Cybercriminals targeting point-of-sale devices

Even with PCI regulations, smaller retailers face challenges in security credit card transactions

Point-of-sale payment processing devices for credit and debit cards are proving to be rich targets for cybercriminals due to lax security controls, particularly among small businesses, according to a report from Trustwave.

Trustwave, which investigates payment card breaches for companies such as American Express, Visa and MasterCard, conducted 220 investigations worldwide involving data breaches in 2010. The vast majority of those cases came down to weaknesses in POS devices.

"Representing many targets and due to well-known vulnerabilities, POS systems continue to be the easiest method for criminals to obtain the data necessary to commit payment card fraud," according to Trustwave's Global Security Report 2011.

POS devices read the magnetic stripe on the back of a card that contains account information, which is then transmitted for payment processing.

Although there are rules for security controls that developers should use for the devices, such as the Payment Application Data Security standard (PA-DSS), Trustwave said that "these controls are rarely implemented properly."

Further, many small businesses rely on third-party integrators to support the POS devices. But those integrators often have poor security practices. In 87 percent of the breach cases it studied, the integrators make mistakes such as using default credentials in operating systems or with remote access systems, Trustwave said.

"In our experience, many POS integrators are often not skilled in security best practices, leaving their clients open for attack," the report said. "For instance, our investigations often uncover deficiencies in regards to basic security controls, such as the use of default passwords and single-factor remote access solutions."

POS devices are an attractive target for cybercriminals since the data they access from the cards is more complete, Trustwave said. For example, an attack against an e-commerce website may yield a credit card number and the card's expiration date -- information that can only be used in so-called card-not-present fraud, such as buying goods on a website that never sees the physical card or its magnetic strip.

But POS devices collect the full magnetic strip, which makes it possible, for example, to encode that information on a dummy card for use at an ATM machine or a retailer.

Retailers have been increasing their compliance with the Payment Card Industry Data Security Standard (PCI-DSS), a code of best practices created by the card industry. It forbids, for example, the storing of magnetic strip data on POS terminal and mandates the use of encryption.

But in 2010 Trustwave discovered new malware targeted at POS applications, one of which was capable of extracting that encrypted data.

"The POS-specific malware is the most sophisticated malware we have seen, and similar to the ATM malware we saw in 2009, as it requires deep knowledge about the workings of the POS application," Trustwave wrote.

Even though PCI-DSS is well established in North America and Europe, "these mandates are just beginning to take hold in other regions," Trustwave wrote. "For example, Latin America and Asia Pacific still lag behind other areas of the world in the identification and acknowledgement of a data breach, which adversely affects the global effort to combat attacker behavior."

Send news tips and comments to

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags trustwavesecuritydata breachdata protectionfraud

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Cool Tech

Crucial® BX200 SATA 2.5” 7mm (with 9.5mm adapter) Internal Solid State Drive

Learn more >

D-Link TAIPAN AC3200 Ultra Wi-Fi Modem Router (DSL-4320L)

Learn more >

ASUS ROG Swift PG279Q – Reign beyond virtual world

Learn more >

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

D-Link PowerLine AV2 2000 Gigabit Network Kit

Learn more >

Gadgets & Things

Lexar Professional 2000x SDHC™/SDXC™ UHS-II cards

Learn more >

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >


Learn more >

Family Friendly

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Lexar Professional 2000x SDHC™/SDXC™ UHS-II cards

Learn more >

ASUS VivoPC VM62 - Incredibly Powerful, Unbelievably Small

Learn more >

Stocking Stuffer

Lexar Professional 2000x SDHC™/SDXC™ UHS-II cards

Learn more >

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Best Deals on Good Gear Guide

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.


Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?