Six Lines

Point of Sale Terminals and Open Source Software

Posted by Aaron Massey on 16 Jan 2014.

I’m a huge supporter of open source software, but I believe that most businesses still fail to recognize when open source software could solve real problems better than proprietary software. In fact, most businesses don’t even realize that they are in the software business. The key takeaway from Marc Andreessen’s Software is Eating the World theory is that many businesses that don’t think of themselves as being in the software business really are.

Let’s take Target as an example. They recently had a massive data breach, and it’s huge news with the potential to seriously hurt their future business. (Shopping at Walmart is cheaper anyhow…) How did this happen? Brian Krebs takes a first look at it and concludes that the breach resulted from malware installed on Target’s point of sale terminals. Target isn’t the first company to have a data breach, either. The TJ Maxx breach cost $256 million, and the Heartland breach cost $140 million. Those numbers are big enough to justify treating software as a core part of any business.

Even if Target were to embrace the fact that they are a software company, why should they consider open source software? For Target, software isn’t a business differentiator. Nobody decides to shop at Target because their point of sale terminal software is awesome. Customers might stop shopping there for a while because of the bad press, but they will eventually forget; people still shop at TJ Maxx. Open source software works best precisely when the software isn’t a business differentiator. If you’re selling an app on some app store, you probably don’t want to open source it, because most of the time that won’t work out well for you financially. But if you’re selling clothes, home goods, office supplies, and electronics in a brick and mortar store, the software on your point of sale terminals is unlikely to be what differentiates your business.

Target is already paying someone to build this software for them. IBM sells point of sale terminals, and so does Microsoft; Target isn’t getting them for free. Why not pay your own engineers to build and maintain these systems instead? They could be customized to fit Target’s stores, employee needs, and website. IBM and Microsoft care about security, but they don’t care enough to pay the inevitable several-hundred-million-dollar fine resulting from this breach. Target hasn’t been forthcoming about where they got their point of sale terminals, but I would be surprised if the company that sold them is liable for this. No company that lacks physical access to a system should sign a contract making it liable for security violations on that system. A salaried software engineer at Target, on the other hand, would be on the hook; their job would be on the line.

If Target chose the open source route, they wouldn’t be doing it alone. Open source point of sale terminals are already being used by real businesses. Even if Target were the largest company using the software, they could still benefit greatly from contributions from the long tail of other businesses using it. That’s how open source works. Red Hat had a billion dollars in revenue and, according to the Linux Foundation, is the single largest contributor to the Linux kernel; yet their contributions are less than 12% of the total. The rest comes from the wider open source community. How many other brick and mortar retailers would benefit from hiring a small staff of software engineers to develop, deploy, and maintain their point of sale terminals?

Linux is some of the most secure, best-developed software on the planet, in no small part because of the number of people who share an interest in making it as secure as possible. Security should be a primary concern for every developer who works on, and every company that deploys, an open source point of sale terminal. Target’s own engineers would be particularly attentive to security if they were hired to work on this software as a response to the breach. Heck, customers should care about the security of this software too; they are the ones directly affected when it fails, because it’s their personal information that gets stolen. Academics would be interested in it as a real-world example of software with serious security and privacy concerns.

I’d love to see Target make a big investment in open source point of sale terminals. They could hire a respected, experienced software developer to lead the team and cast it directly as a response to this data breach. That would be taking responsibility in a way that goes beyond big fines and promises to do better in the future. It wouldn’t be cheap, but neither is a several-hundred-million-dollar fine, and neither are the security and privacy concerns of their customers.