However, businesses are far less vulnerable to any data breach if they move to end-to-end encryption, according to Rice. That means encrypting the customer's data throughout the entire payment process, including the moment the credit card is swiped.
"This technique can help close any loopholes and vulnerabilities within the system," Rice said.
A countertop Ingenico checkout terminal.
Earlier this year, HPE Security announced a partnership with Ingenico, a maker of payment checkout devices, on an end-to-end encryption product for businesses.
To better protect payment data, Hewlett Packard Enterprise Security also provides tokenization, a process of replacing the processed payment card data with digital placeholders, known as tokens. Both this and encryption can be used in combination to reduce the risk of data theft, Rice said.
Unfortunately, when businesses select the point-of-sale system they wish to buy, they rarely think of security, said Charles Henderson, the head of X-Force Red, a security testing team at IBM.
"Most companies assume when they buy a point-of-sale system, they're buying something secure," Henderson said. Buyers also tend to conflate security with a product's compliance with industry standards, but that's not always true, he added.
Henderson's team routinely tests point-of-sale systems to look for vulnerabilities. Often, his team finds them when the business assumed its system was secure because of its industry compliance.
In addition, many of these point-of-sale products are installed by third-party resellers that may not specialize in security. These factors can put businesses at risk, he said.
To prevent this problem, Henderson advises that businesses hire a security specialist to test their point-of-sale system for any vulnerabilities. Most mainstream point-of-sale system products can be secured with the right implementation, he added.
That testing also goes for security products. Although encryption and other malware-fighting tools can prevent data breaches in point-of-sale systems, they're practically useless if they aren't properly installed, Henderson said.
"They're not bulletproof. The devil is in the implementation," he said.