Organisations that handle card payments are at risk of cardholder details being stolen through hacking, card skimming or other methods used by criminals. High-profile cases make the news regularly, but the problem is far more widespread than that and affects businesses of all sizes. Read more: the dark truth of a data breach.
Maintaining card machine security while supporting cleanliness
Reducing the potential spread of Covid-19 means raising awareness of the risks associated with touching public-facing surfaces such as card machines and payment points. We have outlined ways to support social distancing at the point of sale and provided guidance on cleaning your card machines.
Avoid using overlays
Keeping point-of-sale (POS) devices clean is not a new topic. However, many merchants are increasingly adopting overlays (a wrapping of plastic or another layer) on top of the keypad. While this is done with the best of intentions, to reduce the spread of germs and to protect the device during cleaning, applying any type of cover to a PCI PTS approved device could introduce additional risk and could be viewed with suspicion by your customers.
- Overlays are a known method of attack that has been used to capture card account and PIN data from ATMs and POS devices. These attacks typically involve placing an overlay containing wires or an illegal card reader over the keypad. Such overlays can allow an attacker to capture the PIN, skim the card, hide tamper evidence or change the operation of the terminal.
- Even transparent overlays could conceal the presence of card skimmers or other physical evidence that the device has been compromised. It takes only a small degree of opaqueness to camouflage or conceal the presence of a wire or sensor intended to capture payment card data.
- As the use of overlays poses a security risk to both the merchant and consumer, the Payment Card Industry Security Standards Council (PCI SSC) does not endorse the use of overlays that interact with the entering of a payment card or PIN data. The use of these products also impacts the PCI device approval.
What should I do?
You should consult with your acquirer or payment brand on their position regarding the use of overlays during the current crisis.
Online scams and threats related to Covid-19
Cyber criminals have been more active than ever during the coronavirus pandemic, taking advantage of a situation in which more people are working from home and businesses are operating outside their usual workplaces and security infrastructure, and are taking payments in those same environments.
Social engineering/phishing attacks are currently the most common, according to the U.S. Secret Service. Cyber criminals are exploiting the coronavirus through the wide distribution of mass emails posing as legitimate medical or health organisations with important information about the infection. Their hope is to trick users into providing confidential data, such as a credit card number, social security number, account number or password.
How to defend against phishing/social engineering attacks
Phishing/social engineering attacks have been around for years. We have created guides to help, including how to keep your data secure while working from home, how to keep taking payments securely from outside your usual workplace and how to keep your data secure with the advent of video conferencing.
What merchants should know about P2PE v3.0
Standards relating to Point-to-Point Encryption (P2PE) have been updated. With P2PE, account data (including a cardholder’s details and other sensitive information) is encrypted at the point of interaction and remains unreadable until it reaches a secure decryption environment, which makes it less valuable if it is stolen in a breach.
A PCI P2PE solution can also significantly help to reduce the PCI Data Security Standard (PCI DSS) validation effort. However, it does not completely remove the need for such validation.
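To make the P2PE idea concrete, here is an added, self-contained model (not code from this page, from PCI SSC or from any P2PE solution provider) of the three parties involved: the PCI PTS device that encrypts card data as it is captured, the merchant's own systems that only ever see ciphertext plus a masked PAN, and the separate decryption environment that holds the key. The cipher (an HMAC-SHA256 keystream with a separate authentication tag) and the per-transaction key derivation are illustrative stand-ins chosen so the example runs with the Python standard library; a real P2PE solution uses approved cryptography such as DUKPT-managed keys. The PAN, expiry date, device identifier and base key are all constructed sample values.

```python
import hashlib
import hmac
import json
import os

# Constructed sample values for the demo: not real card data, not a real key.
SAMPLE_PAN = "4111111111111111"
SAMPLE_EXPIRY = "1227"
DEVICE_ID = "POI-DEMO-0001"
BASE_DERIVATION_KEY = hashlib.sha256(b"demo base derivation key, never use in production").digest()


def mask_pan(pan: str) -> str:
    """First six and last four digits only, the most PCI DSS permits to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def derive_transaction_key(base_key: bytes, device_id: str, counter: int) -> bytes:
    """One key per transaction, derived from a device base key and a transaction counter.
    A simplified stand-in for DUKPT-style unique-key-per-transaction derivation."""
    info = device_id.encode() + counter.to_bytes(8, "big")
    return hmac.new(base_key, b"txn-key|" + info, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a keystream generator (illustrative cipher)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _split_keys(txn_key: bytes):
    """Separate encryption and MAC keys derived from the transaction key."""
    enc_key = hmac.new(txn_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(txn_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def poi_capture(base_key: bytes, device_id: str, counter: int, pan: str, expiry: str) -> dict:
    """Runs inside the PCI PTS device: the only place in the merchant environment where the plaintext PAN exists."""
    txn_key = derive_transaction_key(base_key, device_id, counter)
    enc_key, mac_key = _split_keys(txn_key)
    nonce = os.urandom(12)
    plaintext = json.dumps({"pan": pan, "expiry": expiry}).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    # Everything that leaves the device: no plaintext PAN, only a masked PAN for receipts.
    return {
        "device_id": device_id,
        "counter": counter,
        "nonce": nonce.hex(),
        "ciphertext": ciphertext.hex(),
        "tag": tag.hex(),
        "masked_pan": mask_pan(pan),
    }


def merchant_backend_view(record: dict) -> dict:
    """What the merchant's POS software, network and logs ever get to see."""
    return {"masked_pan": record["masked_pan"], "device_id": record["device_id"], "counter": record["counter"]}


def record_exposes_pan(record: dict, pan: str) -> bool:
    """True if the full PAN appears anywhere in the record as it crosses the merchant network."""
    return pan in json.dumps(record)


def decryption_environment_open(base_key: bytes, record: dict) -> dict:
    """Runs only in the solution provider's secure decryption environment, which holds the base key."""
    txn_key = derive_transaction_key(base_key, record["device_id"], record["counter"])
    enc_key, mac_key = _split_keys(txn_key)
    nonce = bytes.fromhex(record["nonce"])
    ciphertext = bytes.fromhex(record["ciphertext"])
    expected_tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    # Reject anything altered in transit (or encrypted under a different key) before decrypting.
    if not hmac.compare_digest(expected_tag, bytes.fromhex(record["tag"])):
        raise ValueError("authentication tag mismatch: record altered or wrong key")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def tampered(record: dict) -> dict:
    """Copy of a record with one ciphertext byte flipped, to show the integrity check at work."""
    ct = bytearray(bytes.fromhex(record["ciphertext"]))
    ct[0] ^= 0x01
    return {**record, "ciphertext": bytes(ct).hex()}


if __name__ == "__main__":
    rec = poi_capture(BASE_DERIVATION_KEY, DEVICE_ID, 42, SAMPLE_PAN, SAMPLE_EXPIRY)
    print("merchant sees:", merchant_backend_view(rec))
    print("full PAN visible on merchant network:", record_exposes_pan(rec, SAMPLE_PAN))
    print("decryption environment recovers:", decryption_environment_open(BASE_DERIVATION_KEY, rec))
```

The point the model makes is the one behind the reduced PCI DSS scope: a merchant system that only ever handles `poi_capture` output cannot recover the PAN without the base key, which never leaves the decryption environment, and a record altered on the way is rejected by the tag check rather than decrypted to garbage.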
What are the changes in the P2PE Standard and Program?
Version 3.0 of the standard maintains the same approach to protecting payment data as version 2.0 but doubles the number of component providers that can validate against the standard.
The listing of individual components makes it easier for a solution provider to be aware of and select validated components for integration into their P2PE solution.
This will allow for more outsourcing for the solution and component providers, which will result in more PCI P2PE Solutions being made available.
What does it mean for you?
PCI P2PE Solutions make your data (and those of your customers’) less valuable, and therefore less attractive, to attackers. Use of a PCI P2PE Solution can also allow you to reduce where and how the PCI DSS applies within your business, increasing security of customer data while simplifying compliance with the PCI DSS.
It’s important to note that the P2PE technology that protects merchants’ payment data isn’t changing; the changes are aimed at providing more solutions for merchants. Therefore, merchants considering a P2PE solution should not wait for a P2PE v3.0 validated solution. Solutions validated against v2.0 of the Standard provide the same level of security.
What should I do?
You should consult with your acquirer about selecting and using a PCI P2PE solution.
Updated guidance: responding to a data breach
The PCI Security Standards Council, which provides data security standards, support and education globally, has recently updated its guidance document: Responding to a Cardholder Data Breach.
The updates also align with our own Account Data Compromise guide, which is intended to help you prepare to respond to an incident and to serve as a step-by-step guide should you ever face a data breach. (Available in English and German, and coming soon in Polish.)
The PCI SSC’s updated guidance covers:
- Implementing an incident response plan: Organisations should ensure effective incident-management controls are in place. PCI DSS Requirement 12.10 requires a thorough incident plan that is properly disseminated. Testing incident response plans is important too.
- Identifying, engaging and working with a Payment Card Industry Forensic Investigator (PFI): If a cardholder data breach has occurred or is suspected, the payment brands may require an independent forensic investigation to be completed by a PFI listed on the PCI SSC website*. Guidance is provided on when to engage a PFI, the independence requirements for PFIs, what to expect from your PFI, how the investigation will be reported and how best to work with your PFI for a thorough and effective investigation. There is important advice on preserving evidence and what access (physical or remote) a PFI may need to complete their work.
- Understanding stakeholder roles and responsibilities in the event of a data breach: Stakeholders in a cardholder data breach event include acquiring banks, PCI SSC, card brands, merchants and third-party service providers. This guide gives an overview of the role and responsibilities of each of these groups in ensuring PFI investigations take place quickly and effectively.
*Note: Only PFIs listed on the PCI SSC website are approved by PCI SSC to provide forensic investigation services in the event of a cardholder data breach.
Is your website still using Magento 1 Software?
If so, we recommend that you take steps to upgrade your website immediately. Find out more here.