November 2, 2007 • Vol.29 Issue 44
Page(s) 23 in print issue

PCI Compliance Challenges
Keeping Point-Of-Sale Equipment Secure
While credit card commercials show lines of dancing shoppers merrily swiping their credit cards and extolling the convenience of a cashless society, they do not discuss the very real threat of identity theft at the cash register.

Monica Chauhan, director of embedded solutions for Solidcore (www.solidcore.com), a leading provider of real-time change control software, cites Gartner Group statistics showing that four out of five data breaches occur at PoS (point-of-sale) systems.

Lock It Down

“These point-of-sale systems can be vulnerable to exploitation if not properly locked down,” Chauhan says. “For decades, embedded devices consisted of specialized hardware running proprietary software, but in recent times, there has been a shift towards standardization, such as Unified Point of Sale (UPoS) in the retail industry.”

“Standardization has enabled devices to become increasingly interconnected and has allowed for the use of off-the-shelf software on commoditized hardware running commercial or open operating systems, such as Windows XP Embedded, WEPOS [Windows Embedded for Point of Service], and Linux,” Chauhan observes.

According to Chauhan, greater system flexibility and quicker development time have created security risks for PoS equipment owners.

Some Systems Are Vulnerable

Robert J. McCullen, chairman and CEO of Trustwave (www.trustwave.com), a security firm specializing in information security and compliance management solutions, agrees with Chauhan that many but not all PoS systems are vulnerable to exploitation.

“A little dial-up swipe machine is a low-risk device,” McCullen says. “PoS equipment more prone to vulnerable exploitation are those that are computer-based and/or have Internet access; the risk lies in those two prime factors.”

According to McCullen, if a PoS system stores credit card track data, exploitation can occur, and swipe terminals can be exploited through tampering.

“Generally, hardware swipe terminals have low exploit risk, rather a higher risk of tampering, and thus the tampering will allow hackers to read the cards, whether through a Bluetooth device used later to get the card data or other efforts to retrieve the information,” McCullen explains.

Chauhan points out other vulnerabilities. She claims that because today’s PoS systems are similar to networked PCs, they require constant patching. Chauhan says embedded systems have also become vulnerable to unauthorized and inappropriate changes as they are handed off to others in the distribution channel. This often results in malfunctions and can cause the equipment to no longer meet PCI DSS (PCI Data Security Standard) requirements.

PCI DSS Challenges

Chauhan and McCullen agree that PoS equipment faces some unique challenges when complying with the PCI DSS.

“Requirement 5 states that you must use and regularly update antivirus software,” Chauhan says. Antivirus software can be very high overhead for a low-footprint PoS system, she notes; however, change control software can eliminate the need for antivirus software.

For example, Chauhan explains that NEC Infrontia installed change control software on its PoS offerings and thus prevented unauthorized code from breaking unpatched systems. This allowed NEC Infrontia to remove the antivirus software that was impacting the performance of its devices, Chauhan notes.

PCI DSS Requirement 6, “Develop and maintain secure systems and applications,” presents unique challenges, Chauhan notes.

“It is difficult for PoS equipment providers to ensure their systems sustain PCI compliance after they are shipped through the dealer network and get put into production at the retail location,” Chauhan observes.

According to Chauhan, StoreNext (www.storenext.com), a large supplier of technology and PoS systems for independent grocers and small chains, solved PCI DSS Requirement 6 patching challenges by embedding Solidcore change control in its systems.

“In addition, StoreNext was able to reduce the amount of time spent on monthly test and patch distribution cycles by reducing its patch frequency to quarterly,” Chauhan states. Chauhan also claims that the PCI auditing requirement can be met through change control software.

Other thorny areas include data encryption and user-based access controls, McCullen states.

Armored POS Systems

McCullen says that merchants can determine if their POS systems meet compliance requirements by checking out Visa's Payment Application Best Practices, which can be found online in the Cardholder Information Security Program (CISP) section under the Risk Management heading on Visa’s Merchants site (usa.visa.com/merchants). The CISP section’s Tools And FAQ page also includes helpful information, including a list of payment applications that have been validated by Visa.

“Those POS software-based systems that have been validated with the Visa Payment Application Best Practice (PABP) are more resistant to an attack,” McCullen says. “For hardware-based devices like pin pads, certification of compliance through the Payment Card Industry (PCI) Pin Encryption Device (PED) would lower risk of exploitation.”

Merchants who would like to use QSAs (Qualified Security Assessors) to validate their POS systems should consult a list of QSAs that Visa says are certified to perform Payment Application Security Assessments. The list can also be found on the CISP Tools And FAQ page.

Chauhan suggests that to determine if their existing POS equipment and software is PCI-compliant, SMEs should ask their POS system providers what types of security measures are in place on the POS systems. Merchants should ask their POS dealers to furnish a report of what software applications are running on the POS systems, Chauhan says.

“With change control software like the type Solidcore offers, this type of visibility and reporting is easily done,” she notes.
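As an added illustration of the change-control approach Chauhan describes in the antivirus and reporting passages above (example code written for this page, not Solidcore's product or anything from the article), the script below baselines the approved executables on a device image before shipment and then reports what was modified, added, or removed once the device is in the field; the file names, contents, and the set of suffixes treated as code are assumptions.

```python
# Added example (not from the article or Solidcore): a minimal "change control"
# check for a PoS image. Instead of scanning for known-bad code (antivirus), it
# records a baseline of approved executables and flags anything that differs.
import hashlib
from pathlib import Path
from tempfile import TemporaryDirectory

EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".sh", ".so"}  # assumption: what counts as code

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Snapshot of approved code: relative path -> SHA-256, taken before shipment."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES
    }

def audit(root: Path, baseline: dict) -> dict:
    """Compare the deployed device against the baseline. This is the kind of
    report a dealer could hand a merchant: what code is present and what changed."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }

def demo() -> dict:
    """Constructed scenario: a device image is baselined, then altered in the channel."""
    with TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "pos.exe").write_bytes(b"approved PoS application v1")
        (root / "bin" / "printer.dll").write_bytes(b"approved printer driver")
        (root / "receipts.txt").write_bytes(b"data, not code")  # ignored by the check
        baseline = build_baseline(root)
        # Unauthorized changes made after shipment: a patched binary and a new one.
        (root / "bin" / "pos.exe").write_bytes(b"approved PoS application v1 + unapproved change")
        (root / "bin" / "unapproved.exe").write_bytes(b"something the dealer never approved")
        return audit(root, baseline)

if __name__ == "__main__":
    print(demo())
```

A real deployment would block execution of anything outside the baseline rather than only report it, and would store the baseline somewhere the device itself cannot rewrite.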

Reverse The Curse

Merchants can counter the POS security breach trend by adopting systems validated by recognized standards, such as Visa’s PABP. Using low-resource technologies, such as change control and traditional security controls, can help mitigate the risk of data exposure.

by Bill Hayes


NRF Says No To Holding Credit Card Numbers

Last month, the National Retail Federation Senior Vice President and CIO David Hogan sent an open letter to the Payment Card Industry Security Standards Council stating that retailers should not be storing credit card data. Hogan wrote that the only data that retailers should retain for credit card payment disputes is an abbreviated receipt with its credit card transaction code.

Gartner Group distinguished analyst and Vice President Avivah Litan agrees. A former World Bank manager of 15 years, Litan says that the NRF’s suggestions make sense.

“The banks and processors are the companies earning the revenue from fees merchants pay to accept card payments; a big chunk of those merchant fees go to cover risk and fraud, so they are already paying for continuing security,” Litan explains. “It’s time for them to get what they pay for.”

According to Litan, the card industry should update the payment protocols for stronger security. “Everything would have to change in the process flow to accommodate the new design; technically, it’s simple; logistically, it would take a lot of time and would require a lot of moving parts to come together,” Litan says.

“But in the end, it would take less time, work, and money than compliance with the current PCI requirements demand,” Litan notes. “And it’s the right strategy to take. Everything else is putting (bandages) on the old problems; the right way to proceed is to change the payment system and take card account data out of retailer systems.”

Copyright © by Sandhills Publishing Company 2014. All rights reserved.