At the beginning of August 2016, a network of over 330,000 POS systems run by MICROS, part of Oracle Corp., was hacked by a cybercrime group, leaving all merchants using the system vulnerable. The hackers also completely compromised Oracle’s main online support portal for MICROS customers.
Oracle did not disclose how many MICROS users were affected by the breach, or whether the hackers had actually decrypted the card data and stolen money from the consumers. They did, however, acknowledge that they had “detected and addressed malicious code in certain legacy MICROS systems.”
Malware all around
A few days later, it was revealed that at least five more POS system providers were breached by hackers, compromising as many as 1 million cash machines and point of sale systems worldwide.
Card-stealing malware was also found in the POS systems at twenty HEI Hotels & Resorts properties. The group operates major hotel brands including Marriott, Hyatt, Sheraton and Intercontinental.
The payments systems at Noble House Hotels & Resorts have been infected twice in less than a year.
The credit card info of tens of thousands of guests at the Hutton Hotel in Nashville may have been left vulnerable, as the hotel discovered its systems had been compromised for almost four years, between September 2012 and June 2016.
In the case of fashion retailer Eddie Bauer, customer card information was stolen by malware found in the POS systems in every single one of its 350 stores across the USA and Canada. The malware had been present in the machines for at least 6 months before its discovery.
Is your POS at risk?
According to Verizon’s annual Data Breach Investigations Report, last year almost two-thirds of data breaches at retailers were caused by point of sale intrusions.
According to the Identity Theft Resource Center (ITRC), data breaches are on the rise: there have already been 601 recorded incidents this year. It’s an alarming number, especially considering that in 2015 there were 781 incidents in total.
Given the rising concern, we want to reassure all our customers and system users: you can keep your customer payment data safe by using LS Retail software alongside a PCI-certified payment service provider.
How to be safe from malware and intrusions with LS Retail
Petur Sigurdsson, Head of LS Retail Global Payments:
The LS Retail POS, when combined with PCI-certified service providers, is out of scope for PCI-related vulnerabilities.
In compliance with official PCI security standards, the LS Retail POS does not store, track or register any customer card information – this includes customer name, card number, CVV (card verification value) code and expiry date. The LS system only logs a masked card number per transaction, for limited tracking information. This data, even if it were stolen, would not be usable to commit fraud.
Cards swiped in an LS Retail POS are captured by the EFT terminal and processed within the EFT systems directly, making the relevant EFT provider responsible for all security – not the merchant, and not the LS Retail system.
A word of warning, though: although the LS Retail POS is out of scope for these threats, your whole system is only as safe as all of its parts are. Most breaches occur because of older legacy systems, so make sure that you install security updates in a timely manner as a part of regular maintenance, and that your intranet/Windows system is secure and up to date.