Factoring in Best Practices for POS Security

Part of POS security is about infrastructure: the firewalls and encryption levels and so on that protect information and guard against attack. How that's to be done is strictly defined by the PCI DSS standard. You know, simple rules, like:

double-length TDES (112-bit) keys should not be used for more than one million enciphered blocks

A first-caliber POS vendor knows these rules, and implements your system and communications in strict compliance with all of them. But making sure your technology adheres to PCI DSS standards isn't the whole security job. Just as with physical security, it doesn't matter how tough a lock you install, if the guard leaves the key in it overnight, you've got trouble.

With that in mind, we thought we'd share a few best practices for managing your own POS transaction processing environment.

1. U$e $tr0^g P@$$w0rd$

That wasn't hard to figure out, was it? Hackers don't think so either, and they have simple-to-build tools that make cracking such passwords easy. Their scripts use every word in the dictionaries of many languages—somewhere in which are your name, your dog's name, the streets you've lived on, your occupation, and even your PIN. They include every case/symbol/letter variation, spelled forwards and backwards and sideways.

Here's a strong password:

5L9e4$8@LLe

It's a home address: 5948 Le Salle. What could be easier to remember? Need a hint for it? L$s@a shows you the case and symbol shifts.
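As an added example (not code from the original article or from any POS vendor), here is a small Python password screen that applies the warning above from the defender's side: it undoes the digit and symbol substitutions a cracking script tries (the same ones the heading of this section uses), compares the result forwards and backwards against a wordlist plus the user's own personal terms, and reports why a candidate fails. The wordlist and the personal terms are constructed sample data.

```python
import re

# Constructed sample wordlist standing in for a cracking dictionary: plain words
# plus the personal terms the article warns about (name, pet, street, job).
WORDLIST = {"password", "welcome", "letmein", "restaurant", "manager", "rover"}

# Digit/symbol substitutions a cracking script tries; undoing them lets
# "P@$$w0rd" be compared to the dictionary as "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i", "^": "n"})

def normalize(pw: str) -> str:
    """Lowercase and undo the common leet substitutions."""
    return pw.lower().translate(LEET)

def dictionary_hits(pw: str, personal_terms=()) -> list:
    """Return the wordlist entries / personal terms the candidate is derived from."""
    words = WORDLIST | {t.lower().replace(" ", "") for t in personal_terms}
    norm = normalize(pw)
    stripped = re.sub(r"[^a-z]", "", norm)      # digits/symbols merely appended
    # Spelled "forwards and backwards", as the article puts it.
    forms = {norm, norm[::-1], stripped, stripped[::-1]}
    return sorted(w for w in words if len(w) >= 4 and any(w in f for f in forms))

def check_password(pw: str, personal_terms=()) -> list:
    """Return a list of problems; an empty list means the candidate passes."""
    problems = []
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, pw)) for c in classes) < 3:
        problems.append("fewer than 3 character classes")
    hits = dictionary_hits(pw, personal_terms)
    if hits:
        problems.append("derived from: " + ", ".join(hits))
    return problems

if __name__ == "__main__":
    me = ("Maria", "Rover", "Le Salle")          # constructed personal terms
    for pw in ("P@$$w0rd1!", "rev0R!2024", "Kq7#vLp2$zWm"):
        print(pw, "->", check_password(pw, me) or "ok")
```

Note that "rev0R!2024" is caught even though the pet's name is reversed and leet-substituted, which is exactly the variation the article says cracking scripts enumerate.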

2. Stay Separate

Employees should have access to only the bare minimum amount of data they need to do their job. Assign employees their own unique authentication—that way you can track access. Take it a step further. Assign managers different passwords for different jobs. Access to reservations or the floor map should use a different password than access to sensitive data or reports.

3. Stay Current

The rule of thumb for security vulnerabilities is: the quicker you patch, the safer you stay. You should deploy critical patches to your operating system or applications as quickly as you can, but never more than 30 days after release. The same principle is true for your passwords. The higher the level of access, the more often the password should be changed—at least once a quarter for highest-level access. (Ah, there's the rub: as soon as you develop muscle memory for typing in the high-strength password, you're going to change it.)

4. Add a Second Factor

You authenticate someone with one of three factors: something they know (like a password), something they have (like a magnetic card), or something they are (like a fingerprint). Include simple-to-set-up, simple-to-use devices for two-factor authentication. You likely already employ one factor (generally the know or have factor). Add a second factor to the mix. But do it only where you need to. Generally, you can restrict two-factor authentication to management logins only, and let staff stay with one factor.

5. Stay Secret

The worst-case situation: you're away, and the call comes where your shift supervisor needs access only you have. The worst-case solution is to share your password (and then hope you remember to change it later).

A first-quality support team can ensure your technology is always strictly compliant with the strictest of standards. By taking a few precautions in the way you verify users, and in what you allow them to do, you build an even stronger wall of protection and security for your customers and your business.

PCI Compliance

For more details on PCI DSS standards and best practices, visit www.pcisecuritystandards.org.