PCI DSS: POS Vulnerabilities
With article after article written about the infamous January 2007 TJX data breach, many retailers and consumers may not know that the breach was allegedly a Point of Sale (POS) breach.
In separate articles written for the IT Compliance Institute, Information Week and Storefront Backtalk, the suggestion was made that the attacks came through TJX's stand-alone job application kiosks.
Supposedly, hackers were able to physically remove the back of the kiosks and then use USB key drives to deliver malicious software, not only to the kiosks themselves but to the entire TJX network environment.
According to a post on Slashdot.com, an IT security Web site, an anonymous source familiar with the case said that the kiosks not only allowed individuals to apply for jobs but also allowed unfettered access to TJX's network, because of a lack of firewalls.
Detecting and fixing problems at the POS level may seem like a no-brainer when trying to control the dissemination and retention of sensitive data such as credit card numbers, but it continues to be one of the biggest problem areas for retailers as they move toward PCI compliance.
"POS attacks are really heating up," wrote J. Andrew Valentine, a security expert with the Investigative Response Unit within Cybertrust, in a January 2007 SC Magazine article entitled "Hot or Not: Remote access breaches."
"Within the last 12 to 18 months, the majority of cases involving network breach and subsequent data compromise occurring at merchant and restaurant networks were facilitated through the exploitation of legitimate remote access tools existing within those systems."
He continued, "These are legitimate tools installed on POS systems for remote administration, maintenance and break-fix situations by the vendors who sell and manage those systems. Often it's the business proprietors themselves who utilize these remote access tools. For instance, settling transactions from home falls under typical, legitimate usage."
Under the Payment Card Industry Data Security Standard (PCI DSS), retail merchants should follow its 12 requirements; Visa, through its Payment Application Best Practices (PABP), adds an extra layer of guidelines for making retail merchant network environments safe.
The PABP is directed at payment software applications and at the sellers and resellers of that software and of POS terminals. It works hand in hand with PCI DSS and is derived from it.
Merchants should be working with PABP-compliant software and PABP-compliant sellers or resellers of POS terminals, according to Visa, though compliance is not mandatory at this time.
If that isn't confusing enough, Visa also creates and distributes bulletins on behalf of its Cardholder Information Security Program (CISP). These bulletins include information that works in conjunction with both PCI DSS and PABP.
PABP certification is not an easy task; it is intensive and expensive. Nevertheless, more and more merchants are taking that extra step to prevent major breaches like that of TJX, Inc.
According to the PABP guidelines, only a Qualified Payment Application Security Professional (QPASP) from a Qualified Payment Application Security Company (QPASC) should perform an audit of the existing POS software.
Once the audit is complete, the QPASP should send the report to Visa, Inc. in a secure manner. A list of QPASCs is found at www.Visa.com/cisp.
Merchants engaging a third party such as an Approved Scanning Vendor (ASV) or a Qualified Security Assessor (QSA) should raise questions about POS vulnerabilities with them.
ControlScan, a PCI Security Standards Council-approved scanning vendor, works directly with merchants on PCI DSS compliance.
"Almost half of data compromises are due to outdated versions of POS systems," said Richard Stanton, chief technology officer for ControlScan.
Stanton believes that if companies readily followed PCI DSS and PABP, the savings for the company would far outweigh the financial burden of correcting a data breach after it happens.
"60 percent of customers do not typically return to a merchant where they have their card information stolen from, and a typical forensic research project costs around $10,000."
"Add to that that Visa can typically fine a merchant around $30 dollars per card lost, and it makes sense to take the time
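The two weaknesses singled out above, remote-access tools sitting on POS systems (Valentine) and outdated POS software (Stanton), are both things a merchant can check for in its own asset inventory before an ASV or QSA does. The script below is an added example written for this page; it is not ControlScan's, Cybertrust's or Visa's tooling. It audits a constructed inventory of POS hosts and flags well-known remote-administration listeners (more severely when the host has no firewall between it and untrusted networks, as the TJX kiosks reportedly did) and application versions below a hypothetical validated minimum. The host names, application names ("ExamplePOS", "AcmeRegister", "LegacyPOS") and minimum versions are assumptions; in practice the minimums come from the vendor's validation letter. Port-based detection is only an approximation: a tool bound to a non-default port needs a process-level inventory to catch.

```python
"""Audit a POS host inventory for exposed remote-access tools and outdated POS software.

Added example for this article; the inventory, application names and validated
minimum versions below are constructed and hypothetical.
"""
from dataclasses import dataclass

# Default ports of common remote-administration tools. Assumption: tools listen on
# their defaults; anything re-bound elsewhere must be found from a process list.
REMOTE_ACCESS_PORTS = {
    22: "SSH",
    23: "Telnet",
    3389: "RDP",
    5631: "pcAnywhere",
    5632: "pcAnywhere",
    5900: "VNC",
}

# Hypothetical minimum validated versions per payment application (assumption).
VALIDATED_MIN_VERSION = {
    "ExamplePOS": "4.2.0",
    "AcmeRegister": "7.0.1",
}


@dataclass
class PosHost:
    name: str
    app: str
    version: str
    listening_ports: tuple
    internet_reachable: bool  # True when no firewall separates it from untrusted networks


def parse_version(text):
    """'4.1.7' -> (4, 1, 7). Non-numeric components raise ValueError on purpose."""
    return tuple(int(part) for part in text.strip().split("."))


def version_is_outdated(installed, minimum):
    """Compare dotted versions, padding the shorter one with zeros ('4.2' == '4.2.0')."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def audit_host(host):
    """Return a list of (severity, message) findings for one host."""
    findings = []
    for port in sorted(host.listening_ports):
        tool = REMOTE_ACCESS_PORTS.get(port)
        if tool is None:
            continue
        if host.internet_reachable:
            findings.append(("HIGH", f"{tool} ({port}) reachable from untrusted networks"))
        else:
            findings.append(("MEDIUM", f"{tool} ({port}) listening; restrict to vendor addresses"))
    minimum = VALIDATED_MIN_VERSION.get(host.app)
    if minimum is None:
        findings.append(("HIGH", f"{host.app} is not on the validated application list"))
    elif version_is_outdated(host.version, minimum):
        findings.append(("HIGH", f"{host.app} {host.version} is below validated minimum {minimum}"))
    return findings


def audit(hosts):
    """Map each host name to its findings."""
    return {host.name: audit_host(host) for host in hosts}


def severity_counts(hosts):
    """Roll findings up into a count per severity for reporting."""
    counts = {"HIGH": 0, "MEDIUM": 0}
    for findings in audit(hosts).values():
        for severity, _ in findings:
            counts[severity] += 1
    return counts


# Constructed inventory: a register with RDP and VNC open to the Internet on an old
# build, a properly firewalled register with vendor pcAnywhere, and an unvalidated app.
SAMPLE_HOSTS = [
    PosHost("store-12-reg1", "ExamplePOS", "4.1.7", (3389, 5900, 8080), True),
    PosHost("store-12-reg2", "ExamplePOS", "4.2.3", (5631, 5632), False),
    PosHost("store-12-backoffice", "LegacyPOS", "2.0", (80,), False),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_HOSTS).items():
        print(name)
        for severity, message in findings:
            print(f"  [{severity}] {message}")
    print(severity_counts(SAMPLE_HOSTS))
```

Run against a real inventory, the HIGH findings are exactly the items an ASV scan or a QSA interview will surface anyway; dealing with them first is cheaper than the forensic engagement and per-card fines Stanton describes.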