From Visa's Risk Management: For: IT, Information Security, IT Support
Visa has recently noticed an increase in malicious remote access activity associated with unauthorized access to merchant point-of-sale environments and, ultimately, payment card data. Many remote access solutions are used to provide remote management and technical support for retailers. Used maliciously, they can expose payment card data and other sensitive information to cybercriminals, who can log in, establish additional “back doors” by installing malware, and steal payment card data. The risk of data compromise substantially increases when remote access applications are not PCI DSS compliant.
The following are examples of common remote access vulnerabilities that can enable intruders to gain access to merchant POS environments. NOTE: most are also violations of the PCI DSS.
- Remote access ports and services always available on the Internet.
- Outdated or un-patched applications and systems.
- Use of default passwords or no password.
- Use of common usernames and passwords.
- Single-factor authentication.
- Improperly configured firewalls.
The attacks take place by successfully logging in to remote access applications with common username/password combinations. Once inside the network, an intruder will typically take steps to disable anti-virus applications and establish additional “back door” connectivity through the installation of malicious software. On systems where payment card data is processed, card-capturing malware is often installed and used to collect full track data from the POS system. Finally, card data is removed to remote IP addresses.
We are urging you to share this information with your colleagues in the IT departments.
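The attack sequence described above (remote login, anti-virus disabled, new software installed, data sent to a remote IP address) can be turned into a simple correlation check over POS host events. This is an added example, not part of Visa's alert; the event names, log layout, username list, internal network range and time window are all assumptions made for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample events (hypothetical format): time, host, event, key=value fields
SAMPLE_EVENTS = """\
2014-07-18T02:11:04 pos-01 remote_login_ok user=admin src=203.0.113.45
2014-07-18T02:13:30 pos-01 av_service_stopped user=admin
2014-07-18T02:20:12 pos-01 new_service_installed name=updsvc
2014-07-18T03:05:41 pos-01 outbound_transfer dst=198.51.100.9 bytes=48211
2014-07-18T09:00:02 pos-02 remote_login_ok user=jsmith src=10.0.5.20
2014-07-18T09:04:10 pos-02 av_service_stopped user=jsmith
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")                 # assumed merchant LAN
COMMON_USERS = {"admin", "administrator", "pos", "support"}   # assumed list
WINDOW = timedelta(hours=2)                                   # assumed correlation window
FOLLOW_UPS = {"av_service_stopped", "new_service_installed", "outbound_transfer"}

def parse(line):
    """Split one event line into (timestamp, host, event type, fields dict)."""
    ts, host, kind, *pairs = line.split()
    return datetime.fromisoformat(ts), host, kind, dict(p.split("=", 1) for p in pairs)

def is_external(ip):
    return ipaddress.ip_address(ip) not in INTERNAL

def find_intrusions(log_text):
    """Return {host: findings} where an external remote login is followed,
    within WINDOW, by any of the later stages the alert describes."""
    sessions, alerts = {}, {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, f = parse(line)
        if kind == "remote_login_ok" and is_external(f["src"]):
            notes = [f"external remote login as {f['user']} from {f['src']}"]
            if f["user"].lower() in COMMON_USERS:
                notes.append("common username")
            sessions[host] = (ts, notes)
        elif kind in FOLLOW_UPS and host in sessions:
            start, notes = sessions[host]
            # Transfers only count when the destination is outside the LAN.
            if ts - start <= WINDOW and (kind != "outbound_transfer" or is_external(f["dst"])):
                notes.append(kind)
                alerts[host] = notes
    return alerts

if __name__ == "__main__":
    for host, notes in find_intrusions(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(notes))
```

In the sample data only pos-01 is flagged; pos-02 also stops its anti-virus service, but its login came from the internal range, so it does not match the pattern in the alert.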
Take a look at the picture Visa released on how to understand the EMV Chip Cards.
An investigation is taking place regarding a credit card breach at Goodwill locations nationwide. They first noticed the possible incident on Friday, July 18th, with activity similar to other data breaches that have taken place, like Michaels, Target and Neiman Marcus.
With all these security breaches taking place, it seems the change to EMV cards can’t come soon enough. The deadline is coming on October 1, 2015 and, as Visa’s announcement states, “Currently, POS counterfeit fraud is largely absorbed by card issuers. With the liability shift, if a contact chip card is presented to a merchant that has not adopted, at minimum, contact chip terminals, liability for counterfeit fraud may shift to the merchant’s acquirer.”
EMV-enabled cards rely on an embedded chip and PIN number instead of the traditional magnetic stripe and signature that the U.S. uses today. This strategy reduces the vulnerability of cardholder data when making purchases, preventing ‘skimming’, or the copying of card data embedded in a card’s magstripe. EMV cards and terminals have already been adopted in other parts of the world and have helped to reduce fraud, chargebacks, and card counterfeits.