More often than not, attackers who aim to steal credit card data are targeting small, brick-and-mortar merchants...
and exploiting vulnerable point-of-sale (POS) systems, according to a study recently released by Trustwave.
Trustwave, a Chicago-based Payment Card Industry Data Security Standard (PCI DSS) assessor, looked at 350 payment card compromises in 14 countries between January 2006 and December 2007. The company said the study counters the popular perceptions that using credit cards online is less safe than at a physical store, and that attackers target large merchants for their wealth of data.
Seventy-percent of the compromises occurred at brick-and-mortar merchants, and 92% of the merchants were Level 4, meaning they handle less than 1 million credit card transactions annually. More than half of the compromises Trustwave investigated occurred in the food service industry.
Small stores and restaurants don't have as many resources for security as large merchants and e-commerce shops, and may use POS systems that are improperly configured by a third party, according to Trustwave. In 64% of the breaches, negligence by a third-party such as an integrator may have contributed.
For example, a pizza restaurant might hire a local company to set up a POS system that also provides services like placing orders, said Nicholas Percoco, Trustwave vice president of consulting. Instead of dialing up for credit card authorizations, the device is connected to the Internet. "The people who set up the systems for the restaurant are not savvy about information security and do things like not install a firewall between the Internet and the POS system, or they don't install antivirus," he said.
Another common problem is that the contractor uses an unsecured remote access system to support the merchant's network and POS devices. The systems often use blank, default or easily guessable passwords, Percoco said. In addition, Trustwave has seen many old POS devices that have no traditional security controls and store cardholder data that's prohibited by PCI DSS. It's relatively easy for an attacker to configure a port scanner to look for vulnerable POS devices and break into them, Percoco said.
"We've seen a batch of cases in one city, where the commonality between those merchants is that they all use the same POS system, the same integrator and the same Internet service provider," he said.
Roger Nebel, an independent PCI DSS auditor and director of strategic security at FTI Consulting, said he's also seen many payment card breaches involving third parties and misconfigured remote access systems.
"The primary offender has been the point-of-sale vendors themselves, who are often contracted by the merchant to remotely manage and maintain the devices and software they sell to the merchants," he said. "We see default user IDs and passwords, which the bad guys all know."
But Nebel criticized other findings in the Trustwave report. Without saying how many credit card numbers were compromised in the breaches, the analysis is faulty, he said. "We don't know the relative size of the harm. There's no way to understand if the 92% being Level 4 is meaningful."
There's also the issue of self-selecting response, which weakens the study, he added: "The fact they've done 350 investigations and most are Level 4 merchants could be that the Level 4 merchants chose them and the Level 1 merchants didn't."
Gary Palgon, vice president of product management at nuBridges, a supplier of secure connectivity products and a member of the PCI Security Standards Council, said some the study's findings need to be balanced by taking a larger view of the market. Breaches of Level 4 merchants are on a small scale compared to the compromise of a larger merchant like the Hannaford Bros. Co. supermarket chain, in which thieves stole 4.2 million payment card numbers, he said.
The new Payment Application Data Security Standard (PA-DSS), released April 15 by the PCI Security Standards Council, will help ensure the security of POS devices, Palgon and others said.
Based largely on Visa's Payment Application Best Practices (PABP) program and supported by the five major payment card brands, the standard provides a global set of security requirements for payment applications such as POS systems. It will ensure payment applications don't store sensitive card data and aren't rife with flaws, PCI officials have said. Visa previously issued a July 2010 deadline for banks to ensure their merchants use only PABP-compliant applications.
Michael Petitti, Trustwave's chief marketing officer, said Level 4 merchants may number around 6.5 million in the U.S. "They're small, probably card-present environments reliant on a third party to configure those environments. So there are many moving parts that need to be addressed, which requires a lot of education and awareness that the industry is just getting around to."