Lack of PCI & PA-DSS Compliance in Recent POS Vendor Breach
The PCI DSS (Payment Card Industry Data Security Standard) program expects merchants to use only Payment Application Data Security Standard (PA-DSS) validated applications for processing cardholder data.
But as KrebsonSecurity.com reported, Jimmy John’s was not using a currently validated solution. Its POS system was PDQ POS, a product of Signature Systems. The software supported touch-screen ordering, letting cashiers send orders directly to the kitchen, and was also used by numerous small pizzerias around the country.
According to a security update posted by the company, an unauthorized person stole a username and password, used them to remotely access its clients’ POS systems, and installed malware that captured payment card data. The breach affected 216 Jimmy John’s locations and 104 independent restaurants, with the largest numbers of affected stores in Virginia and Pennsylvania.
### PA-DSS Compliance Issues for POS Software
According to the PCI SSC (Security Standards Council) listing, which records each application’s validation expiry date, PDQ POS was no longer acceptable for new installations after October 28, 2013. PA-DSS was revised in November 2013 alongside the PCI DSS 3.0 update, but it is unclear whether the expiry date is related to the new version.
PCI DSS 3.0 took effect on January 1, 2014, and validation against 3.0 became mandatory after December 31, 2014, retiring version 2.0 on the same date, according to Verizon’s 2014 PCI Compliance Report. So it is equally possible that the software’s listing had simply reached the end of its validity period, unrelated to the new versions.
Another point of concern is that PDQ POS was listed as validated against PA-DSS version 1.2, two major revisions behind version 3.0. Brian Krebs also reports that the third-party assessor that attested to the software’s compliance was the only company to have had its PA-QSA (Payment Application Qualified Security Assessor) status revoked by the PCI SSC, effective in 2011.
Furthermore, an FAQ posted by the PCI SSC states that the Council reached out to vendors whose products had been assessed by the former PA-QSA (Chief Security Officers), meaning the Council may well have notified Signature Systems that its product was no longer considered validated. Whether that notice arrived before or after the software was sold to and installed at the Jimmy John’s locations is unclear, and largely beside the point: the responsible business decision would have been to notify clients as soon as the vendor learned that its product no longer met PCI DSS expectations.
### Two-Factor Authentication Required for PCI DSS Compliance
For even more PCI headaches, read on. A statement to Krebs from a Jimmy John’s representative describes the company’s remedial security actions:
As part of our broader response to the security incident, action has already been taken in those 13 stores, as well as the other impacted locations, to remove malware, and to install and assure the use of dual-factor authentication for remote access and encrypted swipe technology for store purchases.
While it is commendable to detail the specifics of the response, the statement is also revealing about what was likely missing from the original configuration: if dual-factor authentication for remote access had to be installed after the fact, it was not in place when the stolen username and password were used. PCI DSS version 3.0 (PDF) is explicit on this point. Requirement 8.3 mandates two-factor authentication for all remote network access originating from outside the cardholder data environment, which is exactly the path a POS vendor’s support login takes. Specifically:
Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties, (including vendor access for support or maintenance).
Supporting the importance of this requirement, the Verizon 2014 PCI Compliance Report stated that:
DBIR analysis suggests that simply using something other than single-factor username/password credentials would have likely thwarted 80% of the hacking attacks we investigated.
The report finds that 62 percent of respondents were fully compliant with PCI DSS Requirement 8 in 2013, up from only 22.6 percent the year before. Verizon attributes the rise to greater awareness and understanding of two-factor authentication, noting that authentication tools have since become more available to security administrators and users alike.
So it is quite possible Jimmy John’s was not compliant with Requirement 8.3 at the time of the breach, on top of running an expired POS application that had been validated by an assessor whose PA-QSA status was later revoked. That is a few too many gaps for a large franchise brand, even when each location is independently owned and operated.
For more on franchisee security responsibility, including coverage of the Home Depot, Dairy Queen, Goodwill and Supervalu breaches, check out Franchise Data Breaches: Risking the Brand for Franchisee Autonomy.
For more on POS security, check out:
U.S. Gov Recommends 2FA for POS Remote Access Security
POS Remote Access Software: Vulnerable Without 2FA
Default Passwords: Breaching ATMs, Highway Signs & POS Devices
Target Breach: Vendor Password Exploit
POS Malware: A PCI Nightmare