Investigations by the major card brands have shown that criminal, unauthorized remote access is the leading cause of merchant security breaches.
Intruders typically disable anti-virus applications and establish additional “back door” connectivity through the installation of malware on systems where payment card data is processed. Card-capturing malware is often installed to collect full track data from the POS system. The card data captured can then be sent to remote IP addresses.
What can you do to secure your system?
If the payment application is storing, processing or transmitting cardholder data developers will need to adhere to the PA-DSS guidelines and requirement 10 of the PA-DSS states two-factor authentication for securing remote access to the POS application.
Here are some best practices developers should share with merchants and/or resellers to help them be better prepared
- Use complex passwords and two factor authentications for all access in the payment environment including POS accounts and remote access.
- Limit the number of administrative users.
- Properly store authentication/security tokens and change passwords every 90 days.
- Manage vendor access to POS and card data environment.
- Install and keep anti-virus, anti-spyware and firewalls up to date. Regularly run and review results of scans for malicious software.
- Maintain up-to-date software, operating systems and web browsers.
- Reboot POS systems daily to clear volatile memory, and consider using a secure file wiping utility that can securely clear the contents of the page (swap) file.
Vantiv Integrated Payments is constantly monitoring industry security information to help us maintain our security standards and help better secure POS software appropriately. We suggest that payment applications that enable or use remote access regularly follow the steps to set it up correctly and avoid any chances of a costly data breach.
Have Questions? Contact our compliance team at email@example.com or 1-800-846-4472
Visa, http://usa.visa.com/download/merchants/Visa_Security_Alert_070114.pdf(July 2014).