Krawetz outlined numerous relatively easy-to-exploit vulnerabilities in POS technologies.
In the last year, no company has responded to Krawetz's inquiry.
One of the most basic limitations of POS is the need for standards at the payment level. The Payment Card Industry (PCI) data security standard, which all major credit card companies require, obliges businesses to take several measures to protect cardholder data. However, no PCI standards exist for POS devices or software.
POS terminals that read credit card information, perform card transactions, and receive the confirmation code are easy targets for hackers. According to Krawetz, POS terminals often store a relatively high volume of easily accessible credit card data. Most systems purge the data automatically when power is turned off or when transactions are tallied at the end of the day, but this does not occur in every instance.
Krawetz recommends asking the vendor whether payment card data is purged when power is removed from the POS system, finding out how much data can be retained in the device's permanent storage, and how to manually purge the data. Also, companies need to find out whether the data on POS devices is encrypted, whether the permanent storage can be removed, and whether the POS system forces users to change default settings. In addition, companies should find out if the POS device allows back-door access to the data and whether it has any logging functions for tracking activity.
These are serious concerns and I applaud Krawetz for describing them. I would hope the financial industry would take note.