencrypted), copies it, and transfers it to the attackers' command-and-control servers.
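As an added illustration (not code from the original article and not taken from any of the malware families named above), the following Python shows what a POS RAM scraper, and equally a defender's memory or DLP scan, looks for: Track 1 and Track 2 magnetic-stripe records and bare card numbers that pass the Luhn check. The memory buffer is constructed here from well-known test card numbers; the regex patterns and the masking format are this example's own choices.

```python
import re

# Constructed sample of what a POS process's memory might contain.
# The PANs are well-known test numbers, not real cards.
SAMPLE_BUFFER = (
    b"order=1042&item=brisket&qty=2\x00\x00"
    b";4111111111111111=25121010000000000000?\x00"   # Track 2: ;PAN=YYMM SSS ...?
    b"CUSTOMER 4242424242424242 VISA\x00"             # bare PAN in a log line
    b"not-a-card 1234567812345678 ref\x00"            # 16 digits that fail Luhn
    b"%B5555555555554444^DOE/JANE^2512101?\x00"       # Track 1: %B PAN ^NAME^ YYMM SSS ...?
)

TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})(\d*)\?")
BARE_PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits, which PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_data(buf: bytes) -> list:
    """Return masked findings, one per distinct PAN offset, sorted by position."""
    findings = []
    seen_offsets = set()

    def record(kind, match):
        pan = match.group(1).decode()
        offset = match.start(1)
        if offset in seen_offsets or not luhn_ok(pan):
            return
        seen_offsets.add(offset)
        findings.append({"kind": kind, "pan": mask(pan), "offset": offset})

    # Track data carries the most value to an attacker, so check it first;
    # the bare-PAN pass then skips PANs already found inside a track record.
    for m in TRACK1_RE.finditer(buf):
        record("track1", m)
    for m in TRACK2_RE.finditer(buf):
        record("track2", m)
    for m in BARE_PAN_RE.finditer(buf):
        record("bare_pan", m)

    return sorted(findings, key=lambda f: f["offset"])


if __name__ == "__main__":
    for f in find_card_data(SAMPLE_BUFFER):
        print(f)
```

The 16-digit string that fails Luhn is dropped, which is the same filter the scrapers apply to cut noise; a defensive scan run over process dumps, crash logs or debug output uses the same rules to prove that card data never sits in the clear where it should not.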
POS security is often underplayed by POS vendors, which leads to data breach cases that regularly appear on the news. Unfortunately, cybersecurity is typically overshadowed by other development concerns, as companies tend to only take it into account when they encounter the hacks themselves.
Such an attitude is counterproductive and is bound to lead to major problems. One of the latest exemplary cases happened to Dickey's, the US barbecue restaurant chain. Through a POS-targeted attack, the intruders got access to the payment card information of 3 million of the restaurant chain's customers and later posted it online for sale. As a result, the company agreed to pay $2.35 million to settle the class-action lawsuit filed against it in the aftermath.
So, unreliable POS data protection can undermine all efforts in POS development. Even the most innovative and sought-after system won't survive exposing customers' PII, and it will lose all credibility in the eyes of current and potential customers.
Hence, if you plan on starting POS development or already are in the middle of such a project, be sure to pay attention to security and compliance considerations and choose vendors who include POS security requirements in their scope of work.
Plan on developing a POS security solution?
We will be able to ensure a reliable secure development framework for your software.
PCI DSS Compliance for POS Security
The industry itself created and implemented standards that should enhance the security of consumers’ credit card data. PCI DSS is the main standard for any business that accepts credit card payments.
What is PCI DSS Compliance?
PCI DSS stands for Payment Card Industry Data Security Standard. It first appeared when major card payment processing companies joined their efforts to create a unified standard to push merchants to guarantee a baseline sufficient level of data protection.
It's important to note that PCI DSS isn't a law but an industry security standard. It is nonetheless mandatory for businesses around the world, because the card brands require it contractually through the acquiring banks. Non-compliance may lead to fines passed on by your acquirer or to increased transaction fees, and in case of a data breach you may additionally face regulatory fines.
There are four merchant levels in PCI DSS, each with a different procedure for reporting compliance. The level depends on the volume of payment card transactions processed within a year (the exact thresholds are set per card brand). For example, Level 1 covers merchants with more than 6 million transactions per year and requires an annual on-site assessment by a Qualified Security Assessor (QSA), documented in a Report on Compliance. Merchants on Levels 2-4, with fewer than 6 million transactions annually, complete a Self-Assessment Questionnaire (SAQ) instead.
What are the PCI Requirements for POS security?
Apart from PCI DSS, which every merchant has to follow, the Payment Card Industry Security Standards Council publishes separate standards for software development. The most recent is the PCI Secure Software Standard, part of the PCI Software Security Framework. It applies to any software that processes card data for payment, and hence is relevant for secure POS development.
In short, the core requirements cover, among other things, how the software vendor handles the following aspects:
- critical asset identification;
- secure default configuration;
- sensitive data protection;
- authentication and access control;
- attack detection;
- vendor security guidance.
GDPR as a Regulation for POS Data Protection
GDPR, the General Data Protection Regulation, came into force in the EU in 2018. It is another regulation protecting personal information, but it reaches much further than the card-data scope of PCI DSS.
The GDPR definition of personal data includes name, date of birth, phone number, address, ID and insurance numbers, bank details, images or recordings of the person, etc. Moreover, it singles out "special category data" such as racial or ethnic origin, religious and political beliefs, sexual orientation, and biometric, genetic and health data. Processing this data requires both a lawful basis and one of the specific conditions the regulation lists for special categories.
The regulation applies to any organization established in the EU, and to organizations outside the EU that offer goods or services to, or monitor the behaviour of, people located in the EU; it protects data subjects by location, not by citizenship. Hence, even if you plan to release your POS system on a non-European market, there is always a chance that the users of your software will serve customers in the EU. To prevent the harmful outcomes of improper data storage, we suggest following GDPR as well.
The security framework is firmly integrated into GBKSOFT’s development process customs. Our team of business analysts always includes security and data protection measures in the scope of any project. Check this article to learn more about our secure software development practices.
Looking for an experienced POS vendor?
We specialize in POS development and can contribute our domain expertise to your project.
Non-Functional Requirements on POS Security and Compliance That GBKSOFT Uses
As you can see, taking adequate measures is an integral part of ensuring POS security. However, during project inception, you and your vendor might choose to focus on the functionality of your software, its architecture, and solution design.
To ensure that your chosen vendor won't neglect or miss security and compliance, we suggest that you pay close attention to the non-functional requirements (NFRs) in the project documentation. This type of requirement describes the system's qualities: usability, security, compliance, performance, maintainability, reliability, capacity, availability. Unlike functional requirements, which are captured as user stories and epics, NFRs don't describe features, yet they play a significant role in development because they constrain how the whole system must operate.
So, when you receive a proposal, the discovery-stage research, or any other project document, check the NFRs, especially the ones listed under "security" and "compliance".
Here are a few examples of what we include into NFRs crucial for POS security solution development:
- system designed to comply with all regulatory and legal requirements, including PCI DSS, GDPR, etc.;
- WAF and DDoS protection using AWS WAF (the WAFv2 API) and AWS Shield Standard (basic DDoS protection);
- CSRF protection via a per-session anti-CSRF token issued at login and required on all subsequent state-changing API calls (the synchronizer token pattern);
- static code analysis through IDEs and build reports using SonarQube;
- inactivity timeouts: an idle session lives no longer than a defined limit (168 hours at most as an absolute session lifetime), after which the user is automatically logged out; note that for any component in PCI DSS scope the standard itself requires re-authentication after 15 minutes of inactivity, so the idle timeout there must be far shorter;
- web vulnerability scans as part of the development cycle;
- strict application password policy;
- two-factor authentication.
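To make the CSRF and session-timeout requirements above concrete, here is an added Python example (not GBKSOFT's code and not from the original article) of a minimal session store that issues a per-session anti-CSRF token at login, validates it with a constant-time comparison on state-changing calls, enforces the 15-minute idle limit PCI DSS demands for in-scope components, and caps total session lifetime at 168 hours. The in-memory dictionary, the `FakeClock`, and the `X-CSRF-Token`-style header value passed in by the caller are assumptions for the demonstration.

```python
import hmac
import secrets
import time

IDLE_TIMEOUT = 15 * 60           # PCI DSS: re-authenticate after 15 idle minutes
ABSOLUTE_LIFETIME = 168 * 3600   # hard cap from the NFR: 7 days, regardless of activity


class SessionStore:
    """In-memory session store (assumption: a real deployment backs this with Redis or a DB)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested deterministically
        self._sessions = {}

    def login(self, user_id):
        """Create a session and return (session id, anti-CSRF token).

        The session id goes into an HttpOnly/Secure/SameSite cookie; the CSRF token is
        handed to the front end, which must echo it in a request header on every
        state-changing call. A cross-site attacker can make the browser send the
        cookie but cannot read or set the token.
        """
        sid = secrets.token_urlsafe(32)
        csrf = secrets.token_urlsafe(32)
        t = self._now()
        self._sessions[sid] = {"user": user_id, "csrf": csrf, "created": t, "last_seen": t}
        return sid, csrf

    def authorize(self, sid, csrf_header, state_changing=True):
        """Validate a request. Returns (ok, user_id or reason)."""
        s = self._sessions.get(sid)
        if s is None:
            return False, "no session"
        t = self._now()
        if t - s["created"] > ABSOLUTE_LIFETIME:
            self._sessions.pop(sid)
            return False, "absolute lifetime exceeded"
        if t - s["last_seen"] > IDLE_TIMEOUT:
            self._sessions.pop(sid)           # auto-logout on idle timeout
            return False, "idle timeout"
        if state_changing:
            # Constant-time compare; a missing header is rejected, never treated as a match.
            if csrf_header is None or not hmac.compare_digest(s["csrf"], csrf_header):
                return False, "csrf mismatch"
        s["last_seen"] = t                    # only successful requests extend the idle window
        return True, s["user"]


class FakeClock:
    """Constructed clock for the demonstration; production code uses time.time."""

    def __init__(self, start=1_700_000_000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def run_demo():
    """Walk one cashier session through the checks; returns the list of ok flags."""
    clock = FakeClock()
    store = SessionStore(now=clock)
    sid, csrf = store.login("cashier-17")
    results = []
    results.append(store.authorize(sid, csrf)[0])                        # valid POST: True
    results.append(store.authorize(sid, "forged-token")[0])              # wrong token: False
    results.append(store.authorize(sid, None, state_changing=False)[0])  # GET needs no token: True
    clock.advance(14 * 60)
    results.append(store.authorize(sid, csrf)[0])                        # inside idle window: True
    clock.advance(16 * 60)
    results.append(store.authorize(sid, csrf)[0])                        # idle timeout: False
    results.append(store.authorize(sid, csrf)[0])                        # session is gone: False
    return results


if __name__ == "__main__":
    print(run_demo())
```

The token is per session rather than single-use: a token consumed on its first request would break every legitimate follow-up call, while a per-session token tied to the server-side record is what the synchronizer token pattern actually requires. Requiring it only on state-changing calls keeps safe reads (GET) free of the header while still blocking forged writes.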
In any case, we pick the NFRs specifically for every project, as an imbalance in non-functional requirements causes problems. Over-specified NFRs may be unreachable or increase the cost of development significantly; under-specified ones may lead to non-working, vulnerable software.
Hence, our business analysts analyze every project separately and form specific NFRs that fit the solution's use cases, goals, development plan and timeline, the client's internal policies, POS security needs, etc.
GBKSOFT as an Experienced POS Development Vendor
GBKSOFT is a reliable IT vendor with more than 10 years of experience. We specialize in custom software development for businesses that want to automate their processes and grow their revenues.
We have successfully completed several POS security solution development projects. Let us introduce one of them.
ZempCenter: Enhancing User Experience Through Mobile POS Development
The client has reached out to us with a SaaS POS solution that at the moment was available to be accessed only in the web version. With the growing spread of mobile devices, the company has come to understand that a mobile version of their POS is a must to stay competitive and provide their end-point users with the expected level of services.
Our team created an iOS version of the software connected to the back end of the original SaaS solution. Combined with an efficient UI/UX design, the application became a functional and user-friendly extension of ZempCenter's SaaS product.
Our POS development services
We are ready to contribute our accumulated expertise to your POS development project. We offer:
- custom POS development;
- mobile POS development;
- SaaS POS development;
- development of POS solutions for cloud and dark kitchens;
- upgrading and redevelopment of legacy POS solutions;
- POS integration with other business intelligence solutions (ERP, CRM software, etc.)
We also offer different cooperation models. Choose the one that is most suitable for you:
- software development from scratch;
- dedicated team;
- team extension.
Bottom Line on POS Security
Point-of-sale security is one of the major aspects you should pay attention to while developing your solution. Keep in mind that data breaches and other attacks are real threats to product integrity and reputation, so building security into your POS solution should be a priority.
We suggest taking POS security seriously. There is a lot at stake, and cybercriminals are always looking for new "opportunities" to pounce on, constantly honing their skills and only getting "better" as time passes.