Deeper Layers of Protection Needed for POS Systems

Retailers need deeper layers of protection. They can better protect their POS systems against advanced malware through a layered security approach that goes beyond traditional firewall and anti-virus protections.

In November 2013, the PCI Security Standards Council (PCI SSC) published version 3.0 of the PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) for debit and credit card security, developed to move organizations from compliance to more comprehensive and proactive security approaches.

Version 3.0 of PCI DSS became effective January 1, 2014, and businesses will have one year to apply it. Some of the changes are future-dated requirements that are best practices until July 1, 2015.
https://www.pcisecuritystandards.org/security_standards/documents.php

Will these new requirements help prevent malware attacks such as the recent ones linked to BlackPOS against giant retailers Target and Neiman Marcus? Recently, marketing sat down with the CEO of Wontok, Adam Tegg, and asked his opinion.

RESPONSE: According to Adam, “We are seeing reports of a growing prevalence of POS malware being sold on the underground, making it increasingly available to cyber criminals.  Some of these that have been written about include not only BlackPOS, but Dexter, vSkimmer and a few others. This leads experts to believe that the number of attacks will increase.  And this means that merchants need new approaches to this growing problem.”

Why isn’t traditional AV working?

RESPONSE: Adam pointed out, “Traditional AV has been documented to be less than 40% effective against financial malware, and much less in the face of advanced malware. In this scenario, there was a zero detection rate against BlackPOS, which means that even fully updated anti-virus engines on fully patched computers could not identify this malware. At Wontok, that’s why we developed an approach that works below the traditional layer where AV works. A deep layer approach like Wontok SafeCentral can operate in layers where malware can’t and be more effective at blocking it from access to sensitive transactions.”

Next, we discussed the new requirements that have been added in PCI DSS.  New requirements in PCI DSS appear in Req. 5:

Req. 5.1.2 – evaluate evolving malware threats for any systems not considered to be commonly affected. The addendum complements the preexisting Requirement 5.1, which compels organizations to use up-to-date anti-virus programs to protect systems “commonly affected by malicious software.”

I asked Adam: Why put it upon the merchant to monitor newsgroups and virus bulletins and security notices to figure out what the newest malware threats are?

RESPONSE: Adam answered, “We see this quite often in the financial services sector. Banks don’t have the time to become malware tracking specialists. Neither do retailers. That’s why we designed Wontok SafeCentral to work deeper than typical anti-virus and be able to stay ahead of the latest malware threats. This also eliminates the need for sending out constant software updates. Retailers can use a similar deep layered approach to protect and lock down their transactions and still be compliant.”

Food for thought. Fraud experts are predicting a growing trend of breaches linked to malware, such as BlackPOS, taking aim at the retail and hospitality industries. This means it is time for retailers and merchants to look at new approaches to these threats and to arm themselves with advanced security solutions that comply with PCI DSS and go beyond today’s solutions to protect their transactions.