Visa® Tips on Preventing Retail Breaches
Retail merchant system breaches are on the increase. Once inside a merchant's network, hackers can install memory-parsing malware on Microsoft Windows-based cash registers or servers. The malware is designed to steal unencrypted magnetic stripe data from the system's random-access memory (RAM).
To combat memory-parsing malware, also known as RAM-scraping malware or point-of-sale (POS) malware, Visa' recommends the prevention strategies outlined below. Visa also cautions merchants to perform sufficient due diligence to avoid blocking legitimate access.
Preventing Malware Attacks
Visa recommends a multilayer prevention approach that includes managing network security, cash register and PDS security, administrative access, incident response and third-party vendors. Used together, these measures can help to minimize the possibility of an attack and mitigate the risk of a card data compromise.
Please work with your information technology (IT) team to implement these recommended security practices:
- Review your firewall configuration and ensure only allowed ports, services and Internet protocol (IP) addresses are communicating with your network. This is especially critical on outbound (or egress) firewall rules, where compromised entities allow ports to communicate to any IP on the Internet. Hackers will leverage this misconfiguration to send data to their own IP address.
- Segregate the payment processing network from other non-payment processing networks.
- Apply access controls lists (ACLs) on the router configuration to limit unauthorized traffic to the payment processing networks.
- Create strict ACLs, segmenting public-facing systems and backend database systems that house payment card data.
- Review systems that have direct connectivity or access to the payment processing environment and ensure the systems are secure.
Cash Register and POS Security
- Install Payment Application (PA) Data Security Standard (DSS)-compliant payment applications and ensure applications are installed in a Payment Card Industry (PCI) DSS-compliant manner. Merchants should also review their payment application to ensure it is not configured in a debug or troubleshooting mode. This type of configuration can result in storage of clear-text cardholder data.
- Perform periodic scans on systems to identify storage of cardholder data and securely delete the data.
- Deploy the latest version of the operating system and ensure it is up to date with security patches, anti-virus software, file integrity monitoring and a host-based intrusion detection system.
- Assign strong passwords to your security solution to prevent application modification.
- Perform a binary or checksum comparison to ensure unauthorized files are not installed on systems. Merchants should consider implementing application whitelisting to help prevent malicious software and other unapproved programs from running.
- Deny remote desktop protocol logins whenever possible
- Ensure any automatic updates from third parties are validated. This means performing a checksum on the updates prior to deploying them on the POS systems. Merchants should work with their POS vendors to obtain signatures/hash values in order to perform this checksum validation.
- Disable unnecessary ports and services, null sessions, default users and guests.
- Enable logging of events and confirm you have a process to monitor logs on a daily basis.
- Implement "least privileges" and ACLs on users and applications on the system.
Limit Administrative Access
- Use two-factor authentication when accessing the payment processing networks. Even if a virtual private network (VPN) is used, it is important to implement two-factor authentication. This will help to mitigate key logger or credential dumping attacks.
- Limit administrative privileges on users and applications.
- Periodically review systems (local and domain controllers) for unknown and dormant users.
- Do not use Windows NT LAN Manager or LAN Manager hash for password hashing, as the algorithm is known to be compromised and susceptible to pass-the-hash attacks. Visa recommends implementing salted one-way password hashing.
- Deploy security information and event management (SIEM). A SIEM is a system that serves as a central point for managing and analyzing events from network devices. A SIEM has the responsibility to:
- Aggregate events and logs from network devices and applications
- Use intelligence to analyze and uncover malicious behavior on the network
- Since hackers use anti-forensic techniques to avoid detection, Visa recommends offloading logs to a dedicated server in a secure location to prevent unauthorized users from tampering with the logs.
- Invest in a dedicated incident response team. The response team should have the knowledge, training and certification to respond to a breach.
- Test and document your incident response plan to identify and remediate any gaps in the process prior to an actual event. The plan should be tested and updated periodically to address emerging threats.
- Avoid providing unrestricted access or remote maintenance capability to third-party vendors, specifically to your production environment.
- Establish a vendor demilitarized zone, sometimes referred to as a perimeter network.
- Ensure adequate review of third-party vendors' security practices if they will handle sensitive data on your behalf.
- Obtain information about the vendor's partner operations to understand how they may impact your business.
Reporting a Data Breach
To report a data breach, email Visa fraud control at [email protected].
Glossary of Security Terms
- Checksum — A way to ensure your files or programs have not been changed.
- Whitelisting — Allowing only specific programs to run on your system.
- Least privilege — Giving applications or services the absolute minimum permissions required to accomplish a task.
- NT LAN Manager and LAN Manager hashing — An older method for transferring and storing hidden passwords on a system, which is no longer supported or considered secure.
- Salted one-way hash — A newer method for transferring and storing passwords, which is considered secure.
Information provided via VISA and Shazam.
This information is offered up for general guidance and is not intended as, nor should it be construed as legal, financial or other professional advice. Please consult with your attorney or financial advisor to discuss any legal or financial issues on this topic.