Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness



CISP BULLETIN
November 21, 2006

To support compliance with the Cardholder Information Security Program (CISP), Visa USA is committed to helping payment system participants better understand their responsibility to secure cardholder data. As part of this commitment, Visa has identified three areas of vulnerability within a point of sale (POS) environment and developed strategies to mitigate the risk of a data compromise.

Improperly Installed and Maintained Point of Sale Systems Increase Risk of Compromise

The point of sale (POS) environment has evolved from simple cash registers and dial-up terminals to highly flexible and multifunctional systems. These newer systems have also created greater technical complexity at the merchant storefront. Merchants now commonly use a high-speed connection with client POS terminals connected to a central back-end server (the Host). This sophisticated architecture mirrors the client-server architecture of most Internet-based systems and warrants equally stringent security measures.

The availability of always-on high-speed connectivity brings a new level of efficiency to the payments industry, as systems maintenance and troubleshooting can now be performed remotely. However, such capabilities introduce vulnerabilities to the POS environment if not properly secured. For example, if an intruder breaches the outside boundary of a merchant's POS network, both the Host system and the individual terminals can be compromised, leading to a loss of cardholder data.

To minimize the threat of compromise, it is critical for merchants to ensure their POS systems are properly configured and not susceptible to common vulnerabilities. A member must ensure its merchants adhere to the Payment Card Industry Data Security Standard (PCI DSS) anywhere cardholder data is stored, processed or transmitted, including the POS environment.
Below is a general overview of the top three areas of POS system vulnerabilities known to Visa, along with basic mitigation strategies. Additionally, Appendix A, Controls to Address Common POS System Vulnerabilities, is attached for use by technical staff as a more detailed explanation of the problems, along with suggested mitigation strategies to address these vulnerabilities. While Visa believes that these recommendations will effectively mitigate the risk of compromise in POS environments, there are many factors that affect vulnerability, and the recommendations here may not be appropriate or sufficient depending on the specific features of POS systems and the business environments in which they are implemented. In any event, Visa disclaims all responsibility for the effectiveness, any compromises or other consequences of these recommendations.

Top Three Areas of POS System Vulnerabilities

1. Remote Access Security

Many POS solution vendors, resellers and integrators have introduced remote access management products into the merchant environments they support. A wide variety of remote access solutions exists, ranging from command-line based (e.g., SSH, Telnet) to visually driven packages (e.g., pcAnywhere, VNC, MS Remote Desktop). Remote management products come with an inherent level of risk that may create a virtual back door, and therefore must be installed in a manner that complies with PCI DSS.

Risk Impact

The exploitation of improperly configured and unpatched remote management software tools is the method of attack most frequently used by hackers against POS payment systems. An improperly configured system can be vulnerable in the following ways:

- Failure to regularly update or patch systems can render the system vulnerable to exploits that defeat the security mechanisms built into the product.
- Lack of encryption or weak encryption algorithms can lead to the disclosure of access credentials.
- Use of default passwords can provide easy access to unauthorized individuals.
- Disabled logging mechanisms eliminate insight into system access activity and signs of intrusion.

All of these examples can ultimately lead to a compromised system and greatly increase the risk of data theft.

Risk Mitigation Strategy

To ensure systems are safely configured, merchants should consult their payment application(s) vendors, resellers and integrators to ask the following questions:

- What type of remote management software is utilized, if any?
- Who has access to the remote management software, and is access necessary?
- How is the remote management software installed and configured?
- Is the software using default settings? (If so, the settings must be changed immediately.)
- What is the password management policy? Are strong passwords used? Strong password requirements are outlined in the PCI DSS.
- What policies and procedures exist to keep security patches updated on a regular basis?
- What is the current encryption and logging configuration?
- What other safeguards can be deployed to secure my system?

Environments that use remote access features must be compliant with the PCI DSS in all of the above areas. For more information on how to secure remote access software, please refer to Appendix A, Section 1.
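The remote access risks above (default settings, missing encryption, disabled logging) and the Appendix A, Section 1 guidelines to block a remote address after a pre-defined number of failed logins and to allow access only from specific locations can be checked by replaying the remote management product's own logs. The following is an added example, not part of the Visa bulletin: the log line format, the lockout thresholds (five failures in ten minutes) and the approved source range are constructed assumptions, and a real product such as pcAnywhere, VNC or Remote Desktop would need its own parser in place of parse_line().

```python
"""Replay remote management login logs and report lockouts, logins from
unapproved locations, and a success that follows a lockout.
Added example; the format, thresholds and address ranges are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed line format: "<date> <time> <product> LOGIN_OK|LOGIN_FAIL user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<product>\S+) "
    r"(?P<result>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

FAIL_THRESHOLD = 5                    # assumed lockout policy: 5 failures ...
FAIL_WINDOW = timedelta(minutes=10)   # ... within 10 minutes
# Assumed: the only location remote management may come from (constructed vendor support range)
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["src"] = ipaddress.ip_address(ev["src"])
    return ev


def source_allowed(addr):
    """True if the address lies inside one of the approved source ranges."""
    return any(addr in network for network in ALLOWED_SOURCES)


def review_remote_access(lines, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Replay the log; return the sources to block and the findings to investigate."""
    recent_failures = defaultdict(deque)   # src -> timestamps of failures inside the window
    blocked = {}                           # src -> time the lockout threshold was reached
    flagged_sources = set()                # unapproved sources already reported once
    findings = []                          # (timestamp, source, description)

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]

        if not source_allowed(src) and src not in flagged_sources:
            flagged_sources.add(src)
            findings.append((ts, str(src), "connection from a source outside the approved locations"))

        if ev["result"] == "LOGIN_FAIL":
            q = recent_failures[src]
            q.append(ts)
            while q and ts - q[0] > window:     # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in blocked:
                blocked[src] = ts
                findings.append((ts, str(src), f"{len(q)} failed logins within {window}; block source"))
        elif src in blocked:
            findings.append((ts, str(src), f"successful login as {ev['user']} after lockout; investigate"))

    return {"blocked": sorted(str(s) for s in blocked), "findings": findings}


# Constructed sample log: a password-guessing run from an unapproved address that
# eventually succeeds, followed by normal vendor activity from the approved range.
SAMPLE_LOG = """\
2006-11-20 22:01:05 remote_mgmt LOGIN_FAIL user=admin src=198.51.100.7
2006-11-20 22:01:09 remote_mgmt LOGIN_FAIL user=admin src=198.51.100.7
2006-11-20 22:01:14 remote_mgmt LOGIN_FAIL user=administrator src=198.51.100.7
2006-11-20 22:01:20 remote_mgmt LOGIN_FAIL user=posuser src=198.51.100.7
2006-11-20 22:01:27 remote_mgmt LOGIN_FAIL user=support src=198.51.100.7
2006-11-20 22:01:33 remote_mgmt LOGIN_OK user=support src=198.51.100.7
2006-11-20 23:10:00 remote_mgmt LOGIN_OK user=vendor_tech src=203.0.113.25
2006-11-21 08:15:42 remote_mgmt LOGIN_FAIL user=vendor_tech src=203.0.113.25
2006-11-21 08:16:01 remote_mgmt LOGIN_OK user=vendor_tech src=203.0.113.25
""".splitlines()

if __name__ == "__main__":
    report = review_remote_access(SAMPLE_LOG)
    print("block:", report["blocked"])
    for ts, src, what in report["findings"]:
        print(ts, src, what)
```

The review deliberately reports an unapproved source once rather than on every line, so the lockout and the post-lockout success stand out as separate findings; the successful login after a lockout is the event that should trigger an incident review rather than only a block.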

2. Host Security

Most POS environments consolidate payment system traffic into one central repository that provides authorization functionality as well as data backup and various management functions. This system is commonly referred to as the Host, and is generally the most valuable target for an attacker because of the information that is stored within or transmitted through this device.

Risk Impact

A successful intrusion into a merchant's network infrastructure, or unrestricted physical access, can provide direct access to the Host. If an attacker compromises the Host, sensitive payment-related data can be extracted from the POS environment. By eliminating the storage of valuable information, a merchant can limit the extent of any possible compromise. Among the other serious consequences of unauthorized access to the Host could be the destruction of the data stored on the system, or of the system itself. Both scenarios would significantly disrupt a merchant's ability to conduct business and would likely result in a costly and time-consuming remediation effort. Security of the Host is paramount in safeguarding sensitive data and the merchant's ability to conduct business.

Risk Mitigation Strategy

To minimize the threat of compromise, it is crucial that merchants only use a payment application that has been validated as compliant with the Visa Payment Application Best Practices (PABP). PABP was created by Visa to help members and merchants comply with the PCI DSS by establishing minimum security standards for payment applications. A list of PABP-compliant payment applications can be found at www.visa.com/cisp. PABP-compliant payment applications do not retain full magnetic stripe data and facilitate compliance with the PCI DSS. In addition, a merchant must also ensure its Host software does not store any prohibited data elements, such as full magnetic stripe data, PINs or PIN blocks, that may have been logged prior to the deployment of a PABP-compliant POS application.

Further, the Host system should have the following characteristics:

- The Host must be dedicated solely to processing transaction data.
- All user management controls must be compliant with the PCI DSS.
- The Host must be configured in accordance with the PCI standards governing patch management, password management and security configuration.
- The Host must be physically protected in a secured area, accessible to authorized personnel only, and all access should be logged and monitored.
- The Host must only accept requests from known sources, based on rules governing access requests which are reviewed on a regular basis. Access requests should be logged to identify unusual activity and to assist in scoping the extent of possible exposure in the event of a compromise.

A merchant should consult its payment application(s) vendor, reseller or integrator to ask the following questions:

- Does the product store prohibited data elements, such as full magnetic stripe data, PINs or PIN blocks?
- Are the product and the version in use PABP-compliant?
- Has all previously stored, prohibited data been properly removed from the system(s)?
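The last two questions above, whether the product stores full magnetic stripe data and whether previously stored prohibited data has been removed, can be answered by scanning the Host's log files, database exports and application directories rather than by taking the vendor's word for it. The following is an added example, not part of the Visa bulletin: it detects track 1 and track 2 data (the ISO/IEC 7813 layout of PAN, separator, expiry and service code) and cleartext PANs validated with the Luhn check, and masks every PAN it reports so the scan output itself does not become a new store of cardholder data. The sample text is constructed from public test card numbers.

```python
"""Scan text for prohibited cardholder data elements: full magnetic stripe
(track 1 / track 2) data, which must never be retained, and cleartext primary
account numbers (PANs), which must be rendered unreadable if stored.
Added example; the sample content is constructed from public test numbers."""
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\??"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";?(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})\d*\??")
# Bare PAN candidate: 13 to 19 digits, optionally separated by single spaces or dashes
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check-digit validation; filters out most digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep only the first six and last four digits when reporting a finding."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text):
    """Return one finding per prohibited element found, with the PAN masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        covered = []   # character spans already reported as track data
        for rx, kind in ((TRACK1_RE, "track1"), (TRACK2_RE, "track2")):
            for m in rx.finditer(line):
                if luhn_ok(m.group("pan")):
                    findings.append({"line": lineno, "kind": kind,
                                     "pan_masked": mask_pan(m.group("pan"))})
                    covered.append(m.span())
        for m in PAN_RE.finditer(line):
            if any(s <= m.start() and m.end() <= e for s, e in covered):
                continue   # this PAN is part of track data already reported
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append({"line": lineno, "kind": "pan", "pan_masked": mask_pan(digits)})
    return findings


def summarize(findings):
    """Track data is prohibited outright; cleartext PANs must be protected (PCI DSS Req. 3)."""
    track = sum(1 for f in findings if f["kind"] in ("track1", "track2"))
    return {"track_data": track, "cleartext_pan": len(findings) - track}


# Constructed sample: a POS application log in which a debug line retained the full
# swipe, one line logged a cleartext PAN, one masked it correctly, and one carries
# a 16-digit batch number that is not a PAN (fails the Luhn check).
SAMPLE_FILE = """\
2006-11-20 21:58:11 AUTH req id=8841 amount=42.17 result=APPROVED
2006-11-20 21:58:11 DEBUG swipe=%B4111111111111111^DOE/JANE^0912101000000000?;4111111111111111=09121010000000000000?
2006-11-20 21:59:03 AUTH req id=8842 pan=5555 5555 5555 4444 exp=0912 result=APPROVED
2006-11-20 21:59:40 AUTH req id=8843 pan=411111******1111 result=DECLINED
2006-11-20 22:00:02 INFO batch=1234567890123456 settled
"""

if __name__ == "__main__":
    found = scan_text(SAMPLE_FILE)
    for f in found:
        print(f"line {f['line']}: {f['kind']} {f['pan_masked']}")
    print(summarize(found))
```

Run against a directory of logs, database dumps and temporary files on the Host, a non-empty track_data count means the application (or an earlier version of it) retained full magnetic stripe data, which the bulletin treats as a violation regardless of business need; a cleartext_pan count identifies data that must be rendered unreadable or securely destroyed.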

For additional information on securing Host environments, please refer to Appendix A, Section 2.

3. Network Security

Securing the network and monitoring network traffic for signs of unauthorized access is the foundation of a secure environment. Many POS environments are beginning to utilize wired or wireless networks to manage both POS and inventory control systems. Adequate security controls must be implemented to ensure the network is properly configured, and a basic level of activity logging must be maintained in accordance with the PCI DSS.

Risk Impact

Often, merchants that experience a data breach are found to have network devices deployed within their environments with default access credentials. Many wireless devices, such as routers, come configured from vendors with default IDs and passwords. Failing to change the default credentials often results in an intrusion: default credentials are freely available on the Internet and are commonly misused to access private networks. With such credentials, much of the effort required to locate vulnerabilities can be automated by criminals, and attacks can occur soon after system deployment.

The security of a wireless network can also be compromised by failing to fully encrypt network traffic or by using a weak encryption algorithm. Considering that the signal range of the wireless network is not restricted by facility boundaries, such as walls, it is not necessary for an attacker to physically enter the facility to gain access to a merchant system. Improperly configured wireless networks present a significant risk to merchants, as an attacker may attempt to gain access from an inconspicuous location, such as a vehicle parked within the range of the wireless network. Encrypted data collected while within the range of the wireless signal can be used to compromise weak encryption algorithms. Once the encryption key is compromised, the data within the merchant network is subject to compromise.

Wired networks are also vulnerable to attack if not properly secured. Many network vulnerabilities can be exploited through the Internet or via physical access to the merchant's systems. For example, a device can be attached to an open network port and used to collect data from the network as it travels between the Host and the individual POS terminals. This device can later be removed from the facility along with any cardholder data that was collected. While this method requires physical access to the facility, employee collusion should not be underestimated, and proper access controls should be placed around a wired network as well.

Risk Mitigation Strategy

Merchant environments that store, process or transmit cardholder data must be secured in accordance with the PCI DSS. Specifically, the network should have the following characteristics:

- Access to the network should be limited to specific known devices.
- Direct Internet access to the POS system should not exist. This can be implemented using a firewall device separating the Internet and the POS system.
- Any unauthorized devices attempting to connect to the network should be rejected, and the action should be logged.
- All default passwords and IDs should be changed on all network management devices.
- Systems involved in the storage, processing or transmission of cardholder data should be isolated to minimize the damage caused by unauthorized access into the network environment. Proper network segmentation requires a clear separation of payment processing devices from all other systems (such as systems used for Internet browsing and e-mail). Separation is the key to limiting the extent of a compromise that may originate in another segment of the network.
- Any wireless network must be segmented from the wired network where the POS system resides.
- The strongest possible level of encryption must be enabled on any wireless network. Wi-Fi Protected Access (WPA) encryption should be used over Wired Equivalent Privacy (WEP) encryption wherever WPA is supported.
- In a wireless environment, the SSID broadcast function should be disabled.
- Unnecessary wired network ports should be either disconnected or routinely monitored for any unfamiliar devices connected.

For more detailed information on how to properly secure a network environment, please refer to Appendix A, Section 3.

Attachment: Appendix A, Controls to Address Common POS System Vulnerabilities.

For more information on Visa's Cardholder Information Security Program, please visit http://www.visa.com/cisp. Questions about this bulletin may be directed to CISP@Visa.com.

Appendix A: Controls to Address Common POS System Vulnerabilities

SECTION 1: Remote Access Security

Many POS solution providers have introduced remote management products into the environments deployed within the merchant community. A wide variety of products providing this functionality exists, ranging from command-line based (SSH, Telnet, etc.) to visually driven products (pcAnywhere, RealVNC, MS Remote Desktop, etc.). These products must be configured in a manner that complies with the PCI Data Security Standard. Without proper security features, remote management products could expose data on individual PCs and the merchant network to unauthorized use, potentially disclosing cardholder information and other financial information.

Merchants using remote management products or services should adhere to the following guidelines in combination with the PCI DSS requirements:

- Upgrade to the latest version of the remote management product or service and ensure that the latest security patches are applied prior to full deployment.
- If the remote connection is via dial-up, configure the modem/software to provide dial-back functionality, where applicable. This will ensure that only specified phone numbers are allowed to dial into the remote system.
- Enable blocking of remote PC IP addresses after a pre-defined number of failed logins. Consult the remote management system documentation to learn if the product supports this feature and how to enable it.
- Merchants should prevent users from reconnecting to the Host from the remote system after an abnormal session, if applicable to the remote management product used.
- If available, merchants should enable any features that prompt the Host operator to confirm all incoming connections. When this feature is enabled, Host users are aware of any remote connection being established and can accept or reject any such request.
- To protect data transmissions between the Host and a remote PC, merchants must enable data encryption within their remote management system.
- Merchants must utilize strong passwords for all types of system access. The details of what constitutes a strong password are documented in PCI DSS requirement 8.5.11.

- Merchants must enable logging built into remote management products, operating systems, firewalls, and any other devices which support logging. Audit logs are valuable not only in the event of suspected unauthorized activity but also for ongoing monitoring of traffic patterns within your network. Logs play an integral role in identifying illegitimate network traffic as well as scoping the extent of a possible compromise.
- Establish policies and procedures for controlling access to any remote management functionality. Remote management products must be properly patched, should be configured to only allow access from specific locations, and user management must reflect current industry standards documented in the PCI DSS requirements.

Visa recommends that merchants always consult the product manufacturer's web site or technical support for ways to secure their remote management system.

SECTION 2: Host Security

Most POS environments consolidate all of the payment system traffic into one central repository that provides authorization functionality as well as data backup. This system is commonly referred to as the Host. The Host must be configured in accordance with the PCI DSS standard regarding patch management, password management and security configurations.

If an attacker is successful in gaining either remote or physical access to the Host, data stored within or passing through the system is at risk of being extracted and transferred out of the POS system. This presents a significant risk if full magnetic stripe data is stored on the compromised system. Retention of full magnetic stripe data is an egregious violation of the Visa U.S.A. Operating Regulations, and acquirers must ensure that their merchants remove full magnetic stripe data from any systems where present. To avoid storage of full magnetic stripe data, merchants should work with POS vendors/resellers to ensure they are using a PABP-compliant payment application. For more information on PABP, go to www.visa.com/cisp. Account numbers, expiration dates and cardholder names may be stored where business needs exist; however, account numbers must be rendered unreadable as outlined in PCI DSS Requirement 3.

Following are Host security guidelines that merchants should follow in combination with the PCI DSS requirements:

- All ports and services not needed for business functions must be disabled. Hackers commonly exploit vulnerabilities related to unnecessary services, and this can result in unauthorized access being granted to the merchant network. For example, a merchant not utilizing the web server functionality built into most operating systems must disable this service. Additionally, the corresponding network port (80) must be blocked on the firewall(s) protecting the system.
- Default passwords must never be used, and passwords must be changed every 90 days. This includes the following:
  - Operating system
  - POS application
  - Dial-up access
  - Remote management products, such as pcAnywhere and RealVNC

- ALL USERS must have a unique ID and password to access the POS system. The password must comply with PCI DSS requirement 8.5.11.
- The POS system must only be used for credit card data processing. Merchants must not use the POS system for other activities, such as web browsing or e-mail.
- Ensure that POS systems and PCs used for remote access have the latest security patches, anti-virus engines and signature files.
- Merchants must ensure a software-based firewall is installed on PCs used for remote access to the Host.
- Merchants must enable access logging on the system, the remote management software, the software firewall and the POS application.
- If running a database server (such as SQL Server or MySQL), protect the Administrator account by issuing a strong password, and remove unnecessary stored procedures on the system.
- The server naming convention should be meaningless and should obfuscate the nature of the merchant's business as well as the business function of the server.
- Ensure the operating system is NOT set to automatically log in a user, and has a password-protected screensaver.
- Merchants must ensure that cardholder data is not being retained on the system, and securely destroy any data that may have been stored previously.

Visa recommends that merchants always consult the product manufacturer's web site or technical support for ways to secure their POS application(s), software firewalls, and operating systems.

Physical Host Security

Merchants must ensure that physical access to the Host system is restricted to authorized personnel only. Policies and procedures should be implemented to document physical access to the Host system. Following are physical Host security guidelines that merchants should follow in combination with the PCI DSS requirements:

- The Host must be located in a secured room.
- Merchants must implement a log when accessing the Host. The log should include the user's name, reason for accessing the Host system, login time, and logout time.
- Users must log into the Host system with their own credentials and must log off at the end of their user session. Login credentials must never be shared among authorized personnel.
- A password-protected screen saver should be enabled on the Host.

SECTION 3: Network Security

The network is the primary means by which information is distributed and shared. Consequently, the network is often a key target for security breaches and is the main vehicle for transmission of malicious code between Hosts. One of the most common issues Visa has observed in compromise situations is the failure of merchants to properly segment their networks. In some cases, firewalls have failed to protect the external perimeter due to the lack of timely patching or failure to change the default credentials.

Following are general network guidelines that merchants should follow in combination with the PCI DSS requirements:

- Firewalls must be installed and maintained at all times. A hardware, stateful firewall is required. Stateful firewalls keep track of the state of network connections, and only packets matching a known connection state are permitted by the firewall.
- Firewall logs must be enabled to hold at least 12 months of information (a minimum of three months must be readily available; the remainder may be archived) and must be reviewed periodically.
- Firewall rules must be reviewed to ensure unnecessary ports/services are disabled. This applies to both inbound and outbound connections.
- Segmentation of the POS environment from other non-critical systems must be implemented. Segmentation advantages include, but are not limited to:
  - Increased network performance
  - Effective bandwidth utilization
  - Physical separation of network traffic of different security levels
- Disabling or limiting the firewall functionality must not be allowed. Any firewall must be configured to alert/page an appropriate contact in the event that it becomes disabled.
- Merchants must have documented change control procedures, which include modification to the firewall rules.

Visa recommends that merchants always consult the product manufacturer's web site or technical support for ways to secure their firewall solutions.
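The network controls in Section 3 of the bulletin and of this appendix (no direct Internet path to or from the POS segment, the POS segment reachable only from known sources, wireless segmented from the POS network, WPA rather than WEP, SSID broadcast disabled, vendor default credentials changed, a stateful firewall, change control on every rule, and firewall logs kept for 12 months with three months readily available) can be reviewed mechanically once the environment is written down. The following is an added example, not part of the Visa bulletin: the inventory format is a simplified one assumed here for illustration rather than any firewall vendor's export format, and every address and device in it is constructed.

```python
"""Review a merchant network inventory against the bulletin's network controls.
Added example; the inventory layout is assumed and its contents are constructed."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def net(spec):
    """Translate the rule shorthand 'any' or a CIDR string into a network object."""
    return ANY if spec == "any" else ipaddress.ip_network(spec)


def audit_network(inv):
    """Return a list of (control, detail) violations; an empty list means every check passed."""
    v = []
    segs = {name: ipaddress.ip_network(cidr) for name, cidr in inv["segments"].items()}
    known = list(segs.values()) + [ipaddress.ip_network(inv["processor"])]
    pos, wireless = segs["pos"], segs["wireless"]

    def is_known(n):   # entirely inside a defined segment or the processor range
        return any(n.subnet_of(k) for k in known)

    for r in inv["firewall_rules"]:
        if not r.get("ticket"):                       # documented change control
            v.append(("no_change_control", f"rule {r['id']} has no change ticket"))
        if r["action"] != "allow":
            continue
        src, dst = net(r["src"]), net(r["dst"])
        if src.overlaps(pos) and not is_known(dst):   # POS must not reach the Internet
            v.append(("pos_direct_internet", f"rule {r['id']} lets the POS segment reach {r['dst']}"))
        if dst.overlaps(pos):
            if not is_known(src):                     # only known sources may reach POS
                v.append(("pos_unknown_source", f"rule {r['id']} lets {r['src']} into the POS segment"))
            elif src.overlaps(wireless):              # wireless stays segmented from POS
                v.append(("wireless_not_segmented", f"rule {r['id']} lets the wireless segment into POS"))

    for d in inv["devices"]:
        if not d.get("default_credentials_changed"):
            v.append(("default_credentials", f"{d['name']} still has vendor default credentials"))
        if d["type"] == "firewall" and not d.get("stateful"):
            v.append(("firewall_not_stateful", d["name"]))
        if d["type"] == "wireless_ap":
            if not str(d.get("encryption", "")).upper().startswith("WPA"):
                v.append(("weak_wireless_encryption", f"{d['name']} uses {d.get('encryption')}"))
            if d.get("ssid_broadcast"):
                v.append(("ssid_broadcast_enabled", d["name"]))

    log = inv["firewall_logging"]
    if not log.get("enabled"):
        v.append(("firewall_logging_disabled", "firewall logging is off"))
    else:
        total = log["online_months"] + log["archive_months"]
        if log["online_months"] < 3:
            v.append(("log_online_retention", f"{log['online_months']} month(s) online, need 3"))
        if total < 12:
            v.append(("log_total_retention", f"{total} month(s) retained, need 12"))
    return v


# Constructed inventory of a store network with several of the bulletin's failures present.
INVENTORY = {
    "segments": {"pos": "10.10.1.0/24", "office": "10.10.2.0/24", "wireless": "10.10.3.0/24"},
    "processor": "198.51.100.0/24",   # constructed: the payment processor's address range
    "firewall_rules": [
        {"id": 1, "action": "allow", "src": "10.10.1.0/24", "dst": "198.51.100.0/24", "port": 443, "ticket": "CHG-101"},
        {"id": 2, "action": "allow", "src": "10.10.1.0/24", "dst": "any", "port": 80, "ticket": None},
        {"id": 3, "action": "allow", "src": "10.10.3.0/24", "dst": "10.10.1.0/24", "port": 9100, "ticket": "CHG-090"},
        {"id": 4, "action": "allow", "src": "any", "dst": "10.10.1.0/24", "port": 5900, "ticket": "CHG-077"},
        {"id": 5, "action": "deny", "src": "any", "dst": "any", "port": None, "ticket": "CHG-001"},
    ],
    "devices": [
        {"name": "fw-01", "type": "firewall", "stateful": True, "default_credentials_changed": True},
        {"name": "wap-01", "type": "wireless_ap", "encryption": "WEP", "ssid_broadcast": True,
         "default_credentials_changed": False},
    ],
    "firewall_logging": {"enabled": True, "online_months": 1, "archive_months": 6},
}

if __name__ == "__main__":
    for control, detail in audit_network(INVENTORY):
        print(f"{control}: {detail}")
```

Rule 2 in the constructed inventory is the common case the bulletin warns about: the POS segment is allowed out to the Internet on port 80, and the rule was never put through change control. Rule 4 is the remote management exposure from Section 1 seen from the network side, a VNC port on the POS segment open to any source; restricting it to the vendor's known range would clear that finding while leaving the remote access itself in place.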