Check the Visa and MasterCard merchant sites for more information on the Rules and Regulations regarding card acceptance.
First National Merchant Solutions received information from the Visa Cardholder Information Security Program (CISP) of potential vulnerabilities relating to data security. Visa issues these security alerts when vulnerabilities in the market relating to securing cardholder data are detected.
Payment card account information has been compromised at merchant locations that lack proper network segmentation. This attack method originates on the Internet, results in penetration of the merchant’s Point of Sale (“POS”) system and often results in costly remediation efforts and increased fraud attacks. Such compromises can often be prevented if the merchant networks are properly segmented so that intruders are limited to non-sensitive parts of the POS network that do not contain payment card information. Network segmentation is a concept that refers to the practice of splitting a network into functional segments and implementing an access control mechanism between each of the boundaries. The most common example of network segmentation is the separation between the Internet and an internal network using a firewall/router.
Merchants are reminded that when e-mail and web browsing are introduced to their networks, a potential avenue of attack is opened. A malicious e-mail attachment or a malicious web page can introduce viruses, spyware and malware into an internal network. Once such harmful software is inside the boundaries of your internal “trusted” network, it typically has uninhibited access to every device on that network. This scenario can be abused to move from a user system to a business (payment-processing) system and result in data loss.
To comply with PCI DSS requirements, adhere to the following recommendations:
- Separate any user environments from any business systems using a firewall. For example, a system used by employees to receive e-mail should be separated from a system used for transaction processing.
- Configure the firewall to only allow access between systems participating in the transaction flow. Further limit the allowed host connections to the Wi-Fi access point by specifying individual MAC or IP addresses.
- Limit access to only network ports that are necessary to perform desired business functions.
- Access controls should be applied to both directions of network traffic – inbound and outbound.
- Enable logging and exception alerting on all network devices and business systems, where possible. Log files should be protected from tampering. Logging is an essential tool in analyzing the current state of your network, and can identify and scope potential intrusions.
- Use a Virtual Private Network (“VPN”) or Secure Sockets Layer (“SSL”) connection between systems processing sensitive data whenever possible. Connections utilizing encryption ensure the confidentiality and integrity of the data by protecting it against eavesdropping.
- Implement a switched network – switches handle network traffic in a manner more resistant to eavesdropping.
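The recommendations above amount to a default-deny allowlist between segments, enforced in both directions, with logging used to find flows that should not exist. The following is an added example (not code from the bulletin or from Visa) that expresses such a policy for a hypothetical three-segment layout (a user LAN, a POS segment and the acquirer's payment gateway; all addresses are assumed documentation ranges) and audits a few constructed connection-log lines against it. It demonstrates the "only the transaction flow" and "both directions" rules rather than any particular firewall product's syntax.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical network layout (assumption, not from the bulletin).
SEGMENTS = {
    "user_lan": ipaddress.ip_network("10.1.0.0/24"),  # staff e-mail / browsing
    "pos": ipaddress.ip_network("10.2.0.0/24"),       # payment-processing systems
}
# Acquirer payment gateway (TEST-NET-3 documentation address, assumed).
GATEWAY = ipaddress.ip_network("203.0.113.10/32")

# Allowed new connections: (source segment, destination segment, destination port).
# Anything not listed is denied, in both directions (default deny).
ALLOWED = {
    ("pos", "gateway", 443),  # POS terminals -> payment gateway over TLS only
}


def segment_of(ip):
    """Map an address to the segment name used in the policy."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    if addr in GATEWAY:
        return "gateway"
    return "internet"


@dataclass
class Flow:
    src: str
    dst: str
    dport: int


def is_allowed(flow):
    """True only if the policy explicitly permits this direction and port."""
    return (segment_of(flow.src), segment_of(flow.dst), flow.dport) in ALLOWED


def parse_flow(line):
    """Parse the constructed log format '<src_ip> -> <dst_ip>:<port>'."""
    src, rest = line.split(" -> ")
    dst, port = rest.rsplit(":", 1)
    return Flow(src.strip(), dst.strip(), int(port))


def audit(lines):
    """Return (src segment, dst segment, port, raw line) for every denied flow."""
    denied = []
    for line in lines:
        flow = parse_flow(line)
        if not is_allowed(flow):
            denied.append((segment_of(flow.src), segment_of(flow.dst), flow.dport, line))
    return denied


# Constructed sample of new-connection records, not real traffic.
SAMPLE_LOG = [
    "10.2.0.15 -> 203.0.113.10:443",   # POS to gateway: expected
    "10.1.0.7 -> 10.2.0.15:3389",      # user LAN opening RDP to a POS host: violation
    "10.2.0.15 -> 198.51.100.20:80",   # POS host browsing the Internet: violation
    "198.51.100.20 -> 10.2.0.15:22",   # inbound SSH from the Internet to POS: violation
]

if __name__ == "__main__":
    for seg_src, seg_dst, port, raw in audit(SAMPLE_LOG):
        print(f"DENY {seg_src} -> {seg_dst}:{port}  ({raw})")
```

Because the allowlist is keyed on direction, a connection initiated from the gateway side toward a POS host on port 443 is also denied; a stateful firewall still permits the return packets of the POS-initiated session, which is the distinction the "both directions" recommendation is drawing.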
SQL injection is a technique used to exploit Web-based applications that use client-supplied data in SQL queries. SQL injection attacks may be the by-product of unpatched Web servers, an improperly designed application, or poorly configured Web servers and database servers. A review of recent data security breaches suggests SQL injection attacks on e-commerce merchants have become more prevalent. The attack method most recently detected targets shopping carts that are not properly patched and are, therefore, susceptible to attack.
To minimize the possibility of an SQL injection attack, merchants should take the following actions:
- Use only a secure shopping cart, preferably validated against Visa’s Payment Application Best Practices (“PABP”). A list of PABP compliant shopping carts is available on http://www.visa.com/cisp.
- Test susceptibility to SQL injection utilizing automated tools or manual techniques.
- Merchants that utilize proprietary or custom applications should adopt secure coding practices that include independent code reviews.
- Use only secure Web servers. Merchants can refer to their vendor’s Web site for instructions on hardening Web servers (see Microsoft's Web site on hardening IIS servers using the IIS Lockdown tool: http://www.microsoft.com/technet/security/tools/locktool.mspx).
- Ensure Web servers are routinely updated with the current security patches from their vendors.
- Purge cardholder data when no longer needed and take steps to ensure CVV2 data is not stored subsequent to authorization of a transaction.
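The "secure coding practices" and "test susceptibility" items above are easiest to see side by side. The following is an added example (not from the bulletin, Visa, or any shopping-cart product) using Python's built-in sqlite3 module and a constructed product table: a lookup that splices client input into the SQL string, the same lookup written with a parameterized query, and a small self-test that a development team could keep in its test suite to catch the first pattern. The probe string and table contents are assumptions.

```python
import sqlite3


def make_db():
    """Build an in-memory catalogue with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, category TEXT)")
    conn.executemany(
        "INSERT INTO products (name, category) VALUES (?, ?)",
        [("Widget", "hardware"), ("Gadget", "hardware"), ("Ebook", "digital")],
    )
    return conn


def vulnerable_lookup(conn, category):
    """The defective pattern: client-supplied text becomes part of the SQL.

    A quote character in the input changes the structure of the statement,
    so the database executes whatever the client wrote after it."""
    sql = "SELECT name FROM products WHERE category = '" + category + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, category):
    """The hardened pattern: a parameterized query.

    The driver sends the value separately from the SQL text, so the input
    can only ever be compared as a literal string, never parsed as SQL."""
    sql = "SELECT name FROM products WHERE category = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (category,))]


# Regression probe (assumed): as a literal category this matches nothing,
# so any rows coming back mean the input was interpreted as SQL.
TAUTOLOGY = "x' OR '1'='1"


def injectable(conn, lookup):
    """True if the probe widens the result set instead of matching nothing."""
    return len(lookup(conn, TAUTOLOGY)) > 0


if __name__ == "__main__":
    db = make_db()
    for fn in (vulnerable_lookup, safe_lookup):
        print(f"{fn.__name__}: injectable={injectable(db, fn)}")
```

Running the self-test against every database-access function in an application is a cheap complement to the external scanning the bulletin recommends, and it fails loudly if someone later reintroduces string concatenation.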
POS systems that are not properly installed or adequately maintained can contribute to the compromise of cardholder account information and other sensitive data.
Often, merchants use third-party firms known as “integrators” or “resellers” to configure or install POS systems. Because third-party firms may vary in their ability to properly install and configure common security controls, POS systems may be vulnerable to compromise upon installation.
Merchants are urged to begin a dialogue with their vendors to ensure their POS systems are adequately safeguarded from internal and external intrusions.
To safeguard their POS systems, merchants should ask their POS vendors (i.e. resellers/integrators) the following questions:
- Does my POS software store magnetic stripe data (e.g., track data) or PIN blocks? If so, this is prohibited and must be immediately corrected.
- Does my network have a properly-configured firewall installed to protect my POS system from unauthorized access?
- Are complex and unique passwords required to access my system? Can the POS vendor confirm they don’t use a common or default password across other merchant systems they support?
- Does my POS system enable the POS vendor to have remote access for support or maintenance? If so, merchants must ensure appropriate controls are implemented to prevent unauthorized access.
- Is the POS system configured so that access to critical functions may be restricted?
- Is the POS system used for payment card processing also used for other functions (e.g., Web browsing or e-mail)? If so, the POS system must be segregated from those other functions.
- Is the operating system hosting the POS software patched with the applicable security updates in a timely manner?
- Has my POS software version been validated as compliant against the Visa Payment Application Best Practices (“PABP”)? A list of PABP compliant applications is available on http://www.visa.com/cisp.
First National Merchant Solutions was notified by the Visa CISP group of potential vulnerabilities relating to Wireless networks and Payment Card Industry (PCI) compliance.
What is wireless?
Wireless enables systems to communicate without a physical connection (network cables). Wireless technologies use radio frequency as the means for transmitting data, whereas wired technologies use cables.
Common wireless attacks
- Eavesdropping – An attacker can gain access to a wireless network just by “listening” to traffic. Eavesdropping is very easy in the radio environment, as any radio transmission can be freely and easily intercepted by nearby devices or laptops. The sender or intended receiver has no means of knowing if the transmission has been intercepted or not.
- Trust problems – If your wireless LAN is part of your enterprise network, then a compromise of your wireless LAN may lead to the compromise of your enterprise network. An attacker with a rogue access point can fool a mobile station into authenticating with the rogue access point, thereby gaining access to the mobile station. The only protection against these types of attacks is an efficient authentication mechanism.
- Denial of Service (DoS) – A DoS attack is an attempt to prevent legitimate users of a service from using that service. Due to the nature of radio transmission, wireless LANs are vulnerable to Denial of Service attacks and radio interference. Such attacks can be used to disrupt a business’ operations or to gather additional information for use in another type of attack.
- Man-in-the-middle – Packet spoofing (fake IP address) and impersonation are also valid threats, whereby traffic is intercepted midstream and then redirected by an unauthorized individual for malicious purposes.
Many manual and automated tools are freely available on the Internet to perform these wireless attacks.
To help prevent your business from becoming a victim of such attacks please review the Wireless Security Checklist below if you are currently using wireless technology.
| Wireless Security Checklist | Related PCI DSS Requirement |
|---|---|
| Network segmentation – The credit card processing environment must be segmented from public networks, including wireless networks. Advantages of network segmentation include, but are not limited to: increased network performance; effective bandwidth utilization; physical separation of network traffic with different security requirements; and, in the event of a network problem, isolation of the issue to the affected subnet. | 1.3 |
| Implement strong access control list (ACL) router rules – ACLs will help to block traffic on known ports which should not be present on the protected network under any circumstances. | 1.3 |
| Change default SSIDs (Service Set Identifiers) on the wireless access point (AP). Because an SSID can be sniffed in plain text from a packet, it does not supply any security to the network. Disable the broadcast SSID feature. Validate that the SSID character string does not reflect the entity’s name or products. | 2.1.1 |
| Ensure all wireless default parameters, such as passwords, are changed. Default passwords for popular wireless devices are well known to hackers and often posted on the Internet. | 2.1.1 |
| Disable all insecure and nonessential management protocols on the wireless AP. | 2.2.2 |
| Implement a solution to centrally manage wireless networks, including logging and monitoring. A central management solution provides tighter control, increased automation and higher security. | 10 |
| Access to the wireless network should be granted based on a client’s identity. There should be a common authentication and authorization system which examines a wireless client’s identity and grants or denies access to the wireless network. | 8 |
| Enable two-factor authentication for the management interfaces of the AP and use SSL/TLS for Web-based management of the wireless APs. | 2.3 and 8.3 |
| Implement Wi-Fi Protected Access (WPA) or WPA2 to encrypt transmissions. Never rely on WEP, which has well-publicized vulnerabilities. WPA or WPA2 provides a stronger alternative to WEP. The primary difference between WPA and WPA2 is that WPA2 uses a more advanced encryption algorithm, AES (Advanced Encryption Standard). WPA and WPA2 operate strictly between your Wi-Fi device and the wireless AP. When data reaches the AP or gateway, it is unencrypted and unprotected while traversing a public network or the Internet. So while WPA/WPA2 protects you from external intruders on the wireless segment, you must implement VPN technologies or SSL/TLS to protect your transmission across the public network or the Internet. | 4.1.1 |
| Physically secure the wireless APs. | 9.1.3 |
| Make sure the reset function on the wireless AP is used only when needed and only invoked by authorized individuals. | 7.1 |
| Perform periodic wireless scanning to identify rogue or insecure wireless APs. | 11.1 |
| Keep security patches on the wireless APs up to date. | 6.1 |
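Several checklist rows (SSID naming under 2.1.1, WPA/WPA2 rather than WEP under 4.1.1, and periodic scanning for rogue APs under 11.1) can be checked from one wireless survey. The following is an added example, not from the bulletin or Visa, that reviews a constructed scan export (SSID, BSSID, encryption) against a hypothetical inventory of authorized access points. The merchant name, the inventory, the scan rows and the short list of factory SSID names are all assumptions.

```python
import csv
import io

ENTITY_NAME = "acme"  # hypothetical merchant name to look for inside SSIDs
# Assumed list of common factory SSID names that indicate an unchanged default.
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink"}

# Authorized AP inventory (constructed): BSSID -> expected SSID.
INVENTORY = {
    "00:11:22:33:44:01": "store-pos",
    "00:11:22:33:44:02": "store-guest",
}

# Constructed scan export; a real one would come from a wireless scanner.
SCAN = """ssid,bssid,encryption
store-pos,00:11:22:33:44:01,WPA2
store-guest,00:11:22:33:44:02,WEP
ACME-Payments,00:11:22:33:44:99,WPA2
linksys,AA:BB:CC:DD:EE:FF,OPEN
"""


def review_scan(scan_csv, inventory=INVENTORY):
    """Return (bssid, finding) pairs for every checklist violation seen."""
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        ssid = row["ssid"]
        bssid = row["bssid"].lower()
        enc = row["encryption"].upper()

        # 11.1: anything not in the inventory is a rogue-AP candidate.
        if bssid not in inventory:
            findings.append((bssid, f"unknown BSSID broadcasting '{ssid}': possible rogue AP (11.1)"))
        elif inventory[bssid] != ssid:
            findings.append((bssid, f"SSID '{ssid}' differs from inventory '{inventory[bssid]}' (11.1)"))

        # 4.1.1: WEP or no encryption is never acceptable for in-scope traffic.
        if enc in ("WEP", "OPEN"):
            findings.append((bssid, f"{enc} in use; require WPA/WPA2 (4.1.1)"))

        # 2.1.1: SSID must not reveal the entity and must not be a factory default.
        if ENTITY_NAME in ssid.lower():
            findings.append((bssid, f"SSID '{ssid}' reveals the entity name (2.1.1)"))
        if ssid.lower() in DEFAULT_SSIDS:
            findings.append((bssid, f"SSID '{ssid}' is a factory default (2.1.1)"))
    return findings


if __name__ == "__main__":
    for bssid, finding in review_scan(SCAN):
        print(f"{bssid}: {finding}")
```

The check keys on BSSID rather than SSID because an SSID is trivially copied; an unknown BSSID carrying a legitimate-looking name is exactly the rogue access point described in the "trust problems" attack above.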
Visa is aware of compromises of credit and debit card account information resulting from the improper storage of magnetic stripe data (“track data”) after transaction authorization is completed. Track data refers to the information encoded in Track 1 and Track 2 contained within the magnetic stripe on the back of a payment card. This information is received by a merchant’s point-of-sale (“POS”) system when a payment card is swiped through a terminal. Some merchant POS systems improperly store this data post-authorization in violation of longstanding Visa USA Operating Regulations. Hackers are aware of this vulnerability and are targeting vulnerable POS systems to steal this information. Visa has also observed compromises involving other data elements that are prohibited to store, namely Card Verification Value 2 (“CVV2”), Personal Identification Numbers (“PINs”) and PIN blocks. CVV2 is the 3-digit number typically found on the signature panel on the back of the payment card. A PIN is the secret code consumers use to conduct debit transactions, and PIN blocks are encrypted versions of a PIN.
Merchants may only store specific data elements from the magnetic stripe to support card acceptance. These data elements include: cardholder’s name, primary account number, expiration date, and service code. However, this data should only be stored if needed, and must be protected in accordance with the Payment Card Industry Data Security Standard (“PCI DSS”). Merchants can limit the damage from a compromise by not storing track data, CVV2, PINs, and PIN blocks. Merchants can also decrease their risk by only storing cardholder data if it is needed to perform their business functions. If you don’t need it, don’t store it!
Merchants may mistakenly believe they need to store prohibited elements to process merchandise returns and transaction reversals. Acquirers should ensure their merchants have proper processes for each type of transaction.
To safeguard their systems and reduce risk from a compromise, merchants should verify they are not storing prohibited data. Visa offers the following suggestions to verify prohibited data is not stored:
- Ask your POS or payment software vendor (or reseller / integrator) to confirm your software version does not store magnetic stripe data, CVV2, PINs, or encrypted PIN blocks. If it does, these data elements must be removed immediately.
- Ask your payment software vendor to share a list of files written by the application, and a summary of the content to verify prohibited data is not stored.
- Review custom POS applications for any evidence of prohibited data storage. Eliminate any functionality that enables storage of this data.
- Search for and expunge all historical prohibited data elements that may be residing within your payment system infrastructure.
- Confirm that all cardholder data storage is necessary and appropriate for the transaction type.
- Verify that your POS software version has been validated as compliant against the Visa Payment Application Best Practices (“PABP”). A list of PABP compliant applications is available on http://www.visa.com/cisp.
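The "search for and expunge" and "review files written by the application" steps need a way to recognize track data in files a POS system leaves behind. The following is an added example (not from the bulletin or Visa) that scans text for the Track 1 and Track 2 layouts described above (PAN, name, expiry, service code) and uses a Luhn check on the PAN to drop false positives; it reports findings with the PAN masked so the scanner itself does not copy card numbers anywhere. The sample log lines are constructed and use widely published test card numbers rather than real accounts.

```python
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code>...   Track 2: ;<PAN>=<YYMM><service code>...
# PAN length 13-19 digits; name field is 2-26 characters and contains no '^'.
TRACK1 = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})")
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})(\d{3})")


def luhn_ok(pan):
    """Luhn checksum; card PANs pass it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep the first six and last four digits; never write the full PAN out."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text):
    """Return (line number, track kind, masked PAN) for each Luhn-valid hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
            for m in rx.finditer(line):
                pan = m.group(1)
                if luhn_ok(pan):
                    hits.append((lineno, kind, mask(pan)))
    return hits


# Constructed sample log; the two card numbers are standard test numbers.
SAMPLE = """2008-03-01 12:00:01 AUTH approved ref=12345
2008-03-01 12:00:02 DEBUG raw=%B4111111111111111^DOE/JANE^2512101000000?
2008-03-01 12:00:03 DEBUG raw=;5555555555554444=25121010000000000?
2008-03-01 12:00:04 DEBUG raw=;1234567890123=2512101? (fails Luhn, not a card)
"""

if __name__ == "__main__":
    for lineno, kind, masked in find_track_data(SAMPLE):
        print(f"line {lineno}: {kind} data, PAN {masked}")
```

Run over a POS host's log, temp and database-export directories, a scan like this answers the bulletin's first two verification questions directly; anything it finds in post-authorization storage is data the vendor's file list should have disclosed and that must be expunged. It does not find CVV2 or PIN blocks, which have no distinctive format, so those still have to be verified from the vendor's file inventory.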