What to Do If Your Retail POS System Gets Hacked: An Emergency Checklist

A hacked POS system is a serious incident that requires fast, organized action. Every minute the breach continues, payment card data from your customers may be at risk. What you do in the first hours after discovering a retail cybersecurity incident determines how much damage is contained, what your legal obligations are, and whether your business can recover customer trust.

This guide provides a practical emergency checklist for retail businesses dealing with a suspected or confirmed POS system breach, along with context for why each step matters.

Signs Your POS System May Have Been Compromised

Recognizing a Breach

What to Look For

  • Unusual activity on your payment processor account, such as unexplained chargebacks or disputed transactions
  • Your processor or acquiring bank contacts you about suspicious activity on cards used at your location
  • Customers report fraudulent charges shortly after shopping with you
  • POS software behaves unexpectedly: slow performance, crashes, unfamiliar processes running
  • Network activity at unusual hours or from unfamiliar IP addresses
  • Staff report unauthorized access attempts or unfamiliar devices attached to POS hardware
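The network indicators above (connections at unusual hours or to unfamiliar addresses) can be checked mechanically against a POS terminal's outbound-connection log. The following is an added example, not code from the original article or from Swyft POS; the log format, the processor allowlist range, the business hours and the transfer-size threshold are all assumed, and the sample log lines are constructed.

```python
import ipaddress
from datetime import datetime

# Constructed sample outbound-connection log from two POS terminals.
# Assumed format: ISO timestamp, terminal name, destination ip:port, bytes sent.
SAMPLE_LOG = """\
2024-03-04T10:15:02 pos-01 203.0.113.10:443 4210
2024-03-04T14:40:11 pos-01 203.0.113.10:443 3980
2024-03-04T02:13:45 pos-01 198.51.100.77:8443 917000
2024-03-04T11:05:30 pos-02 192.0.2.55:443 5120
2024-03-04T03:22:09 pos-02 203.0.113.10:443 4100
"""

# Assumed allowlist: the only destinations a terminal should ever talk to are the
# payment processor's gateway addresses (placeholder range, not a real processor).
PROCESSOR_NETS = [ipaddress.ip_network("203.0.113.0/24")]
BUSINESS_HOURS = (8, 21)          # assumed: store open 08:00-21:00
LARGE_TRANSFER_BYTES = 500_000    # assumed: authorisation messages are a few KB at most

def parse_line(line):
    ts, host, dest, nbytes = line.split()
    ip, port = dest.rsplit(":", 1)
    return {"time": datetime.fromisoformat(ts), "host": host,
            "ip": ipaddress.ip_address(ip), "port": int(port), "bytes": int(nbytes)}

def flag_connection(rec):
    """Return the indicators a single connection trips (empty list = looks normal)."""
    reasons = []
    if not any(rec["ip"] in net for net in PROCESSOR_NETS):
        reasons.append("destination is not an allowlisted processor address")
    if not (BUSINESS_HOURS[0] <= rec["time"].hour < BUSINESS_HOURS[1]):
        reasons.append("connection outside business hours")
    if rec["bytes"] >= LARGE_TRANSFER_BYTES:
        reasons.append("unusually large outbound transfer (possible exfiltration)")
    return reasons

def review_log(text):
    """Map each suspicious log line to the list of reasons it was flagged."""
    findings = {}
    for line in text.splitlines():
        if line.strip():
            reasons = flag_connection(parse_line(line))
            if reasons:
                findings[line] = reasons
    return findings

if __name__ == "__main__":
    for line, reasons in review_log(SAMPLE_LOG).items():
        print(line, "->", "; ".join(reasons))
```

A hit here is a reason to start the containment steps below and to hand the raw log to the forensic investigator, not proof of a breach on its own.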

The Emergency Response Checklist

Phase 1: Contain the Incident

Step 1: Do Not Turn Off or Wipe Systems Immediately

The instinct when discovering a breach is often to shut everything down immediately. Resist this if you can. Turning off systems or wiping them before evidence is preserved can destroy information needed for forensic investigation and may complicate your insurance claim. Contact your payment processor and a cybersecurity professional before making any changes to affected systems.

Step 2: Isolate the Affected System from the Network

While preserving the system itself, disconnect it from your network to stop any ongoing data exfiltration. Unplug the ethernet cable or disable the network connection on the affected POS terminal without powering it down. This stops the breach from continuing without destroying forensic evidence. Businesses that have an offline processing capability in place may be able to maintain limited operations during an incident, which is one reason many retailers invest in systems with reliable offline functionality. Read more about how offline POS mode works.

Step 3: Stop Processing Cards on Compromised Equipment

Immediately stop processing card payments on any terminal you believe to be compromised. If you have additional terminals or can switch to manual card-not-present transactions through a separate secure channel, do so. Continuing to process payments on compromised equipment continues to put customer data at risk.

Step 4: Contact Your Payment Processor

Your payment processor has specific protocols for merchant data breaches. Call them immediately and report the incident. They will guide you on next steps, may temporarily suspend your processing capability to protect customers, and will initiate their own review process. This call is one of the most important steps in the first hour.

Phase 2: Assess and Document

| Action | Why It Matters | Who Does It |
| --- | --- | --- |
| Preserve system logs and evidence | Needed for forensic investigation and insurance claims | Do not delete; notify IT or cybersecurity professional |
| Document everything observed | Timeline of events is critical for investigation | Business owner or manager, immediately |
| Identify the timeframe of potential exposure | Determines which customer transactions may be affected | With payment processor and IT support |
| Change all administrative passwords | Prevent continued unauthorized access | Do immediately on unaffected systems |
| Review who had physical and system access | Insider threats are a common breach vector | Management review |
| Check all terminals for physical tampering | Skimming devices may be attached to card readers | Physical inspection of all hardware |

Phase 3: Notify Required Parties

Step 5: Notify Your Acquiring Bank

Beyond your payment processor, your acquiring bank needs to be informed of the breach. They have obligations to the card networks and will initiate their own processes. Delaying notification can increase your liability and complicate the resolution process.

Step 6: Understand Your Breach Notification Obligations

Most US states have data breach notification laws requiring businesses to notify affected customers when their personal or financial data may have been compromised. These laws vary by state in terms of notification timeline, content requirements, and who else must be notified (state attorney general, credit bureaus). Depending on the scope of the breach, you may also have obligations under PCI DSS. Consult a legal advisor who understands data breach law in your jurisdiction.

Step 7: Consider Notifying Customers

Even if you are not certain that customer data was accessed, proactive and honest communication with customers builds more trust than a delayed disclosure forced by external pressure or media coverage. Keep the communication factual: what happened, what you know, what you are doing about it, and what customers should do to protect themselves.

Phase 4: Investigate and Remediate

Step 8: Bring in a Qualified Forensic Investigator

For any breach involving payment card data, a qualified forensic investigator can determine exactly how the breach occurred, what data was accessed, how long the breach was active, and what remediation is required. PCI DSS may require you to engage a qualified security assessor. Your payment processor or acquiring bank can provide guidance on this requirement.

Step 9: Remediate Before Resuming Full Operations

Do not resume normal card processing on affected systems until the investigation is complete and the security vulnerabilities have been addressed. This may mean deploying replacement hardware, updating software, reconfiguring network security, or rebuilding compromised systems from scratch. Rushing back to normal operations before remediation is complete risks a repeat incident.

Retail Cybersecurity Incident Response: Key Contacts to Have Ready

  • Payment processor: emergency contact number should be in your processor agreement
  • Acquiring bank: contact information from your merchant account documentation
  • Cybersecurity or IT professional: ideally identified before an incident occurs
  • Legal counsel familiar with data breach law in your state
  • Business insurance provider: cyber liability insurance may cover breach costs

How to Reduce the Risk of a Future POS Breach

Prevention Is Better Than Response

The Most Impactful Preventive Steps

Most POS system hacks exploit preventable vulnerabilities. The most common entry points are unchanged default passwords, unpatched software, poorly secured networks, and physical tampering with card reader hardware. A modern POS system that uses end-to-end encryption, operates on a segmented network isolated from other business systems, runs current firmware and software, and has strong unique passwords on every administrative account is significantly harder to compromise than one that does not.

| Preventive Action | What It Protects Against | Priority |
| --- | --- | --- |
| Change all default passwords immediately on setup | Remote access attacks using published default credentials | Critical |
| Segment POS network from general business WiFi | Lateral movement from compromised non-POS devices | High |
| Keep POS software and firmware updated | Known vulnerabilities exploited by attackers | Critical |
| Inspect card readers daily for attached devices | Physical skimming devices | High |
| Enable end-to-end encryption on all terminals | Interception of card data in transit | Critical |
| Restrict administrative access to POS systems | Insider threats and unauthorized access | High |
| Complete annual PCI DSS Self-Assessment Questionnaire | Identifying security gaps before attackers do | Required |

Beyond software updates and password management, businesses should also regularly inspect their payment devices and supporting infrastructure for signs of tampering or outdated security controls. Maintaining secure and up-to-date POS hardware and payment systems is an important part of reducing long-term security risks.

Final Thoughts

Discovering that your retail POS system has been hacked is a serious situation, but organized response significantly reduces the damage. The most important principles are: contain the breach before destroying evidence, notify your payment processor immediately, understand your legal notification obligations, and do not resume full operations until the vulnerability is fully addressed.

The businesses that recover from POS data breaches with their customer relationships intact are almost always the ones that responded quickly, communicated honestly, and took the incident seriously from the first moment.

Swyft POS provides retail POS solutions built with security as a foundation, not an afterthought. If you want to understand how your current system handles security risks, reach out to us.

FAQs

1. What should I do immediately if my POS system is hacked?

Isolate the affected system from the network without powering it down, stop processing cards on compromised equipment, and contact your payment processor immediately. Preserve system logs and evidence before making any changes, and document a timeline of everything you observed.

2. Do I have to notify customers if my POS system is breached?

Most US states require notification to affected customers when personal or financial data may have been compromised. The specific requirements vary by state. Consult a legal advisor familiar with data breach notification law in your jurisdiction as soon as you confirm a breach.

3. What is the most common way POS systems get hacked?

The most common vectors are unchanged default passwords that attackers exploit through remote access, unpatched software with known vulnerabilities, poorly secured networks that allow lateral movement from other devices, and physical skimming devices attached to card reader hardware.

4. Will my business insurance cover a POS data breach?

It depends on your policy. Cyber liability insurance typically covers breach response costs including forensic investigation, customer notification, and legal fees. Standard general liability policies usually do not cover cybersecurity incidents. Review your current coverage and consider adding cyber liability coverage if you accept card payments.

5. How long should I take POS terminals offline after a breach?

Affected terminals should remain offline until a qualified forensic investigation is complete and the specific vulnerabilities are fully addressed. The timeline varies by the complexity of the breach but rushing back to normal operations before remediation is complete risks a repeat incident.
