Does the following thought process sound familiar? “The faster I can install this new point of sale (POS) system for this merchant, the better.” With POS systems, faster isn’t always better.

On occasion, POS systems aren’t properly configured right out of the box, which can lead to devastating malware being uploaded onto the merchant system. In other cases, the POS device itself may be missing crucial security patches.

The bottom line is, you can’t just plug a POS system in a merchant environment without taking certain precautions. So how do you compensate for a not-so-secure POS system before you install it in a cardholder data environment? Whether you are installing POS systems for your merchants, or simply advising them on good security practices, here are important topics to consider.

POS systems and their security age pretty quickly. Every second that passes after a released update isn’t installed, the system falls further and further from security and compliance.

Chances are if a merchant is running an old POS system in their environment, it’s riddled with vulnerabilities. Maybe they missed a few security patches along the way. Or maybe it’s no longer supported by the manufacturer.

Even if you installed a new POS system for your merchants every week (a ridiculous idea, I know), their security wouldn’t be foolproof. Technology increases so rapidly that by the time you unwrapped the system and plugged it in, a new update may be waiting to be installed.

That’s why updates are so important to maintaining point-of-sale security. I recommend going to the POS manufacturer website to discover the most recent patches and updates for the device right before you install it. Who knows what new security updates may have been pushed?

Secure POS systems can become immediately infected if placed in an insecure merchant environment. That’s why you should ensure the merchant’s payment processing environment is tested for vulnerabilities immediately prior to and after POS installation.

The best way to test for system weakness is through a vulnerability scan offered by an Approved Scanning Vendor (ASV), but it’s not enough just to scan and find problems. The problems must be fixed. Ensure the merchant remediates their vulnerabilities before POS installation.

Avoid the “install now and scan later” mentality. Many vendors, installers, and merchants fall into the trap of assuming the most recent vulnerability scan covers any problems…even if it was conducted weeks before.

The problem with this assumption is that hackers constantly scan the Internet for holes. As soon as they find holes, they exploit them. Not patching holes immediately before installation could mean the security of that shiny new POS system was doomed from the beginning.

Making sure the merchant resolves any issues they find in their vulnerability scan immediately prior to installing any new technology will save them a lot of heartache in the long run. It may even save them from a crippling data breach.

Many merchants believe security is being taken care of by someone else (whether it’s their IT guy or their processor) and thereby means it’s not their problem. They may even think their agent or POS installer takes liability if something goes wrong. As you well know, this is completely false.

It is always the merchant’s responsibility to make sure a POS system is secure, fully patched, and void of known vulnerabilities. That means it’s also the merchant’s responsibility to pay for any breaches that result from an insecure POS system.

If you need help with POS configuration, vulnerability scanning or security patch installation, contact the POS manufacturer or your PCI partner who will be happy to help you secure your merchant’s POS environment.

Matt Brown is a Director of Business Development at SecurityMetrics.