
Are Merchants Prepared to Plug Their POS Data Leaks?


In the past few years, point-of-sale (POS) technology has exploded. Storage capability has increased, terminal-to-terminal communication has been established, hand-held devices now talk to work stations, statistical reports are generated on the fly, and returned and disputed items are handled so much better.

But all that technology, all that convenience, also means greater vulnerability: more points of attack, more threat scenarios, and more opportunity for hackers. At the same time, is it realistic to expect a retailer not to store card information? It has been proven time and again that people don't erase data, even if they say they do. They always keep a hidden copy, which is worse.

So what's the solution? What can we do to slow down the wave of POS attacks?

Try this:

The HR solution: The bleak statistic is that the majority of computer violations are carried out by trusted insiders. Often, the personnel hired for POS work are poorly paid, seasonal, and poorly committed. They are easily tempted by a hacker to compromise data, pull out exchangeable storage devices, or leave a door open for a late night "janitor" to do the work. When caught, violators should be prosecuted for deterrence.

But POS personnel can be trained for security awareness, and warned against attempts to make them collaborators in crime. Security awareness can be taught with stories and examples. For example, one astute hacker would frequent plush restaurants and scan the diners. He himself ordered quickly, got his check, and remained sitting. When a fellow diner who looked wealthy by his dress and demeanor got up and paid his check, the hacker rushed right behind him and paid his. An hour later he would call the store pretending to be a Visa security officer checking on a recent use of a card. He would mention his own name, his card number, and the time he checked out, to gain the confidence of the POS operator. "Yes!" the operator would respond: "I found it, that card was used here, and the amount is right!" "Okay," the hacker would answer, "now who charged exactly before that guy?" And the operator would spell out the name and the card number of that wealthy person in the restaurant.

CryptoStorage: Imagine this: as data rush to their storage place, they visit a rapid ciphersystem that encrypts them beyond recognition. It's useless for a hacker to steal the media, read the data off it, or copy it if he does not have the key to decrypt the data back to their original form.

It's simple and technologically feasible. We have ciphersystems that are fast enough that the detour through the encryption step is barely a slowdown, either when data are encrypted before storage or when they are decrypted before being used again. In most cases, the ciphersystem does not have to pass the NSA's highest grade. But it must be fast and transparent. There are issues of how to handle the encryption keys, but these issues are generally well resolved through established security procedures.

When the raw sales data are passed around the store for analysis and marketing studies, the data that are not germane to the study can be masked through field encryption. Field encryption is a technique whereby only certain fields in the record, for example the name of the account owner or the actual account number, are encrypted, while the rest of the record stays readable.

Entrapment: From a philosophical point of view, entrapment is the most effective anti-hacking strategy. As it applies to POS, entrapment may involve placing bogus account data mixed in with the regular data. So one John Trustworthy, with account xxxx, would for example be a fictitious account holder. If, after some time, John Trustworthy tries to buy something, then it is clear which POS system was violated. In many cases, if the authorities can lay a hand on the user of the card, they would have a hold on both ends: they would know where the data was stolen and have a window of opportunity for that theft, and they would have the end user trying to use that account. Working from both ends, the authorities might unravel the crime chain that exploits the POS vulnerability. The fear of such entrapment data may be more effective than actual cases.
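The decoy-account idea above, as an added example that is not part of the original article: the fraud desk seeds each store's records with one fictitious account derived from a server-side secret, and when an authorization on that number later arrives it recovers which POS system leaked and the window in which the theft happened. All names (Decoy, DecoyRegistry, DEMO_BIN) are hypothetical and every value is constructed for the demo.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DEMO_BIN = "400000"  # constructed prefix, not a real issuer BIN

@dataclass(frozen=True)
class Decoy:
    store_id: str   # the one POS system this bogus account was seeded into
    seeded_at: str  # ISO date the record was planted (start of the theft window)
    pan: str        # the fictitious account number

def luhn_check_digit(payload: str) -> str:
    """Luhn check digit, so the decoy passes the same sanity checks as a real PAN."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # rightmost payload digit (and every second one) is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def make_decoy(secret: bytes, store_id: str, seeded_at: str) -> Decoy:
    """Derive a store-specific decoy PAN; HMAC keeps the digits unpredictable
    without the secret, so whoever copies the records cannot spot the plant."""
    msg = f"{store_id}|{seeded_at}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    body = DEMO_BIN + str(int(tag, 16))[:9]  # 6-digit BIN + 9 account digits
    return Decoy(store_id, seeded_at, body + luhn_check_digit(body))

class DecoyRegistry:
    """Fraud-desk side: seeds decoys and attributes any later use of one."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._by_pan: Dict[str, Decoy] = {}

    def seed(self, store_id: str, seeded_at: str) -> Decoy:
        decoy = make_decoy(self._secret, store_id, seeded_at)
        self._by_pan[decoy.pan] = decoy
        return decoy

    def attribute(self, pan: str, attempted_at: str) -> Optional[Tuple[str, str, str]]:
        """If pan is a decoy, return (leaking store, window start, window end)."""
        decoy = self._by_pan.get(pan)
        if decoy is None:
            return None  # an ordinary card: nothing to attribute
        return decoy.store_id, decoy.seeded_at, attempted_at
```

Seeding one decoy per store and per planting date is what lets a single later authorization attempt narrow the leak to one POS system and one time window.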

These tools and methods are intrinsically potent, but their application is an issue because retailers contend with increasingly commoditized markets, where the smallest price gradient would drive customers away. So retailers are quite reluctant to increase their costs by installing expensive security. However powerful technology may be, it nearly always loses when it battles economics.