The Payment Card Industry Security Standards Council on Wednesday issued a bulletin urging retailers to immediately review their security controls to ensure point-of-sale systems are protected against "Backoff," a memory-scraping malware family of the same kind that was used in the massive data theft at retailer Target last year.
The bulletin instructed all covered entities to update their antivirus suites and to change default and staff passwords controlling access to key payment systems and applications.
The council, which is responsible for administering the PCI security standard, also urged merchants to inspect system logs for strange or unexplained activity, especially those involving transfers of large data sets to unknown locations.
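The log-inspection step above is easy to state and tedious to do by hand. As an added example, not part of the PCI bulletin or this article, the script below aggregates outbound bytes per (source host, destination) from a handful of constructed firewall-style log lines and reports destinations that are not on a known-processor allowlist and that received more than a threshold of data. The log format, the allowlist addresses and the 5 MiB threshold are all assumptions chosen for the example; a real deployment would read the merchant's own firewall or proxy export and allowlist its actual acquirer, processor and update endpoints.

```python
"""Flag large outbound transfers to destinations outside an allowlist.

Added example (not from the PCI bulletin or the article). The bulletin tells
merchants to look for transfers of large data sets to unknown locations; this
sums outbound bytes per (source, destination) pair and reports pairs that are
not allowlisted and exceed a byte threshold.
"""
from collections import defaultdict
import re

# Constructed sample log lines (not real traffic). The line format is
# hypothetical: "<timestamp> src=<ip> dst=<ip>:<port> bytes_out=<n>".
SAMPLE_LOG = """\
2014-08-20T02:01:11 src=10.10.5.21 dst=203.0.113.10:443 bytes_out=18234
2014-08-20T02:03:40 src=10.10.5.21 dst=198.51.100.77:443 bytes_out=5120000
2014-08-20T02:05:02 src=10.10.5.21 dst=198.51.100.77:443 bytes_out=7340032
2014-08-20T02:06:55 src=10.10.5.22 dst=203.0.113.10:443 bytes_out=22000
2014-08-20T02:08:13 src=10.10.5.22 dst=192.0.2.45:8080 bytes_out=900
this line is malformed and is skipped by the parser
"""

# Hypothetical allowlist: the merchant's payment processor endpoint.
KNOWN_DESTINATIONS = {"203.0.113.10"}

# Hypothetical threshold: total outbound bytes from one POS host to one
# unknown destination above which a finding is raised.
BYTE_THRESHOLD = 5 * 1024 * 1024  # 5 MiB

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+) "
    r"bytes_out=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield {
            "ts": m["ts"],
            "src": m["src"],
            "dst": m["dst"],
            "port": int(m["port"]),
            "bytes": int(m["bytes"]),
        }


def find_large_unknown_transfers(text, allowlist=KNOWN_DESTINATIONS,
                                 threshold=BYTE_THRESHOLD):
    """Return [(src, dst, total_bytes)] for non-allowlisted destinations whose
    cumulative outbound volume from one source reaches the threshold,
    largest transfer first."""
    totals = defaultdict(int)
    for rec in parse_log(text):
        if rec["dst"] in allowlist:
            continue  # traffic to a known processor/update endpoint
        totals[(rec["src"], rec["dst"])] += rec["bytes"]
    findings = [(src, dst, n) for (src, dst), n in totals.items() if n >= threshold]
    return sorted(findings, key=lambda f: -f[2])


if __name__ == "__main__":
    for src, dst, n in find_large_unknown_transfers(SAMPLE_LOG):
        print(f"{src} -> {dst}: {n} bytes to a destination not in the allowlist")
```

On the constructed sample this reports a single finding, the POS host 10.10.5.21 sending about 12 MB to 198.51.100.77. The check is deliberately volume-based rather than signature-based: it does not need to know what Backoff's exfiltration looks like, only what normal POS egress looks like, which is why the allowlist matters more than the threshold. Encrypted or chunked exfiltration over a long period can still slip under a per-window threshold, so treat this as one signal alongside antivirus alerts and unexpected remote-access logons.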
"The PCI Council additionally recommends that merchants consider implementing PCI-approved point-of-interaction (POI) devices" for encrypting credit and debit card data as the card is swiped or dipped into a payment terminal. Merchants should also consider deploying point-to-point encryption technologies to ensure that card data remains protected until received by a secure decryption facility, the advisory noted.
Companies that have been compromised by Backoff should notify their banks immediately, the council stated.
The bulletin reflects the growing concerns within the payment industry over Backoff, which hackers use to steal payment card data from point-of-sale (POS) systems.
The malware was first observed last October but remained undetected by antivirus tools until this month.
The U.S. Department of Homeland Security and the U.S. Secret Service believe that Backoff has already infected POS systems at more than 1,000 small, midsize and large businesses. The earlier breaches at Target and Neiman Marcus, which involved similar memory-scraping POS malware, show the scale of the problem: more than 40 million payment cards were compromised in the Target breach alone, while the Neiman Marcus compromise exposed data on some 1.1 million cards.
In a bulletin issued last week, the DHS and the Secret Service said they had responded to "numerous incidents" over the past year involving Backoff. So far, seven vendors of POS systems have confirmed that multiple customers were affected by the malware, the bulletin said.
Last week's bulletin was a follow-up to one released by the DHS and the Secret Service in July warning businesses about Backoff's use in targeted attacks against U.S. retailers. That bulletin warned that attackers were locating commonly used enterprise remote desktop tools exposed to the Internet, brute-forcing weak or default login credentials, and using that access to break into retail POS systems and plant the Backoff malware.
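The remote-access path described above leaves a trail before any card data is stolen: a burst of failed logons from one address, followed by a success. As an added example, not part of the DHS/Secret Service bulletin or this article, the script below walks constructed logon records modelled loosely on Windows Security events 4625 (failed logon) and 4624 (successful logon) with logon type 10 (remote interactive), flags any source that accumulates a threshold of failures within a short window, and records whether that source later logged on successfully. The event tuples, the threshold of five failures and the two-minute window are assumptions for the example.

```python
"""Flag password guessing against remote access services from logon records.

Added example (not from the DHS/USSS bulletin or the article). Input records
are constructed and modelled loosely on Windows Security events 4625/4624;
a real check would read the exported event log instead.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, account, source_ip, logon_type).
# Logon type 10 is remote interactive (RDP); type 5 is a service logon.
SAMPLE_EVENTS = [
    ("2014-08-20T01:00:05", 4625, "pos", "198.51.100.9", 10),
    ("2014-08-20T01:00:07", 4625, "admin", "198.51.100.9", 10),
    ("2014-08-20T01:00:09", 4625, "pos", "198.51.100.9", 10),
    ("2014-08-20T01:00:12", 4625, "pos", "198.51.100.9", 10),
    ("2014-08-20T01:00:14", 4625, "admin", "198.51.100.9", 10),
    ("2014-08-20T01:00:16", 4625, "pos", "198.51.100.9", 10),
    ("2014-08-20T01:00:30", 4624, "pos", "198.51.100.9", 10),
    ("2014-08-20T09:15:00", 4625, "jsmith", "203.0.113.5", 10),  # one typo, then success
    ("2014-08-20T09:15:20", 4624, "jsmith", "203.0.113.5", 10),
    ("2014-08-20T12:00:00", 4625, "svc", "10.10.5.3", 5),        # not remote, ignored
]

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
REMOTE_INTERACTIVE = 10


def detect_password_guessing(events, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: {"failures": n, "accounts": [...], "succeeded_as": account|None}}
    for sources with at least `threshold` failed remote logons inside `window`.
    `succeeded_as` is set when a flagged source later logs on successfully."""
    failure_times = defaultdict(list)   # source_ip -> timestamps of failures
    accounts_tried = defaultdict(set)   # source_ip -> accounts attempted
    flagged = {}

    # ISO-8601 timestamps sort correctly as strings.
    for ts_text, event_id, account, src, logon_type in sorted(events, key=lambda e: e[0]):
        if logon_type != REMOTE_INTERACTIVE:
            continue
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%S")
        if event_id == FAILED_LOGON:
            failure_times[src].append(ts)
            accounts_tried[src].add(account)
            in_window = [t for t in failure_times[src] if ts - t <= window]
            if len(in_window) >= threshold and src not in flagged:
                flagged[src] = {"succeeded_as": None}
        elif event_id == SUCCESSFUL_LOGON and src in flagged:
            # A success after a guessing burst is the event worth paging on.
            flagged[src]["succeeded_as"] = account

    for src, entry in flagged.items():
        entry["failures"] = len(failure_times[src])
        entry["accounts"] = sorted(accounts_tried[src])
    return flagged


if __name__ == "__main__":
    for src, entry in detect_password_guessing(SAMPLE_EVENTS).items():
        status = f"then logged on as {entry['succeeded_as']}" if entry["succeeded_as"] else "no success seen"
        print(f"{src}: {entry['failures']} failed remote logons against {entry['accounts']}, {status}")
```

On the sample this flags 198.51.100.9 (six failures against "pos" and "admin" inside a minute, then a successful logon as "pos") and ignores the single mistyped password from 203.0.113.5 and the local service logon. Two caveats a practitioner would add: many stores share one NAT address, so per-source counting can lump legitimate users together, and a remote-access gateway that fronts many POS hosts needs its own logs read the same way. The bulletin's other advice, changing default and staff passwords, is what makes this burst fail rather than succeed.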
The PCI bulletin appears to have been sparked by news that the malware is much more widespread than had been previously assumed, said James Huguelet, an independent PCI security consultant.
All of the steps outlined in the PCI council bulletin are standard measures, Huguelet said. "But sometimes it takes a wake-up call such as this to remind everyone in the payment-processing chain of how important they really are."
What's interesting about the PCI council bulletin is the specific mention of end-to-end encryption of payment card data, Huguelet said.
"Mandating [end-to-end] encryption would completely eliminate the threat posed by Backoff within the payment processing chain," but so far the council has not taken that step, he said.
Gartner analyst Avivah Litan said the bulletin will likely make little difference.
"The damage has already been done and PCI compliance processes did not stop this attack," she said. "There's no new rules or mandates here -- they are just trying to show that they are relevant and that they already have rules to prevent such attacks."
Just requiring retailers to become PCI compliant is not enough to mitigate risk in the payment system, Litan added. "The PCI Council and the card brands, banks, payment processors need to make the payment system more secure and stop putting all the responsibility on the retailers to patch an inherently flawed system."