Ram Scraper Malware: Why PCI DSS Can't Fix Retail

[InfoSec News <alerts () infosecnews org>]

http://www.darkreading.com/attacks-breaches/ram-scraper-malware-why-pci-dss-cant-fix-retail/a/d-id/1297501

By Brian Riley
Dark Reading
7/23/2014

There is a gaping hole in the pre-eminent industry security standard aimed 
at protecting customers, credit card and personal data

Target, Neiman Marcus, Michael’s, and possibly P.F. Chang’s all have one 
thing in common: They are recent victims of a type of malware called a RAM 
scraper that infects point of sale (POS) terminals. These data breaches 
occurred despite some, if not all, of these merchants complying with 
industry security standards.

In Target’s case, government analysts estimate the total financial impact 
could reach as high as $12.2 billion. And the fallout continues. Target’s 
CEO Gregg Steinhafel set a new precedent, marking the first time that the 
head of a major corporation resigned due to a data breach. Merchants 
clearly must go beyond merely complying with industry security standards 
to reduce their risk, especially in relation to POS terminal malware.


Why PCI DSS does not apply

As you undoubtedly know, point of sale (POS) terminals are computers with 
card readers. Most computers have permanent storage, such as hard drives 
or flash memory, and temporary storage, such as random access memory 
(RAM). The security standard that dictates how payment card data is 
protected is called the Payment Card Industry Data Security Standard (PCI 
DSS). It requires merchants to encrypt credit card data residing on 
permanent storage or traversing its publicly accessible networks, but not 
while being processed in RAM.

[...]

--
Evident.io - Continuous Cloud Security for AWS.
Identify and mitigate risks in 5 minutes or less.
Sign up for a free trial @ https://evident.io/