Hope is a Four-Letter Word - Keep your POS and Business Safe from Cyberattacks
By Anthony Analetto
There are two layers of foolishness that drive me nuts. First is when people accept a preventable adversity as inevitable. Second is when people institutionalize the tolerance and make jokes about it. Defeatism isn’t a successful formula for either life or business. And hoping you aren’t the victim of cybercriminals is not a strategy. Rather, it’s wishful thinking.
Being Lulled into Inaction Is a Recipe for Disaster
This morning I listened in amazement to a colleague joking about his cell-phone carrier being hacked. Their personal information was stolen “yet again” by a data breach. No outrage. They seemed resigned to it being a part of life. Even joked that they needn’t bother signing up for the offered “theft protection service” because they already had two active services from previous breaches.
Don’t Give Customers a Reason to Attack You
It only takes a single outraged customer in our social-media-fueled cancel culture to disrupt your business. The urgency of taking control of POS and computer system security at your wash is about far more than protecting customer data. Further to this, customers do not have a lackadaisical attitude when it comes to holding a business owner accountable for securing customers’ confidential information. We all remember the data breach at Target back in 2013, right? That cost Target close to $20 million in known settlements (who knows how much in other settlements plus legal fees) and affected 41 million customers.
Using Outdated Hardware Is Outdated
I think it’s safe to say we all know to change the default password on an Internet-connected device. But what about the device itself? Microsoft ended support for Windows 7 on January 14, 2020. Does any device on your property still use an insecure and unsupported operating system? Are you sure?
I don’t know of any research studies done on our industry, but I found a report where research firm Palo Alto Networks estimates 83 percent of medical imaging devices run on old operating systems. So old, in fact, they no longer receive any software updates at all. Safe to say there may be a component lurking at your wash that is at “end of life” and not receiving software updates. Your pay station. Your POS system. Or your tunnel controller. Outdated technology is an accident waiting to happen. It’s your obligation to work with your supplier, identify potential issues, and update where appropriate. You wouldn’t continue to use an old insecure smartphone to access your bank accounts … because (1) you wouldn’t be able to and (2) the risk of losing your life savings is too great. So why would you risk your business?
Don’t Procrastinate the Easy Upgrades
If your controls or equipment provider is hinting at end-of-life, don’t wait. It means, sooner rather than later, you will be hit with the choice of investing in hardware or jeopardizing your wash operation. If your hardware is no longer able to receive automatic software updates, then every day you are getting further and further behind with today’s technology and what it can do for you. If your service provider is requiring hardware purchases to enable software features, it’s an unnecessary expense and your provider is working from old technology.
Credit technology is also changing. A controls provider needs to keep up with this. Outdated, magnetic stripe credit card technology is still widely used in many places. Wash operators who want to accept credit and debit cards should adopt EMV chip-and-PIN technology if they haven’t already. The encrypted code technology of EMV cards, combined with PIN protection, makes transactions 700 times more secure. If you haven’t already, get an EMV terminal that allows for phone tap/NFC payments as well as Apple/Google Pay.
Understand Your Network
Every device that’s connected to the Internet provides criminals with a point of entry to wash networks. While that can’t be changed, your POS system must be completely firewalled from the Internet to keep external threats from getting in. You may hire a specialist to do the work, but you must also educate yourself.
Physically Secure Your POS
This seems like a no-brainer, but it is one I should remind you of. Lock the door to your POS system and pay stations each night or introduce some other physical barrier to the card reader to prevent the introduction of skimmers during off hours. If you don’t know what a “credit card skimmer” is – google it.
Keep Customer Credit Card Info off Local Networks
Use tokens to store any financial transactions. I’m not referring to the tokens your children use at Chuck E. Cheese or the local arcade. Credit card “tokens” are an encryption technique that makes the original data unreadable in the event of a data breach or hack. Tokens also act as a form of authorization to proceed with a transaction. Never store customer card information on your local computer network. Tokens, albeit more secure, do require an uninterrupted Internet connection. If you go this route look to invest in a fail-safe Internet hotspot that automatically rolls over to cellular if your landline is down.
Restrict Permissions, Educate Yourself, Train Your Staff
Ensure permissions are in place to restrict access to the Internet from the POS system. Only grant employees the access to features or systems they need. Train your employees to never access personal accounts from your wash network. Take a proactive role in understanding POS technology to make sure patches and other updates are current.
Resort to Common Sense
For one, install a decent security camera/DVR system. It’s an inexpensive way to keep a watch over your wash. And make sure the cameras are pointed in the right direction with an unobstructed view.
Next, run all reports nightly. How else are you going to know about discrepancies in gift cards, free washes, discounts, refunds, or anything else unusual? Hint: tracking each cashier separately with their unique usernames/passwords will make it easier to track by employee.
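A nightly report becomes more useful when it compares each cashier against everyone else instead of only listing totals. The following is an added example, not from the original article or any POS product; the transaction fields, kind names, thresholds and sample data are assumptions made up for illustration.

```python
from collections import Counter, defaultdict

# Transaction kinds worth reviewing each night (hypothetical names).
EXCEPTION_KINDS = {"REFUND", "DISCOUNT", "FREE_WASH", "GIFT_CARD"}

def nightly_exceptions(transactions, ratio=3.0, min_count=3):
    """Flag cashiers whose exception rate is at least `ratio` times their peers' rate.

    `transactions` is an iterable of (cashier_login, kind, amount) tuples.
    Cashiers with fewer than `min_count` exceptions are not flagged.
    """
    totals = Counter()
    exceptions = defaultdict(Counter)
    for cashier, kind, _amount in transactions:
        totals[cashier] += 1
        if kind in EXCEPTION_KINDS:
            exceptions[cashier][kind] += 1

    all_tx = sum(totals.values())
    all_exc = sum(sum(c.values()) for c in exceptions.values())
    flagged = {}
    for cashier, n in totals.items():
        own = sum(exceptions[cashier].values())
        peer_tx, peer_exc = all_tx - n, all_exc - own
        if own < min_count or peer_tx == 0:
            continue
        peer_rate = peer_exc / peer_tx      # everyone except this cashier
        own_rate = own / n
        if peer_rate == 0 or own_rate / peer_rate >= ratio:
            flagged[cashier] = dict(exceptions[cashier])
    return flagged

# Constructed sample day: three cashiers, each with a unique login.
SAMPLE = (
    [("amy", "SALE", 12.0)] * 20 + [("amy", "REFUND", 12.0)]
    + [("ben", "SALE", 12.0)] * 18 + [("ben", "DISCOUNT", 3.0)]
    + [("cal", "SALE", 12.0)] * 12 + [("cal", "REFUND", 12.0)] * 4
    + [("cal", "FREE_WASH", 0.0)] * 2
)

if __name__ == "__main__":
    for cashier, kinds in nightly_exceptions(SAMPLE).items():
        print(f"review {cashier}: {kinds}")
```

This only works if every cashier signs in with a unique login; shared logins make the per-cashier comparison meaningless.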
Don’t Assume It Won’t Happen to You
It’s easy to read about global cyberattacks, congressional hearings, countries sanctioning one another, or large multinational corporations being attacked with ransomware and think “who’d bother to hack my car wash.” There’s the mistake. Cybercrime is a lucrative and booming business. Your car wash is potentially a sweet juicy target. In fact, one of your customers may be the mouth-watering hacker. With thousands of club-plan members, multiple locations, and millions of dollars in revenue, you are a target. I assure you that hoping your wash doesn’t get hacked is not a strategy. Take action and protect your business.
Good luck and good washing.
Joining the company in 2000, Anthony Analetto serves as the president of Sonny’s CarWash Equipment Division. In this role, Anthony leads the innovation of new products to drive client success and oversees all operations, engineering, and supply chain management. Washing cars for more than 30 years, Anthony was the director of operations for a 74-location national car wash chain prior to joining the company.