Make it Easy to Protect IDs and Passwords

I've observed and interviewed hundreds of POS users and their managers across North America and Europe, and I consistently see gaps in security due to poorly designed technology. The problem almost always comes down to one fact: It's too difficult (or too time-consuming) to follow company security guidelines.

In very many cases, the company itself has set up a conflict in employees' priorities. On one hand, they are told to serve the customer quickly and efficiently; on the other hand, they are told to take extra time to lock their computer as they leave the station, to enter a user ID and password when they return (or sometimes before each transaction), etc. Given a conflict in priorities, employees have to choose one or the other... and more often than not, they opt for the less secure option.

The key, then, is to provide mechanisms that allow users to be secure without compromising speed or other company priorities. Technologies such as badge readers and biometric devices can help make it easier for users to protect their personal information. If these are not available or they don't fit your particular need (e.g., if there is a concern over employee badge sharing), you should look for ways to reduce the needed interaction with the system without reducing security.

For example: at one client, employees were supposed to log out when they left their station, thus ensuring that the next person would have to enter their employee ID and password before ringing transactions. A system timeout would also log out the current user after 90 seconds. The problem was, however, that both their user ID and password consisted of a very long series of numbers, and the original UI was such that it invited errors. So, employees would often return to the computer with a couple of customers in line, and in their haste to log back on, they would make mistake after mistake, slowing them down even more.

One of their workarounds was to pretend to start a new transaction using an option that had no monetary value. This prevented the timeout feature from kicking in and avoided the embarrassing situation of being unable to quickly log in when they returned.

Our replacement POS fixed the problem in several ways: First, we made the keypad easier to use so as to minimize errors. Then, we eliminated the need to enter the employee ID (employees knew each other's IDs anyway), and instead, they simply had to select their name from among the few who were assigned to the register. Finally, we increased the delay before timeout, reducing the likelihood that the system would perform an auto-logout between customers.