PCI Council urges retailers to protect against malware

Wakefield, Mass. – In light of the recent announcement of the “Backoff” malware threatening the POS security of retailers, the PCI Council strongly encourages companies as a matter of urgency to consider the following recommendations:

1. Contact your provider of antivirus solutions and ensure you have the most recent and up to date version of antivirus software that will detect “Backoff” and other similar malware.

2. Run this solution immediately.

3.  Review all system logs for any strange or unexplained activity, especially large data files being sent to unknown locations.

4. Require all default and staff passwords on systems and applications to be updated. Provide good guidance on choosing a secure password (see PCI Data Security Standard Requirements 2,8).
Should systems be found to be infected or unusual activity suspected, companies should contact their acquiring bank immediately.

Regarding malware specifically, the PCI Council recommends that organizations should review the following security risk mitigating control areas outlined in PCI Data Security Standard (PCI DSS) 3.0:

• Proper firewall configuration — Requirement 1

• Changing vendor defaults and passwords on devices and systems — Requirement 2

• Regularly updating anti-virus protections — Requirement 5

• Patching systems — Requirement 6

• Limiting access and privileges to systems — Requirements 7,9

• Requiring 2-factor authentication and complex passwords — Requirement 8

• Inspection of POS devices — Requirement 9

• Monitoring systems to allow for quick detection — Requirements 10, 11

• Implementing sound security policies for preventing intrusions that may allow malware to be injected — Requirement 12

• Managing third-party access to devices and systems, and specifically remote access from outside a merchant’s network — Requirements 8, 12
PCI standards provide layers of defense to ensure businesses can prevent, defend and detect attacks on their systems. The PCI Council advises that daily coordinated focus on maintaining these controls, making payment card security a business as usual practice — provides a strong defense against data compromise.