01 Why POS Systems Are a Primary Target
Point of Sale systems process payment card data and cash transactions, making them a high-value target for cybercriminals. POS malware has stolen payment data from hundreds of thousands of businesses globally, often operating undetected for months.
The vulnerability isn't primarily in the POS software itself. It's in how POS systems are networked, maintained, and secured (or, more commonly, not secured) alongside the rest of the business IT environment.
The most common POS breach vector is a POS terminal on the same network as office computers and internet access, with no segmentation. A phishing email opened on an office workstation then gives attackers access to the payment network.
02 POS Network Architecture
Network segmentation: the most critical control
- POS terminals must be on a completely separate network segment from office computers and guest Wi-Fi
- Dedicated VLAN for POS, with firewall rules that prevent any communication between the POS VLAN and the office VLAN
- POS systems should only communicate with the payment processor, software update servers, and management systems; nothing else
- No internet browsing from POS terminals; deny all outbound except required destinations
- Guest Wi-Fi completely isolated, with no access to the POS or office network

If a customer can see your guest Wi-Fi network and your POS system is on the same physical switch, you have a network segmentation problem. Guest traffic must be completely isolated, either physically or via a VLAN with enforced firewall rules.
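To make the segmentation rules above testable, here is an added Python example (not De4sec's code) that models the POS, office, guest and management VLANs and evaluates candidate flows against the policy; the subnets and the processor/update-server addresses are constructed placeholders.

```python
# Added example (not De4sec's tooling); zone subnets and allowed destinations are constructed.
import ipaddress
from dataclasses import dataclass

# Constructed VLAN layout: one subnet per zone; any address outside them is "internet".
ZONES = {
    "pos": ipaddress.ip_network("10.10.20.0/24"),
    "office": ipaddress.ip_network("10.10.10.0/24"),
    "guest": ipaddress.ip_network("10.10.30.0/24"),
    "mgmt": ipaddress.ip_network("10.10.40.0/24"),
}
# The only internet destinations the POS VLAN may reach (TEST-NET placeholder addresses).
POS_ALLOWED_DESTS = {
    ("203.0.113.10", 443),   # payment processor
    ("198.51.100.20", 443),  # POS software update server
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "internet")

def evaluate(flow: Flow) -> str:
    """Return 'allow' or 'deny' for one flow under the segmentation policy above."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s == "guest":
        return "allow" if d == "internet" else "deny"  # guests get internet only
    if d == "guest":
        return "deny"                 # nothing internal talks to the guest segment
    if s == "pos":
        if d == "mgmt":
            return "allow"            # management systems on their own VLAN
        if d == "internet" and (flow.dst, flow.dport) in POS_ALLOWED_DESTS:
            return "allow"            # processor and update server only
        return "deny"                 # no browsing, no office VLAN, nothing else
    if d == "pos":
        return "allow" if s == "mgmt" else "deny"  # office may never reach POS
    return "allow"                    # office/mgmt traffic is outside this policy

def violations(flows) -> list:
    """Flows a firewall export permits but the policy says must be denied."""
    return [f for f in flows if evaluate(f) == "deny"]
```

Feed it the permitted flows exported from your firewall; any flow returned by violations() is a segmentation gap to close.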
Operating system
- POS terminals running Windows must be on a supported OS: Windows 11 (Windows 10 is now EOL)
- An end-of-life OS on POS terminals cannot receive security patches and must be replaced or isolated to a fully air-gapped network
- Disable all unnecessary services: Windows Remote Desktop, SMB file sharing, and Bluetooth where not required
- Auto-run disabled: no USB autoplay
Endpoint protection
- Antivirus or EDR deployed on all POS terminals: Microsoft Defender for Business or equivalent
- Defender Application Control: allowlist only approved applications. A POS terminal should run only POS software, nothing else
- Block USB storage devices to prevent malware introduction via USB and card data exfiltration
- Screen lock with strong PIN: POS terminals lock after inactivity
Patch management
- POS software updates applied promptly: critical updates within 7 days
- OS patches applied on a monthly cadence; test in staging first
- Patching window during non-trading hours to minimise trading disruption
Staff access to POS
- Unique login credentials per staff member; no shared POS login
- Role-based access: sales staff cannot access management functions, refunds, or reporting
- Manager override requires manager credentials, not a shared override code
- Automatic session timeout: return to login screen after inactivity
Remote access
- POS vendor remote access restricted to on-demand only, disabled when not in an active support session
- Log all remote access sessions: who connected, from where, and for what duration
- Never allow persistent remote access from the POS vendor; disable after each session
- De4sec remote management via a dedicated management VLAN, separate from the POS VLAN, with MFA required
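As an added example (not De4sec's tooling) of the logging requirement above, this Python script groups constructed vendor remote-access log lines into sessions (who, from where, how long) and flags any session that is still open, started outside an approved on-demand window, or exceeds a duration limit; the log format, ticket windows and limit are assumptions.

```python
# Added example (not De4sec's tooling); log format and approved windows are assumptions.
from datetime import datetime, timedelta

# Constructed remote-access log: one connect/disconnect event per line, UTC timestamps.
LOG = """\
2025-03-03T09:00:12Z event=connect session=101 user=vendor.tech1 src=203.0.113.40 host=POS-01
2025-03-03T09:41:50Z event=disconnect session=101
2025-03-04T22:15:03Z event=connect session=102 user=vendor.tech2 src=198.51.100.77 host=POS-02
2025-03-05T08:30:00Z event=connect session=103 user=vendor.tech1 src=203.0.113.40 host=POS-01
2025-03-05T08:55:10Z event=disconnect session=103
"""
# Approved on-demand support windows (constructed): ticket -> (start, end), UTC.
APPROVED = {
    "TCK-1": ("2025-03-03T08:30:00Z", "2025-03-03T10:00:00Z"),
    "TCK-2": ("2025-03-05T08:00:00Z", "2025-03-05T09:00:00Z"),
}
MAX_DURATION = timedelta(hours=2)  # assumed policy limit for one support session

def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse(log: str) -> dict:
    """Group connect/disconnect events into sessions: who, from where, start/end."""
    sessions = {}
    for line in log.splitlines():
        when, *kv = line.split()
        f = dict(p.split("=", 1) for p in kv)
        if f["event"] == "connect":
            sessions[f["session"]] = {"user": f["user"], "src": f["src"],
                                      "host": f["host"], "start": ts(when), "end": None}
        elif f["session"] in sessions:
            sessions[f["session"]]["end"] = ts(when)
    return sessions

def audit(sessions: dict, now_iso: str) -> dict:
    """Return {session_id: [findings]} for sessions that break the on-demand rule."""
    now, findings = ts(now_iso), {}
    for sid, s in sessions.items():
        issues = []
        if not any(ts(a) <= s["start"] <= ts(b) for a, b in APPROVED.values()):
            issues.append("outside approved support window")
        if s["end"] is None:
            issues.append("still connected: persistent access")
        if (s["end"] or now) - s["start"] > MAX_DURATION:
            issues.append("exceeds maximum session duration")
        if issues:
            findings[sid] = issues
    return findings
```

Run audit(parse(LOG), <current time>) on a schedule; an open session with no matching ticket is exactly the persistent vendor access the list above says to disable.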
Physical security
- POS terminal mounting: secured to counter, tamper-evident seal
- Payment terminal (EFTPOS) checked daily for skimming device attachment
- Back-of-house systems physically secured, not accessible to customers or non-IT staff
05 PCI DSS Compliance Overview
If your POS system processes payment cards (EFTPOS, credit card), the Payment Card Industry Data Security Standard (PCI DSS) applies to your business. PCI DSS v4.0 is the current version.

| PCI DSS Requirement | Practical meaning |
|---|---|
| 1: Install and maintain network security controls | Firewall between POS and other networks (segmentation) |
| 2: Apply secure configurations | No default passwords on POS systems, only required services enabled |
| 3: Protect stored account data | Do not store full card numbers; the POS system should only store tokens |
| 5: Protect all systems against malware | AV/EDR on all in-scope systems |
| 6: Develop and maintain secure systems | Patch POS software and OS promptly |
| 7: Restrict access to cardholder data | Least privilege: only staff who need access have access |
| 8: Identify users and authenticate access | Unique user IDs, strong passwords or PINs, MFA for remote access |
| 10: Log and monitor all access | Audit logs for all access to the cardholder data environment |
| 12: Support information security with policies | Documented security policy, incident response plan |

De4sec assists businesses in Kenya and Australia with PCI DSS scoping, gap assessment, and control implementation.
06 De4sec POS Security Service
POS Deployment
Hardware supply and installation, network design and VLAN configuration, POS software setup and testing. Kenya and Australia.
Security Hardening
OS hardening, endpoint protection deployment, application control configuration, access control setup.
Network Architecture
Firewall configuration, POS VLAN design, traffic policy implementation, guest Wi-Fi isolation.
Ongoing Support
Remote monitoring, patch management, security incident response, PCI DSS compliance support.