PCI SSC Releases Security Guidance on Protecting POS Terminals
The onslaught of low-tech breaches and malware targeting retail organizations has prompted government officials, security experts and the compliance regulators to pay attention as they realize that we need to up our game when it comes to defending against the latest threats to customer payment data.
The latest move comes from the PCI SSC (Payment Card Industry Security Standards Council); they recently published updates to a document to help retailers secure their point-of-sale (POS) terminals, called Payment Card Industry (PCI) Terminal Software Security (PDF). PCI DSS requires merchants or anyone dealing with payment card data to secure their environments according to their prescriptive list of standards.
But the PCI SSC may have realized that there could be better guidance for POS terminals, as this document outlines security measures involved in the development of software designed to run on PCI PTS (PIN transaction security) POI (point of interaction)-approved devices, including payment and non-payment applications, EMV kernels and other libraries, and third-party (open source) software.
Establish Roles to Ensure Security
One of the first guidelines they offer is to establish certain roles on the software development team. Most importantly, they recommend appointing a ‘security champion’: the technical person with primary responsibility for keeping up to date with threats that could affect the software, and for ensuring that secure coding standards are maintained and actually used.
The other roles include the software developer, the peer reviewer, and the release authority (the person responsible for approving the final software before release). Each of these roles has to be trained in secure coding practices and policies, and kept informed of the latest threats to the industry.
Implement a Secure Software Development Process
For reference, the PCI SSC included a diagram to show how the cycle of software development should include security and testing practices:
The PCI SSC provides an entire list of terminal software security best practices and sub-practices with more detailed and prescriptive security controls. Here are a few:
- Document all software, including interfaces, system architecture, and more
- All software should be well-structured and commented
- Establish a rigorous change management system
- Write, maintain and use stringent secure coding standards
- Stringent secure coding standards specific to payments should be written, maintained and used
- The application should support and enforce the use of unique user rights, separating administrative from operator functions.
- The use of hardcoded passwords is prohibited
- If the application or third-party app uses external libraries, gems or other open-source resources, they should be obtained from a reliable source
They also provide guidance for device-level testing and internal process reviews, with further detail on how to test that each control has been implemented correctly.
In October, the White House also took steps toward more secure payment transactions by signing the BuySecure executive order, which requires agencies to use multiple factors of authentication whenever web apps are used to provide citizens with their personal data. It also emphasizes the importance of an effective identity-proofing process to ensure that only authorized persons receive access to personal data.
Another aspect of the overall BuySecure initiative is to implement chip and PIN technology to secure consumer-government transactions, by requiring the new technology for cards issued to government employees and by upgrading retail payment card terminals at federal agency facilities to accept chip and PIN-enabled cards, according to a blog post on WhiteHouse.gov.
EMV is an international standard for authenticating credit and debit card transactions, a joint effort between Europay, MasterCard and Visa to ensure the security and interoperability of chip-based payment cards. According to SmartCardAlliance.org, the U.S. is one of the last countries to migrate to EMV.
However, adopting EMV alone is not a sure way to stop the prevalence of data breaches, and the recommendations of the PCI SSC and the federal government on cybersecurity reflect that sentiment with a nod to many other security steps that need to be taken - including security training, secure coding, documentation, testing and a focus on access controls and authentication security.
Learn more about the new risks to payment card data, with a few security recommendations to boot:
A Modern Guide to Retail Data Risks
Avoiding Catastrophic Data Breaches in the Retail Industry
In this guide, you’ll learn:
- New risks to the retail industry presented by cloud, mobile and Bring Your Own Device (BYOD)
- Business and compliance drivers for strengthening authentication security
- How outdated security solutions can no longer effectively protect retailers and consumers alike
- How implementing a modern two-factor authentication solution can work to protect the new IT model
Ideal for CISOs, security, compliance and risk management officers, IT administrators and other professionals concerned with information security, this guide is for IT decision-makers who need to implement strong authentication security, as well as those evaluating two-factor authentication solutions for organizations in the retail industry.