PCI Council Issues Malware AlertAlso Provides Updated PCI-DSS Compliance Guidance
The PCI Security Standards Council has issued a bulletin offering insights for mitigating the Backoff POS malware threat (see: 1,000 Businesses Hit by POS Malware). Plus, it's released updated best practices guidance for maintaining PCI Data Security Standard compliance.
In its Aug. 27 bulletin, the PCI Council warns organizations about the risks associated with the Backoff point-of-sale malware. The alert follows an advisory from the Department of Homeland Security on Aug. 22, which estimated that more than 1,000 U.S. businesses have had their systems infected by Backoff, a new point-of-sale malware that has been linked to numerous remote-access attacks.
Backoff malware, the PCI Council notes, "has already resulted in large amounts of cardholder data being compromised and transmitted to criminal organizations."
To mitigate the malware threat, the PCI Council recommends that organizations:
- Contact anti-virus providers and ensure the organization has the most up-to-date version of the software to detect Backoff and other similar malware;
- Run the anti-virus solution immediately;
- Review system logs for any unusual or unexplained activity, especially large data files being sent to unknown locations;
- Update all default and staff passwords on systems and applications.
The PCI Council also recommends the use of point-to-point encryption, among other steps, to guard against malware threats.
Best Practices Guidance
On Aug. 28, the PCI Council released its Best Practices for Maintaining PCI DSS Compliance Information Supplement guidance to ensure ongoing security for cardholder data.
"Recent breach incidents highlight ... the increasing importance of building a culture of continuous security and vigilance to protect payment card data at all times," the council says.
The guidance, developed by a special interest group of more than 150 organizations, recommends, among other steps:
- Maintain the proper perspective, viewing the security of cardholder data as the driving objective behind PCI-DSS activities, as opposed to just a checkbox activity;
- Emphasize security and risk, not just compliance;
- Develop strategies to continuously monitor and document the implementation, effectiveness, adequacy and status of all security controls;
- Detect and respond to security control failures; and
- Create performance metrics to measure the success of security practices.
The supplemental guidance also includes examples of publicly available governance framework resources that can be used to complement PCI-DSS controls to enhance the overall effectiveness of an organization's cardholder data security program.
"Building a culture of continuous security and vigilance is vital to meet the intent of the PCI DSS, which is safeguarding payment card data at all times," says Bob Russo, general manager of the PCI Standards Security Council. "Merchants and others can use this resource to make a strong business case for prioritizing payment security as business-as-usual, not a one-time effort."