A vending machine company recently had some of its POS systems compromised at waterparks in Wisconsin and Tennessee. This was a major breach: up to 40,000! Go figure. People can’t even buy snacks or whatnot from a vending machine without having their credit card information compromised. Has it really come down to this?
Unfortunately, this is very timely. With the recent anniversary of 9/11 and the horrific attacks that came that day from the sky, it is clear, or at least should be, that the bad guy is out there and will always try to find weaknesses in areas that are sometimes unusual or even very obscure. Computer hacking is no different. Someone decided to find a way to hack into a vending machine/POS system. It appears that credit card data was not encrypted from point to point, which would allow someone to ‘sniff’ the network for unencrypted credit card data and then use this information for nefarious purposes. I wonder who signed off on the PCI SAQ or ROC for this company. It is not a good situation any way you look at it. The moral of the story, and it is only one piece of the pie: companies need to encrypt credit card data from point to point. This means from the physical POS system interface to the server storing credit card data or to the payment processor. This will eliminate the ability to sniff cardholder data over the wire.
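One way to check that point-to-point encryption is actually in effect is to scan payloads captured on your own POS network segment for cleartext card numbers. The sketch below is an added example, not code from the original post or from the company involved; the function names and both sample payloads are constructed for illustration, and the card number is the standard 4111... test value.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum; filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep first six and last four digits so findings can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_pans(payload):
    """Return masked card numbers found in a captured payload (bytes)."""
    hits = []
    for m in PAN_RE.finditer(payload):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(mask(digits))
    return hits


# Constructed sample: what an unencrypted terminal-to-server message might look like.
CLEARTEXT = (b'{"terminal":"vend-07","pan":"4111 1111 1111 1111",'
             b'"exp":"12/30","amount":"4.50"}')
# Constructed sample: the same message when the terminal encrypts before sending.
ENCRYPTED = b'{"terminal":"vend-07","ct":"q3Vf+Zk0Jm8xT1hPz2LwYd9uRb6NcE4s"}'

if __name__ == "__main__":
    for name, payload in (("cleartext", CLEARTEXT), ("encrypted", ENCRYPTED)):
        found = find_cleartext_pans(payload)
        print(name, "FAIL" if found else "ok", found)
```

Any hit on the link between the POS interface and the server or payment processor means card data is crossing the wire unencrypted at that hop.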
Tim Trow is a Senior Consultant at Zensar