The threat of Attack on Point-Of-Sale (POS) systems

In the retail world, the threat of attack on Point-Of-Sale (POS) systems is always high, as they are a prime target for the bad actors trying to get credit card information. There is always new malware being created to try to get that information. There are, however, steps that can be taken to reduce the risk, even with regards to the latest attack software.

The best thing that you can do is to isolate your servers and workstations as much as possible. In an ideal world, these would be completely isolated, and not interact with any other systems. The reality is that this is very rarely the case. With that in mind, let’s look at some things that can be done.

The first step is to make sure that your firewall is as restrictive as possible. Your POS workstations, and the server if needed, should be restricted to accessing only what is absolutely needed. In most cases, this is only your credit card processor. In no case should your firewall allow either the workstations or the server unrestricted access to the internet. The firewall will eliminate the chance for drive-by downloads, or users browsing to malicious sites.

Along those lines, any computers that are used for general internet browsing, and also email, should be on a separate network. If it is not possible to put those workstations on a separate physical network, at least use a different logical network, that is, a different network address range. Even just the different logical network will stop the majority of malware infections.

If remote access is needed, and it should be limited to those cases where it truly is needed, such as your support company, then it should be restricted to only those addresses that have a legitimate reason to connect. Also, any such connections should be closely monitored. One such method is to disable the remote access software, and only enable it when your support personnel are actively connecting. Of course, it is again disabled as soon as they are finished.

Those cover the basics of securing your POS system. It is a good place to start, but it is only a start. Keeping software updated, training personnel, and keeping vigilant are always key components, also.

Dave
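
The three rules from the POS post above (POS egress only to the card processor, no path into the POS network from other networks, remote access only from approved addresses) can be checked against an exported rule list. The following is an added example, not code from the original post; the address ranges, port set, rule format and rule names are constructed assumptions.

```python
import ipaddress

# Constructed addressing plan: every range below is an assumption for illustration.
POS_NET = ipaddress.ip_network("10.20.0.0/24")       # POS workstations and server
PROCESSOR = ipaddress.ip_network("203.0.113.10/32")  # card processor (placeholder)
SUPPORT = ipaddress.ip_network("198.51.100.7/32")    # support company (placeholder)
REMOTE_PORTS = {3389, 5900}                          # RDP and VNC

# Constructed sample rules: (name, action, source, destination, port; None = any).
# 10.30.0.0/24 stands for the separate browsing/email network.
RULES = [
    ("pos-to-processor", "allow", "10.20.0.0/24",    "203.0.113.10/32", 443),
    ("pos-web",          "allow", "10.20.0.0/24",    "0.0.0.0/0",       443),
    ("office-to-pos",    "allow", "10.30.0.0/24",    "10.20.0.0/24",    None),
    ("support-rdp",      "allow", "198.51.100.7/32", "10.20.0.5/32",    3389),
    ("any-rdp",          "allow", "0.0.0.0/0",       "10.20.0.5/32",    3389),
    ("default-deny",     "deny",  "0.0.0.0/0",       "0.0.0.0/0",       None),
]

def audit(rules):
    """Return (rule name, problem) for each allow rule that breaks the policy.

    Each allow rule is judged on its own; rule ordering is not modelled.
    """
    findings = []
    for name, action, src, dst, port in rules:
        if action != "allow":
            continue
        src_n, dst_n = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        # POS hosts may talk to each other and to the processor, nothing else.
        if src_n.overlaps(POS_NET) and not (
                dst_n.subnet_of(POS_NET) or dst_n.subnet_of(PROCESSOR)):
            findings.append((name, "POS egress beyond the card processor"))
        # Traffic entering the POS network from anywhere outside it.
        if dst_n.overlaps(POS_NET) and not src_n.subnet_of(POS_NET):
            if port in REMOTE_PORTS:
                if not src_n.subnet_of(SUPPORT):
                    findings.append((name, "remote access from unapproved source"))
            else:
                findings.append((name, "POS reachable from another network"))
    return findings

if __name__ == "__main__":
    for rule_name, problem in audit(RULES):
        print(f"{rule_name}: {problem}")
```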

To Purge or not to Purge? – The data migration dilemma

When anticipating an upcoming Data Migration, here are a few things that you should consider in making purge decisions.

  1. The Time Crunch.

Depending on the application, a typical Data Migration can take at least several days to complete, if not longer.

Depending on the amount of data that one currently has, the entire process can be artificially extended and cause you to have extra support expense and unwanted downtime.

As the amount of data that you have increases, more disk space is used, and the resources required to do various tasks increase exponentially. This situation puts more resource pressure on your server and increases the amount of time that it takes to complete tasks. As an example, running history reports could end up taking a considerable amount of time, which may end up reducing overall staff productivity if people are constantly waiting for something to complete. Generally, this scenario is true whether you are doing a data migration or not.

  2. Do I really need to migrate all of the data?

Typically, most Retailers only keep about (2) two years of detailed history. I have found many instances over the years where companies have decades of detailed history on file. However, with some industries, it may be necessary to retain more history. Examples of this might be if there were extended product warranties or high-priced items with serial numbers (e.g. Water Heaters, Pool and Spa Equipment, Wood Stoves, Tools, Farm Equipment, Electronics, etc.).

  3. What kind of time constraints do I have regarding the purging operations?

Normally, it is best to schedule purging related work for times when there is no one using the application software. Generally, there are at least (3) three good reasons for this as follows:

  • Purging operations usually require a lot of CPU and memory usage, so this should normally not be done during peak hours, as it can bog down your server.
  • Some historical purging operations will hang and wait if they encounter records within the selected range that are in use. This artificially extends the amount of time required to complete the purging operation.
  • Smaller databases generally mean faster backup times.

  4. What is the general condition of the source data?

Most purging and data migration operations require that the data be in good shape, otherwise separate and extensive work may be required to accomplish complete removal of the data or the ability to migrate it.

Some examples of this kind of issue would be:

  • Historical sales data that references sales reps or users that are no longer on file.
  • POS ticket history that involves sales data for customers and items that are no longer on file, or that have corrupt ticket lines.
  • Set-up and supporting data for features that are no longer used, such as sales prices, discount codes, and other pricing schemas.
  • Old customers that haven’t purchased anything for many years. This could include customers with invalid or obsolete contact data.
  • Items that are obsolete/discontinued or haven’t been used for many years.

In many cases, some of this kind of data can be cleaned up ahead of your data migration date,

If you have questions about purging, file utility usage, and data migrations, please contact the CCS Retail Systems Support Department.

John

Keeping Systems up-to-date

Everyone should know the importance of keeping your operating system, and software, up-to-date. Even with the amount of information on the subject, there are still many that allow this task to slide for excessively long periods of time. That is a very, very bad thing to do, given the volume of malicious software that we are constantly bombarded with.

While I am not personally a fan of automatic updates, that is a far better choice than not installing updates at all. If you find that you are not taking the time to apply the patches and updates, then, by all means, configure automatic updates, and let the system do it for you.

While automatic updates involve an amount of risk, it is much less than the risk run by not having current fixes and patches applied. My preference is to periodically (and frequently) manually install the updates. Manually installing allows me to check for known issues regarding those updates, and make the decision to install a particular patch, or not. This approach does take some dedication on your part, though, and as such is not for everyone.

Whichever method you choose, be sure that your systems are updated with the current patches and fixes. Otherwise, you are running the very big risk of waking up to a nasty situation, in which your computers have been compromised, or are being held for ransom.

Dave.

Spring Cleaning Time!

Most of us think of spring as a good time for thoroughly cleaning and airing out our home. It’s also a good time for cleaning our computers and peripherals! Doing so removes dust accumulation inside your computer that can clog heatsinks and fans, overheat components, and throttle performance. If this persists, performance is affected, and the lifespan of the system can be reduced. Shorts may also result, causing damage to parts.

As to peripherals: keyboards, mice, and headphones can harbor volumes of bacteria from constant use. The number of bacteria is multiplied when computers are shared with other users. Remember, not everyone washes their hands as frequently as they should, and people often leave behind lots of unhealthy, gross stuff on the surface of whatever they touch!

Many good websites give step-by-step directions on how to safely clean computers and peripherals. One click is all you need to find out how to do the job the right way.

While you’re at it, why not clean out some of those old files that are no longer needed and free up some space on your computer? Removing old files will also help speed up performance.

Need some help doing this? CCS is here to assist you! Call us today at 425-672-4806 or email us to get that spring cleaning done by experts!

Marlene

Testing Updates and Changes

With the recent changes in requirements for credit card processors, NCR Retail Online going away, and others, there are a large number of people going through updates and changes. Many of these changes are quite significant. With that in mind, a word about testing those changes is in order.

The most common thing that I see is a lack of sufficient testing. For example, if you are changing your web store provider, there will be changes in how orders flow in and out of your ticketing system. It is not enough to test that orders come into your system. You also need to check that you can process those orders. It does not do any good to receive orders, and then not be able to process and complete them. The testing process needs to incorporate all aspects of the workflow.

  • Does the order come in with the correct information?
  • How about taxes?
  • Are the tax amounts correct when appropriate?
  • How about when taxes do not apply so that there is a zero tax amount?

Those are all important, but that is just the beginning.

If that information is importing correctly, what about going forward?

You should test printing picking tickets, generating invoices, and everything all the way through posting those invoices. When that all goes through without a hitch, there is still more to do. Test canceling orders, and partial shipments. If you ever edit orders to add or remove lines, change a line quantity, or anything else, then those functions need to be tested also.

It takes some time and needs to be included in your schedule for everything else, but the more time spent testing changes and updates ahead of time, the smoother it will be when it comes time to implement those changes in your live system.

Dave

Staying Current on Your NCR Counterpoint Software

With all the changes to security and PCI Compliance, it is a good idea to be and stay current on your NCR Counterpoint software. One example of why has just come to light recently.

To be PCI Compliant, the gateway which helps you process credit card transactions is being updated to support the latest encryption technology. With that update, your NCR Counterpoint software will also need to be updated. Not all versions will be updated, but the latest version is almost always updated with a small patch or Service Pack which takes only a few minutes to install. Older versions of NCR Counterpoint (except two versions) will not be updated and will need to be brought up to a currently supported version of the software.

If you are running an older version of Counterpoint, there are a few things to consider. The first is to find out if your hardware and operating system will support both the updated version of Counterpoint and the new encryption technology being implemented. The second is time. Depending on what your current version is, the time it takes to upgrade can vary from 30 minutes to a few hours depending on how many workstations you have, how big of a jump from version to version you are making, and when you will be able to get the work done.

Although it is not always recommended to be on the bleeding edge of technology, being somewhat current will save you time (and in return, money) on your next update.

-Bryan

The Disadvantages of Using Duplicate Document Numbers

The Disadvantages of Re-using Document Numbers

There are numerous reasons for not doing this, as follows:

Typically, in most software applications, a document number is considered a Primary Key, so it should be considered “Unique” and would not be duplicated. However, there are some programs where it might be a Secondary Key where multiples might be allowed, for example by using a sequence number, as with duplicate entries in historical tables such as Check History (e.g. checks, voids for the same checks, or manual payments, EFT transactions, etc.).

Even in situations where the programming might allow for this sort of thing, a duplication might cause other issues with software functionality. Some examples:

  • GAAP – According to GAAP (Generally Accepted Accounting Practice) document numbers should also be considered unique. This also makes auditing easier. If an auditor sees a lot of duplicate documents, it may prompt the auditor to dig deeper looking for other accounting irregularities, thereby artificially extending the length of the audit.
  • The same Ticket/Invoice number exists in history multiple times – A user runs a report on ticket #20324 without having specified a date or date range. The subsequent report returns eight documents created over a period of 10 years.
  • Problems posting – I have seen examples where end-users have used the same invoice number dozens of times. When they try to post a new voucher using the same invoice number, the program may hang or crash while it attempts multiple times to create a “New” document for one that already exists. As an example, the program might attempt to write the same document into history 10 times, and then just stop the attempts to write the new data.

The worst example of this that I have seen so far is with one vendor that had 21 manual payments on file using an invoice and check number of “SUPPLIES”. In this case, a better way to create the numbers would be something like “SUPMMDDYY” (e.g. SUP031518).

If you have any questions or need assistance with creating your own document number assignment schema, please contact the CCS Retail Systems Support department.

– John

Recalculating Inventory in a Counterpoint Multi-site Environment

If you are using Counterpoint in a multi-site environment, care must be taken when it comes to running the Inventory Recalculate Quantities procedure. This procedure checks several of the quantity fields in the inventory tables against the data in the rest of the tables. Fields such as quantity-committed, quantity-on-po, and quantity-on-transfers, among others, are checked and corrected if necessary. Note that it will not adjust quantity-on-hand. That must be done via inventory adjustments.

The issue in a multi-site environment relates to how replication works. When a replication session starts with a remote site, it does not take a snapshot of the database. Rather, it goes through the list of tables and makes the appropriate updates as it processes the various tables. What this means for the inventory quantity recalculations is that, after replication finishes, the data is not all consistent as to the point in time that it represents, due to ongoing user activity.

To illustrate, let us look at the purchasing process and inventory quantities. The purchasing tables are processed by replication in the first half of the list of tables, while the inventory tables themselves are processed nearly at the end. This ordering leads to the possibility that a replication session will start, and get through the purchasing tables. Then, while replication processes other tables, a user at the remote site posts a new purchase order. A bit later, the replication processes the inventory tables. In this case, after the replication is finished, the hub site has no records of the purchase order that was posted at the remote site. However, it does have updated inventory records showing a quantity-on-po. If the Inventory Recalculate Quantities procedure is run at the hub at that point, the result would be to set the quantity-on-po to zero for all items on the purchase order that was posted (assuming that they are not on any other purchase orders). When replication runs again to the remote site, the purchase order will then be transferred to the hub. Also, the quantity-on-po that was set to zero at the hub will be sent to the remote. Now both the remote and the hub have an open purchase order, while the quantity-on-po for all of the items on that purchase order will be zero.

Inventory quantities should only be recalculated after replicating with the remote sites when no activity is occurring at those sites for the entire duration of the replication, avoiding this timing problem. Typically, this means that the recalculation must be run well after the remote site closes, or before they begin processing in the morning. Remember, it is not enough that the remote site has closed, and everyone has gone home. A replication must occur after they have closed and gone home. Only then will the recalculation routine have data that truly reflects the state of the data at the remote site. Most of the time, this means that the best time to run the recalculation is in the morning before users at the remote site start doing anything with Counterpoint.

Dave.
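
The timing problem in the post above can be reproduced with a small model. This is an added example, not Counterpoint code: the two-table layout, the "newest change wins" merge rule, the tick counter, and the item and PO identifiers are all assumptions made for illustration.

```python
# Toy model: each site holds two tables; every row is (value, modified_tick).
TABLE_ORDER = ["po_lines", "inventory"]   # purchasing early, inventory near the end

def new_site():
    return {"po_lines": {}, "inventory": {"WIDGET": (0, 0)}}

def replicate_table(a, b, table):
    """Merge one table between two sites; the most recently modified row wins."""
    for key in set(a[table]) | set(b[table]):
        rows = [r for r in (a[table].get(key), b[table].get(key)) if r is not None]
        a[table][key] = b[table][key] = max(rows, key=lambda r: r[1])

def post_po(site, po_no, item, qty, tick):
    """Posting a PO writes the PO line and raises quantity-on-po for the item."""
    site["po_lines"][po_no] = ((item, qty), tick)
    on_po, _ = site["inventory"][item]
    site["inventory"][item] = (on_po + qty, tick)

def recalc_qty_on_po(site, tick):
    """Reset quantity-on-po to the sum of the PO lines this site can see."""
    for item, (on_po, _) in list(site["inventory"].items()):
        actual = sum(q for (i, q), _ in site["po_lines"].values() if i == item)
        if actual != on_po:
            site["inventory"][item] = (actual, tick)

def run(quiet_remote):
    hub, remote = new_site(), new_site()
    if quiet_remote:
        # PO posted before the session; nothing changes while it runs.
        post_po(remote, "PO-1001", "WIDGET", 12, tick=1)
        for table in TABLE_ORDER:
            replicate_table(hub, remote, table)
    else:
        # PO posted after purchasing tables were processed, before inventory.
        replicate_table(hub, remote, "po_lines")
        post_po(remote, "PO-1001", "WIDGET", 12, tick=1)
        replicate_table(hub, remote, "inventory")
    recalc_qty_on_po(hub, tick=2)          # recalculation run at the hub
    for table in TABLE_ORDER:              # the next replication session
        replicate_table(hub, remote, table)
    return {"open_po_lines_at_hub": len(hub["po_lines"]),
            "hub_qty_on_po": hub["inventory"]["WIDGET"][0],
            "remote_qty_on_po": remote["inventory"]["WIDGET"][0]}

if __name__ == "__main__":
    print("activity during replication:", run(quiet_remote=False))
    print("no activity during replication:", run(quiet_remote=True))
```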

Physical Count Procedures and Equipment

It’s that time of year again, Physical Count Time, and having the right equipment will help with quick and accurate counts.

CCS used to advise using an Optimus SP5500 PDT to do counts. It is simple, quick, and easy to use. Unfortunately, it has been discontinued and although there are still a few out there, they are getting harder to find.

CCS has been testing many different devices and has finally found one that is even easier to use. It is the AML LDX 10. There are many features that can be used that the Optimus did not have.

For example, the AML device can be programmed to allow only keypad entry for quantities, which eliminates barcodes scanned in as quantities. The user interface is also bigger, brighter, and easier to read.

It runs a compact version of the Windows OS, so it will also be more familiar looking to your users. It also has a touchscreen interface with bigger buttons for ease of use.

It also has a programmable barcode scanner and is USB connected for easy installation. Downloading of the information is also much more user-friendly and intuitive, and multiple files can be saved for downloading all at once or one at a time.

Reviewing your work is also much easier and more intuitive, with on-screen directions and buttons for deleting and editing.

If you are ready to get your Physical Counts done quickly, contact the CCS Retail Systems Support Department at 800.672.4806 or email us for pricing. We also have units available to rent with advance notice.

-Bryan

New TLS Patch Coming for 8.5.2.1

 

ViewPoint Newsletter | NCR
New TLS Patch Coming for V8.5.2.1 March 6th

Payment Card Industry Data Security Standards (PCI DSS) require all PA-DSS validated payment applications to discontinue the use of “early TLS” (i.e., all versions of SSL and TLS 1.0) by June 30th, 2018. For more information on this, please refer to the TLS 1.2 transition document. 

To comply with this requirement, NCR Secure Pay will no longer accept early TLS connections after 2:30 A.M. on June 5th, 2018. In addition to the previously mentioned updates to NCR Counterpoint V8.5.4 and V8.4.6, we will also be releasing a patch for V8.5.2.1. Releases are scheduled as follows:

  • V8.5.4 Patch 002: Scheduled for 2/20/2018
  • V8.4.6.19 Service Pack: Scheduled for 3/6/2018
  • V8.5.2.1 Patch: Scheduled for 3/6/2018

We do not plan to release patches or Service Packs to support TLS 1.2 in other versions of NCR Counterpoint.

To prepare for the transition to TLS 1.2, you must first ensure that TLS 1.2 is supported and enabled on your workstations by following the appropriate steps for your operating system, as outlined in our TLS 1.2 transition document. 

Marilyn.