Retail malware: PCI-DSS is part of the problem, says retail security specialist Slava Gomzin

PCI-DSS fails to address widespread use of memory-scraping malware

When the Payment Card Industry Data Security Standard (PCI-DSS) was first introduced in 2004, the move was in response to a series of breaches that demonstrated how exposed credit and debit card information could be at retailers, large and small, that hadn't properly considered cyber security.

The standard, which has been widely criticised as a prescriptive and expensive tick-box exercise, sought to address those security breaches in the early 2000s in order to make sure they could never happen again.

And, initially, it was successful: the publicity surrounding the attacks and how they had been perpetrated, together with the detailed check-list provided by PCI-DSS, helped retailers to tighten up their security.

The trouble is, says Slava Gomzin, a retail security expert and the author of "Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions", because PCI-DSS measures were essentially backward looking, they have proved increasingly ineffective at helping organisations protect against a range of emerging threats to their PoS systems - despite frequent point upgrades to the PCI-DSS standard.

"The problem with PCI-DSS is that it initially put some controls around the cardholder data that is stored on the hard drive. That's because 10 years ago, most of the security breaches were associated with card details stolen from hard drives because it was the easiest way to get card data: just penetrate the network, look for a PoS machine and copy the information from the hard drive," says Gomzin.

"PCI-DSS specified controls around that, but didn't throw any significant controls around computer memory, network communications or application code, so these areas are still not protected," he adds.

Gomzin's warning comes after a series of new attacks on retailers' PoS systems, most recently at US restaurant chain PF Chang, and eight months after US retail chain Target was spectacularly cracked and the details of more than one million credit and debit cards stolen.

"When you swipe a card at the PoS, in most applications the cardholder data - the primary account number, the cardholder name and the expiration date - are readable in computer memory in clear text. And, furthermore, they are sent between the PoS system and the card authoriser in clear text; it's not encrypted," says Gomzin.

"And this is compliant with the PCI-DSS standard," he emphasises. "In fact, most of the merchants that have experienced card-data security breaches recently, such as Target, were PCI-DSS compliant."

Dave Birch, founder and "global ambassador" at payments consultancy Consult Hyperion, believes that a new approach is needed.

"I think the days of spending more and more on security like PCI-DSS are drawing to an end. The PAN [primary account number]-centric card solutions will soon be replaced by chip and pin, tokenisation and new (identity-centric) alternative mechanisms," says Birch.

Belatedly, the US is taking steps towards chip-based cards that hold data in an encrypted form, replacing the unencrypted magnetic stripe synonymous with payment cards since their introduction more than 50 years ago. But this will take years to complete and will still only protect one element in the payment process. Merchants' hardware will also need to be updated.

More importantly, though, says Gomzin, chip-based cards cannot protect online transactions any better against fraud - yet it is online transactions that increasingly require extra protection.

"After EMV [the chip-and-pin standard] was introduced in Europe, 'brick and mortar' fraud fell and online fraud grew," says Gomzin. Once the US (finally) adopts chip-and-pin, cards in Europe will at last be able to ditch the magnetic stripe, making them much more secure. Gomzin believes, though, that hackers will then turn their attention to chip-and-pin in earnest - and uncover and exploit a plethora of new vulnerabilities.

To fully secure PoS systems, advises Gomzin, organisations ought to implement the kind of point-to-point encryption of card data deployed in cash machines, which is available from such companies as Magtek, Thales, Shift4 and T-Sys - but perhaps using something stronger than the Data Encryption Standard (DES) or Triple-DES.

Birch suggests that there are essentially just two ways to improve the security of payment data at the PoS. "One is to make the payment data harder to steal [this is, broadly speaking, the PCI-DSS approach] and the other is to make the stolen data harder to use [by making it useless].

"Up until now the industry has focused on the former. Uncharitable people might say that this is because it allows the financial services side of the business to transfer some of the costs on to the retail side of the business, but the latter is overall more cost-effective because it does not depend on security at every intermediate stage.

"This is why tokenisation, mobile phones and digital identity offer a way forward that is better for everyone," says Birch.

That, though, would require a big change in the way that people think about payments and, for many people familiar and comfortable with the status quo, would require a huge leap of faith.
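Two of the points above lend themselves to a concrete illustration: Gomzin's observation that the PAN, name and expiry sit in PoS memory and on the wire in clear text, and Birch's distinction between making card data harder to steal and making stolen data useless. The following Python is an added example written for this page, not code from Gomzin, Birch or any of the vendors named above. It models a PoS transaction record in both designs and runs the kind of DLP-style check a defender would run over a memory or packet dump (13 to 19 digit runs that pass the Luhn check). The `TokenVault` class is a hypothetical stand-in for an HSM-backed token service provider; the record layouts and the sample PAN (the standard `4111111111111111` test number) are constructed for the example.

```python
import re
import secrets

# Classic Luhn-valid test PAN used by payment SDKs; constructed sample, not real card data.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check that PANs carry."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


PAN_PATTERN = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def find_cleartext_pans(buf: bytes) -> list[str]:
    """DLP-style scan: every 13-19 digit run in a memory or packet dump that passes Luhn.

    Run over a PoS process dump or a capture of PoS-to-authoriser traffic, this is how
    a defender confirms whether cardholder data is exposed in clear text.
    """
    return [m.group().decode() for m in PAN_PATTERN.finditer(buf)
            if luhn_valid(m.group().decode())]


class TokenVault:
    """Minimal token service (hypothetical): the token-to-PAN map lives here, off the PoS.

    In a real deployment the PAN-for-token swap happens in the tamper-resistant reader
    or at the acquirer, so the merchant's PoS application never handles the PAN at all.
    """

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        while True:
            # Format-preserving token: same length, real last four digits for receipts
            # and customer lookup, random leading digits. Candidates that happen to pass
            # Luhn are rejected so a token can never be mistaken for, or used as, a PAN.
            head = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            candidate = head + pan[-4:]
            if not luhn_valid(candidate) and candidate not in self._by_token:
                self._by_token[candidate] = pan
                return candidate

    def detokenize(self, token: str) -> str:
        """Only the token service can map a token back; stolen tokens are useless elsewhere."""
        return self._by_token[token]


def insecure_pos_record(pan: str, name: str, expiry: str) -> bytes:
    """What a typical PoS holds in memory and sends upstream today (constructed layout)."""
    return f"PAN={pan};NAME={name};EXP={expiry}".encode()


def tokenised_pos_record(pan: str, expiry: str, vault: TokenVault) -> bytes:
    """The same transaction once the PAN has been replaced by a token (constructed layout)."""
    return f"TOKEN={vault.tokenize(pan)};EXP={expiry}".encode()


def demo() -> tuple[list[str], list[str]]:
    """Scan both record styles; returns (PANs found in insecure record, PANs found in tokenised record)."""
    vault = TokenVault()
    exposed = find_cleartext_pans(insecure_pos_record(SAMPLE_PAN, "DOE/JANE", "2512"))
    protected = find_cleartext_pans(tokenised_pos_record(SAMPLE_PAN, "2512", vault))
    return exposed, protected


if __name__ == "__main__":
    exposed, protected = demo()
    print("cleartext PANs in insecure record:", exposed)
    print("cleartext PANs in tokenised record:", protected)
```

The scan finds the full PAN in the first record and nothing in the second: the tokenised record still carries enough (last four digits, expiry) for receipts and refunds, but a memory scraper or network tap that copies it gets a value that fails Luhn and that no issuer will authorise. That is the "make the stolen data harder to use" path in Birch's terms; it does not depend on every intermediate system being secured, which is the weakness of the harder-to-steal approach the article describes.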