Credit cards are very convenient: swipe, sign, pay later. That is going to change in the US, and it's about time. The change does introduce a cost for retailers, but it is also an opportunity.
The Point-of-Sale (PoS) devices at many retailers are one tool within what is generally a low-margin business. The only time PoS devices are refreshed en masse is when some external pressure forces the change. The move to credit cards with a chip (whether chip-and-sign or chip-and-PIN) is now creating that external pressure.
This raises a question from both the security and operations perspectives: can retailers do better than meeting only the new, immediate demand?
Boiled down, PoS systems are hardware peripherals (magnetic stripe readers, chip readers, signature screens, printers, and so on) attached to a computer. The computer runs software, often within a Windows Embedded operating system, that facilitates transactions. They are, in essence, fancy digital cash registers.
Just as a retailer one hundred years ago would not have spent money on a mechanical cash register that could also mow lawns, modern retailers acquire the least expensive computer hardware that can support the PoS applications and peripherals. It makes sense – why pay more than necessary to do the job, especially when that job very rarely changes?
Drivers of change?
In a digital world, the peripherals needed to facilitate transactions need drivers. Those drivers are leveraged by the PoS software, which in turn engages back-office systems. Those back-office systems communicate with many other systems to authorize payment and to interact with supply-chain, distribution, and order-management software, and so on.
The bottom line is that there are lots of moving parts, and the PoS device is the customer-facing endpoint.
The change brings both cost and opportunity. Retailers would do well to consider the full spectrum of opportunities, and the cost of focusing only on the immediate need (a PoS device that accepts chip cards).
Virtualization and PoS
Virtualization at the PoS endpoint offers myriad advantages from both an operations and a security perspective. There are straightforward advantages, such as running an image on the PoS systems that can be easily patched, instantiated anew, and captured for forensic analysis (whether for security investigations or operational troubleshooting).
Retailers could also consider centralizing PoS images via Virtual Desktop Infrastructure: within each store, run a server that hosts the images, and use lightweight PoS devices that act purely as interfaces.
Virtualization also provides opportunities for additional security. True, adding a hypervisor adds another layer of abstraction, and therefore more software. However, attackers are focused on the low-hanging fruit: the Windows Embedded operating system and the PoS software running within it.
Adding a hypervisor below the operating system creates an opportunity to inspect all activity of the operating system and the PoS software running above it. That is an ideal vantage point from which rootkits, injection attacks, and other bad behavior can be detected.
Of course, I have my security hat on in all of this. I do believe that operations and security are converging, even if in fits and starts. The security side has certainly gained some retail attention of late, but I like to try to find ways to make things better across the board. In this, there is an opportunity to streamline PoS costs today and tomorrow and include security in the discussion.