When a merchant is suspected of being the victim of an account data compromise event, they are often required by the card brands to hire a Payment Card Industry Forensic Investigator (PFI). The PFI provides a report on the investigation to the card brands, and if the investigation found evidence of a breach, the report explains how the attack was carried out. The card brands likely receive several hundred PFI reports each year, and they occasionally issue security alerts when they see an emerging threat pattern in PFI reports. Visa, which issued three alerts in the past year alone regarding memory scraping malware used against retailers, has only issued nine alerts since 2011 (Visa Security Alerts/Bulletins). So, it is advisable that merchants pay attention to these alerts.
Unfortunately, many threat trends are not based on the exploitation of new vulnerabilities. In a 2011 Security Alert, Visa stated that “[i]nsecure remote access continues to be the most frequent attack method used by intruders to gain access to a merchant’s point-of-sale (POS) environment.” MasterCard warned of recent attack trends in 2012 showing that hackers were focusing on smaller merchants with improperly configured remote access systems.
Visa just issued a July 2014 Security Alert titled “Insecure Remote Access and User Credential Management,” which reported Visa’s observation of an increase in malicious remote access activity associated with unauthorized access to merchant Point-of-Sale (POS) environments and ultimately, payment card data. The Security Alert mentioned several of the remote access solutions that are often used by service providers to provide remote management and support for retailers, including LogMeIn and PCAnywhere. Visa notes that circumstances around multiple merchant compromises in the last several months suggest an actor or group of actors are targeting merchants who share common POS integrators or remote support vendors. Finally, the Security Alert identifies the following security practices to help mitigate security risks:
- Ensure proper firewall rules are in place, allowing remote access only from known IP addresses.
- If remote connectivity is required, enable it only when needed.
- Contact your support provider or POS vendor and verify that a unique username and password exists for each of your remote management applications.
- Use the latest version of remote management applications and ensure that the latest security patches are applied prior to deployment.
- Plan to migrate away from outdated or unsupported operating systems like Windows XP.
- Enable logging in remote management applications.
- Do not use default or easily-guessed passwords.
- Restrict access to only the service provider and only for established time periods.
- Only use remote access applications that offer strong security controls.
- Always use two-factor authentication for remote access. Two-factor authentication can be something you have (a device) as well as something you know (a password).
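Several of the practices above (known IP addresses only, access only during established time periods, a unique account per remote-management application, logging enabled) can be checked after the fact by auditing the remote-management application's login log. The following is an added example, not code from Visa's alert or from any remote-access vendor: the log line shape, the allowlisted networks, the `pos-support` account name and the support window are all constructed for illustration, so they would need to be replaced with the format and values agreed with your own POS integrator.

```python
"""Audit remote-management login records against the practices in the Visa alert:
remote access only from known IP addresses, only during the agreed support window,
and only by the named service-provider account.

The log format and the policy values below are constructed for this example; they
are not LogMeIn's, PCAnywhere's or any other vendor's real log format or settings.
"""
import ipaddress
import re
from datetime import datetime, time

# Constructed policy: values a merchant would agree with its POS integrator.
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),   # integrator's support office (TEST-NET-3)
                    ipaddress.ip_network("198.51.100.7/32")]  # integrator's jump host (TEST-NET-2)
ALLOWED_USERS = {"pos-support"}                     # unique account for this remote-management tool
WINDOW_START, WINDOW_END = time(8, 0), time(18, 0)  # agreed support hours, UTC
WINDOW_DAYS = {0, 1, 2, 3, 4}                       # Monday..Friday

# Constructed log line shape: "<ISO timestamp>Z LOGIN user=<name> src=<ip> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) LOGIN "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Return a dict for a well-formed login record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    try:
        rec["src"] = ipaddress.ip_address(rec["src"])
    except ValueError:
        return None
    return rec


def check_record(rec):
    """Return the list of policy violations for one parsed, successful login."""
    findings = []
    if not any(rec["src"] in net for net in ALLOWED_NETWORKS):
        findings.append("source not in known IP list")
    if rec["user"] not in ALLOWED_USERS:
        findings.append("unexpected account")
    ts = rec["ts"]
    if ts.weekday() not in WINDOW_DAYS or not (WINDOW_START <= ts.time() < WINDOW_END):
        findings.append("outside agreed support window")
    return findings


def audit(lines):
    """Return (successful logins that break policy, count of failed attempts per source).

    Failed attempts are counted per source address so that password guessing against
    a remote-management account stands out even when every attempt fails.
    """
    violations = []
    failures = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip malformed lines rather than abort the audit
            continue
        if rec["result"] == "fail":
            src = str(rec["src"])
            failures[src] = failures.get(src, 0) + 1
            continue
        problems = check_record(rec)
        if problems:
            violations.append((rec["ts"].isoformat(), rec["user"], str(rec["src"]), problems))
    return violations, failures


# Constructed sample log (2014-07-15 is a Tuesday, 2014-07-19 a Saturday).
SAMPLE_LOG = """
2014-07-15T10:05:12Z LOGIN user=pos-support src=203.0.113.44 result=ok
2014-07-15T02:41:03Z LOGIN user=pos-support src=192.0.2.99 result=ok
2014-07-15T09:00:00Z LOGIN user=admin src=198.51.100.7 result=ok
2014-07-19T11:30:00Z LOGIN user=pos-support src=203.0.113.44 result=ok
2014-07-15T03:00:01Z LOGIN user=admin src=192.0.2.99 result=fail
2014-07-15T03:00:04Z LOGIN user=admin src=192.0.2.99 result=fail
2014-07-15T03:00:07Z LOGIN user=admin src=192.0.2.99 result=fail
malformed line that the parser skips
""".strip().splitlines()

if __name__ == "__main__":
    viols, fails = audit(SAMPLE_LOG)
    for ts, user, src, problems in viols:
        print(f"{ts} {user}@{src}: {', '.join(problems)}")
    for src, n in fails.items():
        print(f"{n} failed attempts from {src}")
```

Run against the constructed sample, the audit flags the off-hours login from an address outside the allowlist, the successful login under a shared `admin` account, and the Saturday login by the otherwise legitimate support account, and it reports the three failed attempts from the unknown address. The point of the design is that the audit only works if the application's logging is enabled (the alert's "Enable logging" practice) and if the merchant has actually written down which networks, accounts and hours its service provider is permitted to use.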
Merchants should keep in mind that, not only are they responsible for ensuring that their service providers protect cardholder data in compliance with PCI DSS, they are also responsible for the consequences if their service provider fails to do so (e.g. complying with state breach notification laws and paying fines, fees, and assessments of liability by card brands for operating expense reimbursement and incremental counterfeit fraud). It may be a good decision for a merchant to “outsource” their payment processing to a service provider, but simply having a third party do the processing does not “outsource” a merchant’s liability. Rather, merchants need to include appropriate provisions in the contract with their service provider to impose obligations for securing the payment card data and providing indemnification if they fail to do so.