Pierluigi Paganini September 12, 2016

The Payment Card Industry Security Standards Council (PCI Council) updates its standard to reduce fraudulent activities against PoS systems.

The number of credit card frauds involving Point-of-Sale continues to increase, in the last months, numerous attacks targeted retails and hotels worldwide.

The Payment Card Industry Security Standards Council (PCI Council) has responded with the definition of a new standard to reduce fraudulent phenomena, the organization plan to improve the security of PoS systems by making them upgradeable in an easy way.

Last week, the PCI council issued the version 5.0 of the PCI PIN Transaction Security (PTS) Point-of-Interaction (POI) Modular Security Requirements.

A close look at the standard allowed the experts to notice the new requirements for the payment industry, in particular:

• The adoption of a new control that allows the upgrade of the firmware running on PoS readers. “The device must support firmware updates. The device must cryptographically authenticate the firmware and if the authenticity is not confirmed, the firmware update is rejected and deleted”
• Core Physical Security Requirements also include Tamper-proofing items so that the device can become inoperable in response to an attack. “The device uses tamper-detection and response mechanisms that cause it to become immediately inoperable and result in the automatic and immediate erasure of any sensitive data that may be stored in the device, such that it becomes infeasible to recover the sensitive data. These mechanisms protect against physical penetration of the device by means of (but not limited to) drills, lasers, chemical solvents, opening covers, splitting the casing (seams), and using ventilation openings.”;
• The devices have to be immune to side-channel attacks (i.e. monitoring of electromagnetic emanations) that could result to leaking keys;
• The device must execute self-test upon start-up to verify anomalies that could bring it in a compromised state. “The device performs a self-test, which includes integrity and authenticity tests upon start-up and at least once per day to check whether the device is in a compromised state. In the event of a failure, the device and its functionality fail in a secure manner. The device must reinitialize memory at least every 24 hours.”

The new standard aims to contrast the intensification of card skimming attacks and intends to improve the security of the payment industry.

Banks are observing a similar trend, the popular investigator Brian Krebs recently published an interesting post that warns about an alarming increase of skimming attacks for both American and European banks.

“Skimming attacks on ATMs increased at an alarming rate last year for both American and European banks and their customers, according to recent stats collected by fraud trackers.” wrote Krebs. “The trend appears to be continuing into 2016, with outbreaks of skimming activity visiting a much broader swath of the United States than in years past.”

The FICO Card Alert Service issued several warnings about a spike in ATM skimming attacks.

On April 8, FICO noted that its fraud-tracking service recorded a 546 percent increase in ATM skimming attacks from 2014 to 2015.

PoS devices that are hard to upgrade represent a serious problem for the payment industry. Upgradeable card-reading kit are expensive and the lack of proper security posture retards the adoption of necessary countermeasures. Making card readers upgradeable should mean a significant improvement of the point of sale security.

The banking industry continues to be under attack, recently chip-and-PIN technology started to be adopted in the US because it would improve the security of the customers, merchants, and financial institutions.

The new standard will be effective from September 2017 and will replace the current version 4.1.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – PCI Council er tools,  cybercrime)