While the holiday shopping season may be over, there's a strong chance that another wave of point-of-sale (POS) system attacks against retailers, hospitality organizations, and other companies is just around the corner.

Experian's recently released 2017 Data Breach Industry Forecast predicts a continued trend toward attacks against organizations that process cardholder data. Experian analysts predict criminals could focus on smaller organizations and franchises, which may not have the same degree of technical infrastructure as the big-name retailers who've been breached in recent years.

In addition, the same Experian report predicts increased sophistication in POS malware, with many successful breaches originating from cybercrime organizations. As IT pros at payment card industry (PCI)-impacted organizations look to the year ahead, preventing a high-profile, long-term breach of cardholder data should be a top priority. In this blog, you'll learn how to detect and prevent a POS breach in a security landscape where criminal attacks are becoming more sophisticated.

Fact: Organizations are Slow to Detect POS Breach

For organizations that suffer a POS breach, the length of time to detection can range from days to, more commonly, months. The 2016 Verizon Data Breach Investigations Report (DBIR) indicates that for all types of security incidents, 75% of affected organizations take a week or longer to discover the incident.

Numerous 2016 news stories confirmed that many organizations don't have the mechanisms in place to discover risks or data theft. In one such instance, Eddie Bauer CEO Mike Egeck blogged that cardholder data had been stolen from their retail locations over the first seven months of 2016.

The malware remained undetected, and Egeck stated that Eddie Bauer was not the only organization affected. The "sophisticated attack directed at multiple restaurants, hotels, and retailers" lasted for a long period of time. Join us as we review some of the state-of-the-art methods for detecting and preventing a breach.

Rapid Detection of POS Breaches

Expert investigations of high-profile POS malware strains reveal sophisticated design, including the "Kaptoxa" code used against Target. For that strain, a 2014 forensic analysis by Security Intelligence's Mark Yason hypothesizes that Kaptoxa could have been detected by watching for encoded track data being transferred over the Server Message Block (SMB) protocol, or by detecting SMB attempts to write data to the destination.

However, applying forensic knowledge to future breaches is a definite challenge for security pros. Analyzing malware code is rarely possible while a breach is in progress, and it is not the most effective approach in any case when the domain of POS malware is broad and changing quickly.

POS Monitoring IS Change Detection

The right detection strategy isn't to examine the code. It's to examine changes to your environment that reveal malicious behavior on your POS systems, including the network and host. Expanding your approach to observing negative or unusual changes in your network, including updates to critical system files or sudden spikes in data transfer, can allow you to detect even zero-day malware or highly sophisticated risks.

Changes to your point-of-sale systems are inevitable. To comply with PCI requirements, your IT team will need to perform regular patching and other forms of network maintenance. However, changes that occur outside of these planned modifications can be the first sign of criminal activity. Chances are that if your organization faces a POS risk in 2017, the malware dropped into your system will not resemble known attacks.

Understanding when your POS network and systems are being modified off schedule is often the smartest way to act quickly. To be prepared for 2017's POS malware, it's wise to focus on change detection mechanisms for point-of-sale systems instead of look-back technology that's based on historical malware patterns.
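One way to put the change-detection idea above into practice, as an added example that is neither CimTrak's code nor the post's own: baseline SHA-256 hashes of a POS host's files, diff a later snapshot against that baseline, and label any change that lands outside an approved maintenance window as unplanned. The file names, contents and the maintenance window are constructed for the demo.

```python
import hashlib, tempfile
from datetime import datetime, time
from pathlib import Path

def hash_file(path):
    """SHA-256 of a file, streamed so large binaries aren't loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root):
    """Map of relative path -> SHA-256 for every file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): hash_file(p)
            for p in root.rglob("*") if p.is_file()}

def diff(old, new):
    """Return (added, removed, modified) paths between two baselines."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    return added, removed, modified

def in_window(when, windows):
    """windows: list of (weekday, start, end); weekday 0=Monday (assumed format)."""
    return any(d == when.weekday() and s <= when.time() <= e for d, s, e in windows)

def classify(old, new, when, windows):
    """Label each change 'planned' inside an approved window, else 'unplanned'."""
    added, removed, modified = diff(old, new)
    label = "planned" if in_window(when, windows) else "unplanned"
    kinds = (("added", added), ("removed", removed), ("modified", modified))
    return {p: (kind, label) for kind, paths in kinds for p in paths}

def demo():
    """Constructed scenario: terminal binary rewritten and a staging file dropped
    at 03:00 on a Wednesday; the only approved window is Sunday 01:00-04:00."""
    windows = [(6, time(1, 0), time(4, 0))]
    with tempfile.TemporaryDirectory() as root:
        Path(root, "pos.exe").write_bytes(b"original binary")
        before = baseline(root)
        Path(root, "pos.exe").write_bytes(b"tampered binary")  # modified
        Path(root, "dump.tmp").write_bytes(b"staged data")      # added
        after = baseline(root)
    return classify(before, after, datetime(2017, 2, 22, 3, 0), windows)
```

In a real deployment the baseline would be stored off-host and the snapshot taken on a schedule or on file-system events, so an attacker who alters the host cannot also alter the record it is compared against.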

Proactive Prevention of POS Breaches

Full compliance with all 12 PCI requirements is among the most effective ways to prevent a POS attack and data breach. By meeting and exceeding PCI requirements for POS system security, you can reduce your attack surface by eliminating unpatched vulnerabilities, implementing appropriate barrier protection, and other important activities.

Some of the best ways to proactively prevent a POS data breach include:

  1. Actively monitoring your POS network for changes.
  2. Using compliant, best-of-class, end-to-end encryption around cardholder data.
  3. Limiting the hosts that can communicate with POS systems.
  4. Adopting chip-card-enabled POS terminals.
  5. Utilizing employee screening and training to minimize insider threats.
  6. Training employees to immediately detect and report possible signs of tampering.

POS Attacks are Usually Caused by Network Vulnerabilities

In recent instances, POS attacks are rarely the result of less-sophisticated attack methods such as tampering or card skimming. More often, hackers can gain entry to your network via a phishing attack, unpatched vulnerabilities in your POS software, or similar risks.

Even when armed with full PCI compliance, security pros need tools to detect human- and technology-caused risks in real time. The smartest method of prevention is to utilize tools for real-time detection and PCI compliance monitoring.


With an agent-based file integrity monitoring solution designed for the unique needs of organizations that use POS, you can detect negative or unplanned changes from the moment they affect any aspect of your network, including employees who fall prey to a phishing scam or network changes that move you out of PCI compliance.

CimTrak Enables Real-Time POS Malware Remediation

CimTrak is the only agent-based solution to enable full change remediation from the admin portal, allowing you to remove malware before you experience cardholder data loss. With features designed to meet the unique security needs of organizations with POS systems, security administrators can unlock access to change detection monitoring at the POS level, PCI compliance insights, and the ability to act as soon as a negative change is detected.

To learn more about how CimTrak can protect you from the complex POS malware of tomorrow, download our PCI solution brief today.


Post by Jacqueline von Ogden
February 21, 2017
Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".