Visa alerts restaurants to lax POS installation
Source: Visa U.S.A.
The alert came eight days after the Department of Justice announced the arrest of most of the participants in a debit card theft ring operating in three restaurants in Los Angeles. That ring allegedly used "skimmers" to obtain account data on upward of 100 patrons. Yet Visa's alert emphasized the proper installation and use of POS equipment and systems.

"We've observed over the last several months a number of small to medium-sized restaurants that have had compromises for a variety of factors linked to ... [reliance] on third-party firms to implement POS systems," said Martin Elliott, Visa's Vice President for Emerging Risk. FBI Special Agent Julia Jolie, who tracks cyber crime and identity theft, said she was not aware of any recent cases concerning restaurant POS system breaches.

Integrators, resellers and other third-party installers vary in their ability to properly configure common security controls and may leave behind vulnerable POS systems, Visa reported. The card Association has received reports from merchants and "the market" in recent months about such problems at restaurants nationwide, Elliott said. "Recognizing that you hire someone to implement precautions doesn't mean all the things you expect to happen [will] happen," he said.

Elliott firmly believes it is a "shared responsibility" among payments-application developers; resellers/integrators, who should make sure their POS systems don't store data; and merchants, who should ask vendors when their systems will make the Visa Payment Application Best Practices list of compliant applications, if they haven't already.

Elliott said system vulnerability may lead to two types of data compromise: internal, such as employees with inappropriate access to credit card data, or security holes that leave open back doors for hackers to exploit. In the latter, a third-party installer may fail to install a firewall or to segregate an Internet-based POS system from other Internet applications on the same computer.
"If your waiters log on to the Internet to surf the Web and you don't have segregation, you may have employees downloading Trojans and viruses that may be used to compromise your system," Elliott said.

Merchants should ask their processors or ISOs if they use a default password with all their restaurant merchants, because the common password could leave their systems open to intruders from other restaurants, known as a one-to-many attack, he said.

"If there is one theme that is most helpful to the merchant and ISO community, it is to make sure your payment applications are not inadvertently storing track data," Elliott said. "Your employees with access may find that data, download it and away they go. If I'm an ISO, I may want to drop in and say, 'Let's make sure your system isn't storing that data.'"
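As an added, defender-side example (not from the article, Visa or any POS vendor), the check an ISO or merchant could run for the problem Elliott describes: scanning POS log output for retained track data or full card numbers. The log lines, the public Visa test PAN 4111111111111111 and all function names are constructed for illustration.

```python
import re

# Constructed sample POS log excerpt (not from the article); the PAN is the
# public Visa test number 4111111111111111, not a real account.
SAMPLE_LOG = """\
2006-05-01 12:01:03 auth ok ref=1001 amt=42.10 pan=411111******1111
2006-05-01 12:03:44 debug raw=%B4111111111111111^DOE/JOHN^0905101123400000?
2006-05-01 12:04:10 debug raw=;4111111111111111=09051011234000000?
2006-05-01 12:05:00 auth ok ref=1002 amt=17.95 pan=411111******1111
"""

# ISO/IEC 7813 layouts: track 1 is "%B<PAN>^<name>^<YYMM><svc>...?", track 2 is
# ";<PAN>=<YYMM><svc>...?". Either one in a log means the application keeps
# data that must not be retained after authorization.
TRACK1 = re.compile(r"%B(\d{12,19})\^[^^?]{2,26}\^\d{7}[^?]*\?")
TRACK2 = re.compile(r";(\d{12,19})=\d{7}[^?]*\?")
PAN = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")  # bare PAN, confirmed by Luhn below

def luhn_valid(digits: str) -> bool:
    """Mod-10 check; drops reference numbers and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(pan: str) -> str:
    """First six and last four only, so the report is not another copy of the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_line(line: str) -> list[tuple[str, str]]:
    """Return (kind, masked_pan) findings for one log line."""
    findings = [(kind, mask(m.group(1)))
                for kind, pat in (("track1", TRACK1), ("track2", TRACK2))
                for m in pat.finditer(line)]
    if findings:  # track data already contains the PAN; do not report it twice
        return findings
    return [("pan", mask(m.group(1))) for m in PAN.finditer(line)
            if luhn_valid(m.group(1))]

def scan_log(text: str) -> list[tuple[int, str, str]]:
    """Scan a whole log; returns (line_number, kind, masked_pan) per finding."""
    return [(n, kind, masked)
            for n, line in enumerate(text.splitlines(), start=1)
            for kind, masked in scan_line(line)]

if __name__ == "__main__":
    for lineno, kind, masked in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {kind} data present, PAN {masked}")
```

Masked PANs on lines 1 and 4 produce no finding; the two debug lines that echo raw track 1 and track 2 data are exactly what should be removed from the application's logging.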
© 2006, The Green Sheet, Inc.