IT Compliance | Solidcore Blog

Easing PCI Compliance and Security on Retail POS Systems

Mon, 18 Aug 2008 23:12:32 -0400

Runtime Control solution more optimized for POS systems than whitelisting, intrustion prevention and anti-virus

To ease the pain of PCI compliance and security on retail point of service (POS) systems, Solidcore today released POS Check and Control. The product is based on Solidcore’s “runtime control” technology that solves the rigors of POS security, malware protection and Payment Card Industry Data Security Standard (PCI DSS) compliance with minimal system and operational overhead.

Solidcore is already an established leader for securing POS systems and is deployed on nearly 100,000 POS systems worldwide. Unlike application whitelisting, host intrusion prevention systems (HIPS) and anti-virus, Solidcore provides runtime control capabilities that deliver comprehensive security with low overhead. Runtime control ensures only pre-authorized software and code can run on POS systems while securely allowing software updates from trusted sources, such as those generated by retail coupon engines. Solidcore’s runtime control also prevents disk tampering, and provides advanced memory protection to authorized software to defend against buffer overflow vulnerability attacks and zero-day exploits.

According to Gartner's John Pescatore, “Financially motivated, targeted attacks are definitely focusing on POS systems. As with all business-critical systems, merchants must ensure they start with secure POS software and configurations, and then implement and enforce strong change control and vulnerability management processes to make sure that only authorized updates are allowed.”

Tony Thompson
tthompson@solidcore.com

Credit Card Theft Blame Game

Thu, 10 Jul 2008 20:58:19 -0400

Cardtronics owned 7-Eleven ATMs uncover a new blame game for who is responsible for credit card thefts

The 7-Eleven/Citibank ATM breach points out the complexity of field deployed self-service kiosks and ATMS. They may be convenient but transactions take a very different path versus a bank-based ATM on the outside of their branch, securely connected on the corporate network.

Using networking lingo, how many "hops" does it take to get a single transaction processed from the remote ATM?

My hypothesis is the following steps:

1- Local processing at the ATM itself

2- Network transport provided by regional and local players to give connectivity

3- Transaction processing of several remote ATMs to aggregate back-end servers within 7-Eleven or Cardtronics "vcom"

4- Connectivity to the third party payment acquirer contracted by 7-Eleven or Cardtronics to provide settlement services

5- Payment Acquirer connectivity and settlement services with Citibank

This is a good example of semi-trusted cooperative networking at its best. The Payment Card Industry Data Security Standard (PCI DSS) expects that compliance is upheld with all those that touch a payment network. However compliance takes people, process and technology, and it is only a baseline for security. The PCI core strategy is know who is accessing the network and log activity, and to monitor for exceptions. When you outsource or trust a service provider, then who is to blame? With all of the hops listed above, can you believe that a single piece of malware went unoticed at some point in this scenario?

Trust and Faith in partners and suppliers is appropriate. But I also like Control and Prevention. Like many of our current customers, they know that Preventing and Detecting Change is important, that's why Solidcore is used today in over 60,000 ATMs worldwide!

Kim Singletary
Director of Embedded Solutions
ksingletary@solidcore.com

Tomatoes and Security

Tue, 08 Jul 2008 17:31:22 -0400

Similarities between the recent tomato incident and POS security

As I cooked this weekend, I reached into my refrigerator for some tomatoes. These were not home grown but store bought, and I had just finished reading a New York Times article about the potential for salmonella. I inspected the red round fruit and found them to be in perfect shape, with no bruises, cuts or punctures. I also washed them thoroughly and felt I could safely eat them. While it's great that we are able to monitor and track these types situations, but why can't there be better protection from them?

From the NY Times article: "No one knows whether food has gotten more dangerous or whether the growing number of outbreaks results from better surveillance, said Dr. Patricia Griffin, the chief of the disease centers’ enteric disease epidemiology branch. Both may be true, Dr. Griffin said."

The Payment Card Industry Data Security Standard (PCI DSS) is all about tracking and monitoring changes in the environment of payment card systems. However, l see many similarities from the tomato incident that also apply to point-of-sale (POS) security. Tracking and monitoring help to triage a situation, but its not security. Some lessons learned that apply to both situations:

Know what's running on your system. Put it under a microscope and identify only the applications necessary for the POS system - all others should be consider potential harmful. Many threats hide themselves almost invisibly within the system files, very much like the bacteria on the infected tomatoes.
Don't rely on others for critical functions. Don't assume the vendors, distributors or suppliers have deployed sanitized systems for your POS processing, but verify it for yourself. It may be packaged for convenience but always apply a second cleansing to ensure safety.
Deploy technology that provides true protection - not just tracking and monitoring. PCI DSS is a guide for providing a baseline for operating practices, it is not a security method. Look for technology that goes beyond the PCI requirements and provides protection from future threats. My recommendation for POS security is Solidcore's S3 Control Embedded for lock-down. My recommendation for tomatoes is a portable UV Disinfector Home Scanner & Sterilizer.

Eat well!

Kim Singletary
Director of Embedded Solutions
ksingletary@solidcore.com

IT Compliance | Solidcore Blog

Easing PCI Compliance and Security on Retail POS Systems

See Also

Credit Card Theft Blame Game

See Also

Tomatoes and Security

See Also