Clothing store chain Eddie Bauer said it has detected and removed malicious software from point-of-sale systems at all of its 350+ stores in North America, and that credit and debit cards used at those stores during the first six months of January may have been compromised in the breach. George Rice, senior director, payments at HPE Security – Data Security commented below.
George Rice, Senior Director, Payments at HPE Security – Data Security:
“Retail malware is typically designed to steal clear data in memory from Point of Sale (POS) applications, resulting in the loss of magstripe data, EMV card data or other sensitive data exposed at the point of sale. And unfortunately, POS systems are often the weak link in the chain — they should be considered insecure even after implementing EMV. A POS terminal in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data.
Any businesses using POS systems can avoid the impact of these types of advanced attacks. Proven methods, such as Format-Preserving Encryption are available to neutralise data from breaches either at the card reader, at the point of sale, in person or online. Leading retailers and payment processors have adopted these data-centric security techniques with huge positive benefits: reduced exposure of live data from the reach of advanced malware during an attack, and reduced impact of increasingly aggressive PCI DSS 3.2 compliance enforcement laws, laws aimed at making data security a ‘business as usual’ matter for any organisation handling card payment data.
The good news is that savvy merchants are implementing Format-Preserving Encryption, giving the malware nothing to steal, which also has a dramatic cost reducing benefit to PCI compliance. Encrypting the data in the card reading terminal ahead of the POS eliminates the exposure of live information in vulnerable POS systems. The attackers get only useless encrypted data.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.