PCI compliance extends to car washes, quick lubes

A point-of-sale system supplier for car washes and quick lubes protects its machines from viruses and other malware and enables PCI compliance.

When Innovative Control Systems, Inc., began integrating credit card clearing into its point-of-sale systems for car washes by connecting to a credit card clearinghouse over the Internet, executives at the company knew they had to do something to protect the machines.

At first, they advised their customers to install antivirus software. But over time, it became clear the customers weren't heeding their advice: Support calls soared as machines became infected with viruses and other malware. The outbreaks would prevent the vendor's POS applications, which are integrated with the car wash tunnel operations, from running and disrupt business. Support technicians spent hours cleaning up customers' systems.

"It really led us to look at the fact that they weren't being proactive in protecting themselves so we had to look for a solution," said Joe Jennings, network administrator at Nazareth, Pa.-based Innovative Control Systems.

The company began looking for software that would work with its application and provide affordable protection for its customers. Jennings and his team put seven antivirus products to the test on a POS system. They threw viruses and spyware at each, and measured how fast each product allowed the Innovative Control Systems application to run.

"We went through the entire gambit with each one," Jennings said.

In the POS world, anything that slows down the ability to produce a receipt is unacceptable, he explained. "You don't want customers standing there waiting for anything." In that respect, Eset NOD32 Antivirus stood out from the others. With NOD32, a receipt popped out in less than half a second. Symantec antivirus caused the longest lag at 20 seconds, Jennings said.

Jennings and his team also liked NOD32's proactive capabilities in blocking malware, its integrated anti-spyware protection, Eset's automatic updates, and low price. The initial plan was to resell the antivirus protection to customers, but with the PCI Data Security Standard becoming a concern, the company's president decided that it needed to be included with every POS system, Jennings said.

By including the antivirus protection with its systems, Innovative Control Systems is helping its customers at nearly 3,000 car wash and quick lube locations comply with the PCI standard, Jennings said. NOD32, which is installed on the POS server in active scanning mode for real-time protection, prevents viruses, Trojans or other malware from reading or extracting any of the data flowing from the POS device and server to the credit card clearinghouse, he said. No credit card data is stored on the POS device or server, he added.

The need to secure POS systems was highlighted in the recent indictment of three men on charges of hacking into computer systems at 11 Dave & Buster's restaurants and stealing credit and debit card numbers. The trio allegedly gained unauthorized access to the POS servers at each restaurant and installed packet sniffers designed to capture credit card data.

Security experts have said a common security problem at retail locations is POS systems that are managed by third parties via unsecured remote access systems that often use blank or default passwords.

In addition to providing antivirus protection with its POS solutions, Innovative Control Systems ships to each customer a router that's configured securely, without any standard open ports. And even before PCI compliance became an issue, the company realized it needed to replace its remote support solution for managing client machines with a more secure system, Jennings said. It chose the Bomgar Box, which he described as a secure, encrypted point-to-point system; no standard passwords are used and Jennings requires frequent password changes for employees.

In addition, Innovative Control Systems is working to get its software validated under the new Payment Application Data Security Standard. PA-DSS is based largely on Visa's Payment Application Best Practices (PABP) program.

Since the vendor started shipping every system with NOD32, calls to its support team about viruses and other problems have dropped tremendously, Jennings said. The company also replaced its Symantec and Webroot Software antivirus products with Eset antivirus on its corporate network.
