Point-Of-Sale (POS) security
Because of the valuable financial data they hold, point of sale (POS) systems are prized targets for criminals—you need to prioritise their protection in your business.
Tip: Physical security is important for your POS systems. Make sure your POS systems are protected and monitored for unauthorised access.
How to keep your POS system safe
Online criminals can hack into POS systems to steal payment card numbers and the associated personal identification number (PIN), which they then use to access your customers' accounts.
- Protect your POS computer systems using the same measures you use for other computer systems in your business. That includes keeping them patched with the latest updates, running security software (such as anti-virus), limiting administrator access and using strong passwords. Learn more about protecting your business computers.
- Consider the physical security of your POS systems and terminals and ensure they are protected and monitored for unauthorised access. If using cameras for surveillance of POS terminals ensure they are positioned so as to not inadvertently capture the entry of PINs. Retain recordings for a minimum of three months.
- Train your staff to be aware of POS threats and to report any unexpected or suspicious behaviour. Learn more about security awareness training for your staff.
- Set up strong encryption for the transmission of all data, for example cardholder data between your POS system and the POS service provider. Your service provider should implement this by default. Ask your POS service provider or an online security consultant (with POS experience) for help if you are not sure what to do.
- If purchasing a new system, carefully vet vendors of POS systems to ensure they are trustworthy and legitimate.
- Do not allow service people access to your POS systems without verifying their identity. If unsure, contact the service company to confirm their details.
- Do not use the default user name and password for your POS system, that was shipped with it. Create a new user name and a strong password that is unique to your business. Learn about creating strong passwords.
- Limit access to client data to those employees with direct need to access it and are authorised to do so. Ensure all client data stored is encrypted, so even if it is compromised, criminals will not be able to use it.
- Make sure your POS system is behind a firewall.
What to do if things go wrong
If you believe your POS system has been compromised or affected by malicious software, seek technical advice and:
- Preserve evidence—ideally disconnect the affected system from your network but don’t switch it off. Identify and disconnect any suspect components, for example computers, terminal, then note any actions you take to limit the potential damage and preserve your system logs.
- Contact your bank or financial institution.
- Report the incident to authorities—report the incident to your local police and to the Australian Cyber Security Centre's ReportCyber.
Learn how to protect your business in five minutes with our Small Business Guide.