
How to Prevent Point-of-Sale (POS) Attacks

Smarttech247 Research Team
Insights and Intelligence
Published: October 13, 2025

Cybercriminals continue to target payment systems with one goal: to steal credit and debit card data. Despite stronger regulations and better payment technologies, point-of-sale (POS) attacks remain one of the most persistent and costly threats for retailers and merchants worldwide.

What Are POS Attacks?

A point-of-sale attack happens when cybercriminals compromise payment terminals or the systems connected to them to capture customer card data during transactions. Stolen card data is commoditised and sold within hours on criminal marketplaces, feeding an underground economy of payment fraud and identity theft.

Research consistently shows that POS attacks have led to millions of stolen bank cards globally. As attackers evolve, they are moving away from traditional malware and toward techniques that directly target POS infrastructure — and increasingly, ecommerce checkout flows.

How Attackers Steal Card Data

Criminals use several methods to capture payment information at the point of sale. The most common are skimming, POS malware, and ecommerce JavaScript injection.

1. Software (Malware) Skimming

Malware is secretly installed on POS systems to monitor memory for plaintext card data. When customers make payments, the malware intercepts the data during the brief moment it appears unencrypted before authorisation completes. This window can last only a few seconds, but it is long enough for attackers to capture card numbers, expiry dates, and security codes.

2. Hardware Skimming

Hardware skimmers are small physical devices inserted into legitimate card readers. When a customer swipes or inserts their card, the skimmer reads the magnetic stripe or chip data at the same time as the authorised reader, silently copying every transaction. These devices are often found at self-service checkouts, ATMs, or fuel pumps.

3. Magecart and JavaScript Injection (ecommerce)

As chip-and-PIN adoption has made card-present fraud harder, attackers have moved upstream. Magecart-style attacks inject malicious JavaScript into online checkout pages to skim payment details as customers type them. These scripts can run silently on compromised ecommerce platforms for months before detection, exfiltrating card data at scale with no physical access required. The same discipline that protects POS environments must now extend to digital storefronts.

Why POS Attacks Still Happen

Even as chip-and-PIN (EMV) cards have largely addressed card-present cloning, POS attacks continue for several reasons:

  • Legacy POS systems often lack the latest security updates.
  • Insecure supply chains can introduce compromised hardware before it reaches the shop floor.
  • Weak physical security allows terminal tampering in unmanned environments.
  • Limited monitoring of POS networks delays detection of breaches — often by weeks or months.
  • The shift to ecommerce has opened new attack surfaces that traditional POS security tooling does not cover.

Compliance Versus Real Security

The Payment Card Industry Data Security Standard (PCI DSS) was developed to protect cardholder data and define best practices for merchants. While PCI DSS compliance is a crucial baseline, passing an audit does not guarantee full protection.

True security requires continuous monitoring, vulnerability management, and a proactive approach that extends beyond compliance checklists. Attackers change their methods constantly, so defences must also adapt. A compliance programme and a security programme are not the same thing — the strongest retailers treat PCI DSS as the floor, not the ceiling.

How to Prevent POS Attacks

Merchants can reduce the risk of POS attacks by strengthening both technical and physical defences.

1. Secure the Physical Environment

  • Use tamper-evident seals and inspect all POS terminals regularly.
  • Monitor supply chains for counterfeit or modified hardware.
  • Restrict access to POS devices to authorised staff only.

2. Implement Strong Network Security

  • Segment POS systems from corporate or guest networks.
  • Use firewalls and threat intelligence-led detection to monitor traffic between POS devices and servers.
  • Encrypt data from the card reader to the payment processor.
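A segmentation rule is only useful if something checks that traffic obeys it. The following added example (not from the original article) shows one way to flag flows that leave the POS segment for anything other than approved payment destinations. The subnets, ports, flow-record fields and function names are all assumptions constructed for illustration.

```javascript
// Added example: constructed subnets, ports and flow records; not a vendor's schema.
const POS_SEGMENT = '10.20.30.0/24';
const INTERNAL_RANGE = '10.0.0.0/8'; // assumption: all internal hosts live in 10/8
const ALLOWED_DESTINATIONS = [
  { cidr: '10.20.40.10/32', port: 8443 }, // in-store POS server
  { cidr: '203.0.113.0/28', port: 443 },  // payment processor gateway range
];

// Convert dotted-quad IPv4 to an unsigned integer, rejecting malformed input.
function ipToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4 || parts.some(p => !/^\d{1,3}$/.test(p) || Number(p) > 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  return parts.reduce((acc, p) => acc * 256 + Number(p), 0);
}

// True when ip falls inside the CIDR block (integer maths avoids 32-bit sign issues).
function inCidr(ip, cidr) {
  const [base, bits] = cidr.split('/');
  const size = 2 ** (32 - Number(bits));
  return Math.floor(ipToInt(ip) / size) === Math.floor(ipToInt(base) / size);
}

// Keep only flows that originate in the POS segment and match no allowlist entry.
function findSegmentationViolations(flows) {
  return flows
    .filter(f => inCidr(f.src, POS_SEGMENT))
    .filter(f => !ALLOWED_DESTINATIONS.some(a => inCidr(f.dst, a.cidr) && f.dstPort === a.port))
    .map(f => ({
      ...f,
      reason: inCidr(f.dst, INTERNAL_RANGE) ? 'lateral-internal' : 'unapproved-external',
    }));
}

// Constructed flow records for the demonstration.
const SAMPLE_FLOWS = [
  { src: '10.20.30.11', dst: '203.0.113.5', dstPort: 443 },   // approved: processor
  { src: '10.20.30.11', dst: '10.20.40.10', dstPort: 8443 },  // approved: POS server
  { src: '10.20.30.12', dst: '198.51.100.77', dstPort: 443 }, // unknown external host
  { src: '10.20.30.12', dst: '10.50.1.20', dstPort: 445 },    // POS to corporate LAN
  { src: '10.50.1.9', dst: '198.51.100.77', dstPort: 443 },   // not a POS source
];

console.log(findSegmentationViolations(SAMPLE_FLOWS));
```

Run against real firewall or flow logs, any non-empty result means either the segmentation rules have drifted or a terminal is talking to something it should not.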

3. Maintain PCI DSS Compliance and Go Beyond

  • Keep POS software and firmware up to date.
  • Conduct regular penetration tests and vulnerability scans.
  • Apply least-privilege access controls for staff and vendors.

4. Monitor for Anomalies

  • Set up real-time alerts for unusual transaction patterns.
  • Track physical terminal swaps or hardware changes.
  • Work with a Managed Detection and Response provider for 24/7 monitoring across both physical and digital payment environments.

5. Extend Coverage to Ecommerce

  • Audit third-party JavaScript loaded on checkout pages regularly.
  • Implement Content Security Policy (CSP) headers to restrict unauthorised scripts.
  • Monitor for unexpected outbound connections from ecommerce infrastructure.
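The script audit and the CSP header work best when both come from the same allowlist. The following added example (not from the original article) audits the script tags on a checkout page and builds a matching policy. The hostnames, the sample page and the function names are assumptions constructed for illustration.

```javascript
// Added example: hosts, paths and the sample page are constructed for illustration.
const PAGE_ORIGIN = 'https://shop.example';
const ALLOWED_SCRIPT_HOSTS = new Set(['shop.example', 'js.payments.example']);

// Constructed checkout page: two expected scripts, one unknown host, one inline script.
const SAMPLE_CHECKOUT_HTML = `
<script src="/static/checkout.js"></script>
<script src="https://js.payments.example/v3/fields.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.analytics-metrics.example/t.js"></script>
<script>document.forms[0].addEventListener('submit', track);</script>`;

// Return one finding per script tag that the allowlist or SRI requirement does not cover.
function auditScripts(html, pageOrigin, allowedHosts) {
  const findings = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const [, attrs, body] of html.matchAll(tagRe)) {
    const src = (attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1];
    if (!src) {
      if (body.trim()) findings.push({ issue: 'inline-script', detail: body.trim().slice(0, 40) });
      continue;
    }
    const url = new URL(src, pageOrigin); // resolves relative paths against the page
    if (url.protocol !== 'https:' || !allowedHosts.has(url.hostname)) {
      findings.push({ issue: 'host-not-allowlisted', detail: url.href });
    } else if (url.origin !== pageOrigin && !/\bintegrity\s*=/i.test(attrs)) {
      findings.push({ issue: 'third-party-without-sri', detail: url.href });
    }
  }
  return findings;
}

// Build a CSP from the same allowlist: no inline scripts, and script loads,
// fetch/XHR destinations and form posts limited to known origins.
function buildCsp(pageOrigin, allowedHosts) {
  const self = new URL(pageOrigin).hostname;
  const sources = [...allowedHosts].filter(h => h !== self).map(h => `https://${h}`).join(' ');
  return [
    "default-src 'self'",
    `script-src 'self' ${sources}`.trim(),
    `connect-src 'self' ${sources}`.trim(),
    "form-action 'self'",
  ].join('; ');
}

console.log(auditScripts(SAMPLE_CHECKOUT_HTML, PAGE_ORIGIN, ALLOWED_SCRIPT_HOSTS));
console.log(buildCsp(PAGE_ORIGIN, ALLOWED_SCRIPT_HOSTS));
```

The regex is adequate for static markup like the sample. Scripts added at runtime only appear in a rendered DOM, so a production audit should inspect the page in a real browser and pair the policy with CSP violation reporting.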

Key Takeaway

POS attacks are not a solved problem. They are an ongoing discipline — one that requires continuous monitoring, not periodic audits. As attackers have moved from physical skimmers to software-based POS malware to JavaScript injection on checkout pages, the attack surface has grown. The retailers who stay ahead are those who treat detection and response as an operational function, not a compliance exercise.

