Retail PoS (point of sale) systems are responsible for processing customers’ payments and are able to scan credit cards so that customers don’t have to pay with cash. As a society, we generally carry far less cash today, relying more on debit or credit cards as a convenient, fast and ostensibly secure form of payment.

If your retail business uses a computer-based PoS system, it may become a target for what is known as ‘RAM scraping’ malware attacks. These can capture and steal a customer’s data, such as PINs and other confidential details, when a debit or credit card is scanned. The information is held in the PoS system’s random-access memory, known as ‘RAM’.

How does PoS malware work?

The popularity of payment cards has led to data theft, a common crime with immediate monetary benefits to the cybercriminal. The objective of PoS malware is to steal the data stored in payment cards’ magnetic stripes so that attackers can clone the cards and charge the accounts connected with the victim.


The payment card industry uses a set of security standards that enforce end-to-end encryption of sensitive payment data, which comes from the card’s magnetic stripe or chip, when it’s transmitted, received or stored. However, PoS malware often looks for security lapses to enter the system, such as default login credentials or compromised partner systems. Once inside, the PoS malware can select which data to steal and upload to a remote server.

What is RAM scraping malware?

A RAM scraping attack, a form of PoS malware, is an intrusion into the RAM of a retail transaction terminal. The malware scans the memory and ‘scrapes’ temporarily stored data off the device, simply stealing unencrypted information as it moves through the system.

RAM scraping is a threat that affects not only the retail industry but any firm that processes large volumes of consumer payment cards. This ranges from leisure and hospitality to banking and insurance.

This form of cybercrime has affected retail merchants and consumers for many years. The global payment card firm Visa reported the first documented RAM scraping attack in October 2008. Security staff discovered that hackers had gained access to PoS terminals that process consumer transactions using Visa’s cards. The hackers were able to access unencrypted client information from the terminals’ RAM in an attempt to dump credit card data.

But PoS malware does come with limitations: the stolen information cannot be used to make purchases online. The magnetic stripe data (known as track 1 and track 2 data) and the chip do not contain the CVV2, the three-digit code on the card that’s required for online shopping. To use the stolen information, a person has to physically clone the credit card.
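
A defender can test for the same exposure from the other side. The following is an added example, not part of the original article: it scans a buffer you own (an application log or a crash dump from a test terminal) for unencrypted track 1/track 2 data and card numbers, and reports only masked values. The patterns follow the standard track layouts, the sample buffer is constructed, and 4111111111111111 is a widely used test card number.

```python
import re

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1 = re.compile(rb"%B(\d{13,19})\^[^^\x00-\x1f]{2,26}\^\d{7}[^?\x00-\x1f]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2 = re.compile(rb";(\d{13,19})=\d{7}\d*\?")
# Bare card number: 13-19 digits that are not part of a longer digit run
BARE_PAN = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")

# Constructed sample: a log/dump fragment holding test card data in the clear
SAMPLE = (
    b"\x00\x17txn=8841 %B4111111111111111^DOE/JANE^3012101123?\x00"
    b";4111111111111111=3012101123?\x00"
    b"order_id=1234567890123456 pan=4111111111111111\n"
)

def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum; filters out order ids and other random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48  # ASCII digit to int
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: bytes) -> str:
    """Keep first six and last four digits only, so reports hold no full PAN."""
    s = pan.decode("ascii")
    return s[:6] + "*" * (len(s) - 10) + s[-4:]

def find_cleartext_card_data(buf: bytes) -> list[dict]:
    """Return masked findings (kind, offset, pan) for unencrypted card data."""
    findings, seen = [], set()
    for kind, rx in (("track1", TRACK1), ("track2", TRACK2), ("pan", BARE_PAN)):
        for m in rx.finditer(buf):
            pan, start = m.group(1), m.start(1)
            if start in seen or not luhn_ok(pan):
                continue  # already reported as track data, or not a card number
            seen.add(start)
            findings.append({"kind": kind, "offset": start, "pan": mask(pan)})
    return sorted(findings, key=lambda f: f["offset"])

if __name__ == "__main__":
    for finding in find_cleartext_card_data(SAMPLE):
        print(finding)
```

Any finding means card data is sitting unencrypted where memory-reading malware could also reach it; an empty result on a buffer that should contain transactions suggests the data is encrypted or tokenised at that point.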

A notable PoS malware attack

PoS malware received a lot of attention from the public after it was revealed that US retailer Target suffered a massive data breach in 2014. It affected the payments, transactions and other personally identifiable data of an estimated 110 million customers – nearly a third of the US population. Analysis indicated that the malware involved in this breach was part of the BlackPOS/Kaptoxa malware family.


Protection from a PoS malware or RAM scraping attack

PoS malware is undoubtedly more of a concern for retailers than for consumers. According to Statista, the number of malware attacks worldwide reached 2.8 billion during the first half of 2022. In 2021, there were 5.4 billion malware attacks detected. In recent years, the highest number of malware attacks was detected in 2018, when 10.5 billion attacks were reported worldwide.

However, consumers should still be vigilant about protecting their bank accounts. Regular monitoring of bank statements is a good way to check for fraudulent purchases, data breach or not. We also recommend real-time identity theft monitoring.

RAM scrapers are intended to detect, capture and exfiltrate credit and debit card data from endpoints that process and store it. Securus recommends the following safeguards to protect against PoS malware attacks:

1) Secure passwords

Using strong passwords can help reduce the chance of infection. Passwords are required for PoS systems. If a hacker has access to a PoS system’s admin password, they may be able to install RAM-scraping malware on it. Creating a strong password will keep the PoS system secure, decreasing the chance of RAM-scraping malware infiltration. Securus recommends using a password manager, a software application designed to store and manage online credentials.


2) Two-factor authentication

Use two-factor authentication (2FA) when accessing the payment processing networks. Even if you have a Virtual Private Network (VPN), it’s also important to implement 2FA to help mitigate keylogger or credential-dumping attacks. As a minimum, all financial applications should have 2FA as your first line of defence.

3) Update software regularly

A simple way to avert a compromise is to deploy security fixes to software and hardware systems on a regular basis. Software companies release patches and improvements for their operating systems all the time. Routinely patching operating systems and software with security upgrades gives access to the latest security measures for added peace of mind.

4) Block remote access

Consider blocking remote access to all of the company’s PoS systems. SMEs rarely require this functionality, so it can be disabled for added security protection.

5) Use anti-phishing and anti-malware solutions

Spear-phishing emails and the presence of malware continue to be among the most common PoS RAM scraper infection methods. Anti-phishing software detects and prevents phishing emails, while anti-malware solutions scan files to identify, stop and remove harmful software such as viruses, Trojans and worms from computers.


6) Endpoint protection solutions

Endpoint Protection (EPP) is a security solution that detects and blocks endpoint device-level threats. It keeps track of who has accessed data, as well as what changes were made. EPP solutions often combine antivirus capability with firewalls, anti-malware, Virtual Private Network (VPN) data encryption and Data Loss Prevention (DLP). On a per device, per month basis, this protection is hugely cost effective.


PoS malware attacks have grown enormously over the past few years and have been shown to be more harmful to companies than virtually any other danger. They remain a major threat for businesses and individuals where credit cards represent the primary payment processing mechanism.

If you want to find out more about how Securus can help you prevent such damaging attacks, please call us on 03451 283457, or visit
