Visa has released an updated report on security breaches. It shows clearly that, within the retail industry, Level 4 franchises account for the vast majority of breaches (96-97% from January 2009 to June 2010). Restaurants and lodging/hotels make up about 35% of those breaches.
A proposed explanation is that “Many Corporate Franchisors have traditionally fallen outside the scope of Merchant and Agent PCI DSS validation programs”. One might conclude from that statement that entities inside the scope of compliance validation are breached far less often than those outside it.
The most common attack vectors are reported to be keyloggers and memory parsers (malware that scrapes card data from the memory of POS processes). Default accounts, misconfigured network settings (e.g. direct remote access to a database holding cardholder data) and single-factor remote access are also cited as contributing factors. Web-application attacks account for a relatively small share. Eight countermeasures are suggested:
- For remote access, consider two-factor authentication
- Utilize host-, application- and network-based Intrusion Detection Systems (“IDS”), and ensure a sound notification system is in place
- Utilize host-, application- and network-based Intrusion Prevention Systems (“IPS”), and ensure a sound notification system is in place
- Ensure antivirus, anti-spyware and anti-malware software are up to date, and ensure a sound notification system is in place
- Implement file integrity monitoring to detect unauthorized file changes and alert security personnel
- Periodically reboot Point-of-Sale systems to clear volatile memory (the data that memory parsers target)
- Address patch management, password management and the overall security configuration
- Perform regular application penetration tests, which are essential for finding known vulnerability classes (SQL injection, cross-site scripting, etc.)
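Of the eight countermeasures, file integrity monitoring is the one that reduces to a mechanism small enough to show in full: hash every file under the POS application tree, store the baseline somewhere the POS host cannot rewrite, then periodically re-hash and diff to surface dropped malware (such as a keylogger DLL), trojaned binaries and deleted files. The following Python is an added example written for this post, not code from Visa's report or from any FIM product; the `pos_app` directory, its files and the simulated tampering are constructed for the demo. Permission changes are flagged alongside content changes because a world-writable config file is often the first step of a compromise.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Walk the tree under root and record relative path -> sha256, size, mode.

    Symlinks and non-regular files are skipped so an attacker cannot make the
    monitor follow a link out of the monitored tree.
    """
    root_path = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root_path):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.stat()
            rel = p.relative_to(root_path).as_posix()
            baseline[rel] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return files added, removed, or modified (content or permissions) since baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current)
        if baseline[p]["sha256"] != current[p]["sha256"]
        or baseline[p]["mode"] != current[p]["mode"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a fake POS install, tamper with it, then diff."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "pos_app"  # hypothetical POS application directory
        (app / "bin").mkdir(parents=True)
        (app / "bin" / "pos.exe").write_bytes(b"original binary")
        (app / "config.ini").write_text("[db]\nhost=10.0.0.5\n")
        (app / "readme.txt").write_text("legit file\n")

        baseline = build_baseline(app)
        # In production the baseline goes to a write-once store or a remote
        # collector, not onto the POS host it describes.
        baseline_file = Path(tmp) / "baseline.json"
        baseline_file.write_text(json.dumps(baseline, indent=2))

        # Simulated compromise: patched binary, dropped keylogger DLL, deleted file.
        (app / "bin" / "pos.exe").write_bytes(b"original binary" + b"\x90" * 16)
        (app / "bin" / "kl.dll").write_bytes(b"keylogger stub (constructed)")
        (app / "readme.txt").unlink()

        stored = json.loads(baseline_file.read_text())
        return compare(stored, build_baseline(app))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The diff is only as trustworthy as the baseline store and the host running the comparison; a scheduled job on the POS itself is a start, but the alerting path should terminate in the notification system the list above calls for, not in a log file the attacker can also edit.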
Visa has therefore created a new category, Corporate Franchise Servicer, to address these breaches. It does not increase requirements for any entity already validating PCI DSS compliance.