There’s a moment in every POS transaction when data collected from payment cards is at its most vulnerable. It’s the moment when the cardholder’s name, card number, expiration date and security code sit unencrypted in the POS system’s memory. If malware is present in the POS system, it can capture that cardholder information and transmit it to a cybercriminal somewhere.
This can happen again and again until the malware is detected. By then, the data of thousands of cardholders may have become compromised – and a whole new batch of potential identity theft victims has been created.
This method of stealing data from system memory is called “RAM scraping,” and is believed to have been employed in headline-grabbing security breaches such as the one against Target in late 2013 and another on Neiman Marcus a few months later. The estimated number of cardholders affected by these two breaches topped 110 million. (Incidentally, Neiman Marcus reported a new breach earlier this year.)
While the Payment Card Industry (PCI) standard requires encryption for cardholder data in motion and in permanent storage, the data has to be decrypted for processing in RAM. There’s simply no way to process credit card data without decrypting it first. Temporary though that state is, it lasts long enough for a RAM scraper to do its work.
Partitioning the POS application from the credit card processing helps address this vulnerability, but even so, hackers can find a way in. And as retailers and restaurants deploy smartphones and tablets for POS and card processing, the potential for data theft increases. When payment card data enters the mobile device, it is as vulnerable as when processed by POS RAM.
In securing POS systems, IT professionals need to think in terms of exfiltration, as opposed to focusing almost exclusively on incoming threats. Hackers can get to POS systems through various paths, such as a breach of the POS device itself, a hack of the WiFi network connected to the POS, or even an attack on a server somewhere in the network. The last of these is the least likely because it requires a sophisticated level of skill, but it’s not impossible.
Clearly, you have to guard the entry points but it’s unrealistic to expect you can stop 100 percent of incoming threats. Phishing, for instance, is extremely effective because it preys on people’s trust and curiosity, and malware delivered by a phish can make its way to the POS system.
So in addition to monitoring incoming threats, it’s important to also keep an eye on all exit points. You need visibility across all ports used for outgoing data and real-time capability to detect and analyze anomalies that might hint at attempts to steal data. If you can detect and contain data outflow, in addition to safeguarding entry points, you vastly increase your potential to stop POS threats.
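As an added illustration of the egress monitoring described above (example code written for this page, not from the original post or any product), the script below runs two checks over constructed POS egress records: a destination allowlist check and a scan for Luhn-valid card-number-shaped values leaving a POS host in cleartext. The log format, the allowlist and all IP addresses are assumptions made up for the example.

```python
import re
from dataclasses import dataclass

# Hypothetical allowlist of (ip, port) egress destinations for the POS
# segment: the payment processor and a patch server (constructed values).
ALLOWED_EGRESS = {("203.0.113.10", 443), ("203.0.113.20", 443)}

# Constructed sample records: timestamp, POS host, dst ip, dst port,
# bytes out, and a payload excerpt captured by the egress sensor.
SAMPLE_LOG = """\
2014-06-01T10:00:01 pos-01 203.0.113.10 443 512 POST /auth HTTP/1.1
2014-06-01T10:00:07 pos-01 198.51.100.7 8080 4096 4111111111111111=2512101
2014-06-01T10:00:09 pos-02 203.0.113.20 443 300 GET /updates/manifest
2014-06-01T10:00:12 pos-02 198.51.100.7 8080 120 ping
"""

# A PAN is 13 to 19 digits not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, which every real card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 8 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Alert:
    host: str
    reason: str
    line: str


def analyze_egress(log_text: str, allowed=ALLOWED_EGRESS) -> list:
    """Return one Alert per suspicious property of each egress record."""
    alerts = []
    for line in log_text.splitlines():
        _ts, host, dst_ip, dst_port, _nbytes, payload = line.split(" ", 5)
        if (dst_ip, int(dst_port)) not in allowed:
            alerts.append(Alert(host, f"egress to non-allowlisted {dst_ip}:{dst_port}", line))
        if any(luhn_valid(m.group()) for m in PAN_RE.finditer(payload)):
            alerts.append(Alert(host, "Luhn-valid PAN in cleartext payload", line))
    return alerts


if __name__ == "__main__":
    for a in analyze_egress(SAMPLE_LOG):
        print(f"{a.host}: {a.reason} :: {a.line}")
```

In practice the allowlist would be fed from the processor’s published endpoints and the records from a network tap or firewall export rather than an inline string.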
With monitoring of outgoing data in place, you can worry a little less about that brief moment when cardholder data is processed without encryption.