Merchants 5 Step Guide
To PCI Compliance

   Step 1: An Introduction to PCI Compliance

   Step 2: Finding PCI DSS Level

   Step 3: Security Audits: 12 Requirements

   Step 4: Finding a PCI DSS Approved Scanning Vendor (ASV)

   Step 5: Completing the PCI DSS Self Questionnaire


 ISO / Acquirers 5 Step Guide
To PCI Compliance

   Introduction

   Step 1: Engage all resources

   Step 2: Identify and confirm a partner

   Step 3: Make your merchants aware of PCI Compliance

   Step 4: Supply tools to merchant

   Step 5: Implement and track

   Other considerations


 PCI COMPLIANCE
INFO

   New PCI Compliance 1.1 Standards

   PCI Compliant Basics

   PCI Compliance & Consumers

   Implementing PCI Compliance

   PCI Compliant Scan

   Further PCI Compliance Resources

   PCI Compliance Polls & Surveys


 PCI COMPLIANT
VENDORS

   Find PCI Scan Vendors

 About Us

   Contact Us

   PCI Compliance News

   SiteMap

   SSL Certificate

   EV SSL Certificate Guide






PCI DSS: POS Vulnerabilities

With article after article written about the infamous, January 2007 TJX data breach, many retailers and consumers may not know that the breach was allegedly a Point Of Sale (POS) breach.

In separate articles written for the IT Compliance Institute, Information Week and Storefront Backtalk, the suggestion was made that the attacks came from TJX's stand-alone job application kiosks.

Supposedly, hackers were able to physically remove the back of the kiosks, and, then, they used USB key drives to deliver malicious software not only at the kiosk level, but to the entire TJX network environment as well.

According to a post on Sladshot.com-an IT security Web site-an anonymous source, familiar with the case, said that the kiosks not only allowed individuals to apply for jobs, but it allowed unfettered access to TJX's network, because of a lack of firewalls.

Detecting and fixing problems at the POS level may seem like a no-brainer, when trying to control the dissemination and retention of sensitive data like credit card numbers, but it continues to be one of the biggest problem areas for retailers as they move toward PCI compliance. "POS attacks are really heating up," wrote J. Andrew Valentine, a security expert with the Investigative Response Unit within Cybertrust, in a January 2007 article entitled, Hot or Not: Remote access breaches for SC Magazine. "Within the last 12 to 18 months, the majority of cases involving network breach and subsequent data compromise occurring at merchant and restaurant networks were facilitated through the exploitation of legitimate remote access tools existing within those systems."

He continued, "These are legitimate tools installed on POS systems for remote administration, maintenance and break-fix situations by the vendors who sell and manage those systems. Often it's the business proprietors themselves who utilize these remote access tools. For instance, settling transactions from home falls under typical, legitimate usage."

According to Payment Card Industry Data Security Standards (PCI DSS) requirements, retail merchants should follow the 12 requirements, however Visa-via the Payment Application Best Practices (PABP)-adds an extra layer of guidelines for making retail merchant network environments safe.

The PABP is directed to software applications and those sellers and resellers of said software and POS terminals. PCI DSS compliance works hand-in-hand, and is derived from PCI DSS.

Merchants should be working with PABP-compliant software and PABP compliant seller or re-seller of POS terminals, according to VISA, though compliance is not mandatory at this time.

If that isn't confusing enough, VISA also creates and distributes bulletins on behalf of their Cardholder Information Security Program (CISP). These bulletins include information that works in conjunction with both PCI DSS and PABP.

PABP certification is not an easy task and it is intensive and expensive, however more and more merchants are taking that extra step, to prevent major breaches like that of TJX, Inc.

According to the PABP guidelines, only a Qualified Payment Application Security Professional (QPASP), from a Qualified Payment Application Security Company (QPASC) should perform an audit on the existing POS software.

Once the audit is complete, the QPASP should send the report to VISA, Inc., in a secure manner. A list of QPASCs is found at www.Visa.com/cisp.

Merchants engaging a third party such as an ASV, or QSA, should engage questions concerning POS vulnerabilities.

ControlScan, a PCI Security Council-approved scanning vendor, works with merchants-directly-as it relates to PCI DSS compliance.

"Almost half of data compromises are due to outdated versions of POS systems, " said Richard Stanton, chief technology officer for ControlScan.

Stanton believes that if companies readily followed PCI DSS and PABP, the savings for the company would far outweigh the financial burden of correcting a data breach after it happens.

"60 percent of customers do not typically return to a merchant where they have their card information stolen from, and a typical forensic research project costs around $10,000."

"Add to that that Visa can typically fine a merchant around $30 dollars per card lost, and it makes sense to take the time

pci compliance asv




pci compliancePrint this page

Send this page to a friend

|  Home  |  About PCI Compliance |  For Acquirers |  Find PCI Compliance Solutions | 
|  Preventing Data Breaches |  Managing Data Breaches |  Contact Us |    EV SSL Certificate Guide | 
© 2008 PCI Compliance Guide.org
   All right reserved - do not copy any material without written permission.