Forgotten Apps Pose PCI Danger, Visa List Shows

Tucked away in forgotten corners of your network sits a wide range of old, forlorn applications. Beyond collecting electronic cobwebs, these apps potentially pose one of the most serious threats to your data security.

Visa routinely compiles a list of applications that, it believes, store sensitive authentication data after a payment has been authorized. Many app versions on this "Bad Apps" list are outdated and no longer being sold. But that doesn't mean they are not lying around in hidden corners of quite a few major—and some not-so-major—retail chains.

Perhaps it's an app that was inherited through an acquisition. Maybe it was used for a trial that was aborted. But when someone resurrected that trial, the company simply continued to use the now out-of-date version it initially ran on. Maybe a smaller chain used the app and never bothered to update it.

No matter the reason, this list serves as an effective heads-up for retailers so they can look for these old app versions. The latest edition of the list—dated June 2—details applications from 31 software vendors, including some of the largest in retail: IBM, Micros, NCR, Radiant and VeriFone, among others. In many cases, these are older versions of applications that are indeed certified compliant with PA-DSS (PCI Payment Application Data Security Standard, which replaces the old Visa Payment Application Best Practices, known as PABP). However, a decent minority of the apps—especially those from outside the U.S.—do not have any PCI-compliant versions.

(See the full list of apps that Visa sees as retaining prohibited data.)

Even for those apps that have newer compliant versions, the status of the older versions is vague. After all, the PCI Council also has a "Good Apps" list of approved applications. If the council says a vendor's versions 5.8 and more recent are compliant, it might mean that only those versions were tested. This view suggests that the earlier versions may or may not be safe. The Bad Apps document goes further, however, and strongly implies that the application does indeed retain such prohibited data.

Retailers could theoretically just take the safe route and only use application versions that are listed on the public compliant list, which is what PCI Columnist Walt Conway advocates.

The Bad Apps list is not one that Visa wants to be too easy to get. Indeed, the brand would rather the list only be available through its acquirers. Visa stamps these updates to acquirers "this list is not to be published publicly" and "when sharing this list, acquirers must not publish the list to a Web site or to a place where the list may be made publicly available." The list is not directly shared with retailers (at least not by Visa), but acquirers are permitted to share the information with retailers. Why not share the full list with retailers so they have the best information? The security argument falls flat, because it's not a list of merchants at which the old apps are still used. Surely, the benefit to the community's security is advanced more by making it easier for retailers to rid their systems of these troublesome relics.

Apps on the list don't necessarily consistently retain prohibited data. Here's the exact wording from the document: "product version that may retain sensitive authentication data." However, one person who works with Visa said the list includes either apps known to retain prohibited data or apps that were involved in a data breach.

Yes, there is a slight risk of cyberthieves searching for the riskier versions in retail systems. It's not much of a concern, however, because of the effort-to-benefit ratio. But if that's a real security issue, then Visa's publishing an approved list that says "version 5.2 and above is compliant" pretty much telegraphs to the bad guys what they need to seek. In short, it's a problem regardless of whether the Bad Apps list is disclosed.

The list is also not necessarily 100 percent accurate. One app on the list, for example, is osCommerce 2.1. It seems to be the only open-source application on the list, and it is also the only item on the list that mentions neither a patch nor a certified version. But the list gives January 2008 as the date the product was either published or updated, even though 2.1 was replaced by 2.2 seven years ago (back in 2003), according to Kym Romanets. Romanets is the CEO of OzeWorks, the company that has commercialized the open-source osCommerce. (See Frank Hayes' column, Why Open Source Drives PCI Nuts.)

Beyond the date, Romanets said she disagrees that even the older version of the app retains prohibited data, although she added that one part of the program might have confused Visa into thinking it did.

"The only area that Visa might have issue with was the provision of a demonstration payment module, which did store credit card details in the database and was not PCI compliant because it was not meant to be," Romanets said. "It was for demonstration purposes and clearly marked 'Not For Production Use.' osCommerce has removed this module and it is not available in the current MS2.2 RC2a download."

Given the existence of patches for many of these versions, the discovery of a version number on the Bad Apps list doesn't necessarily mean it's a problem. But upgrading or replacing that version is probably not a bad idea. After all, it can be hard to quickly determine whether a patch has indeed been applied. It seems simpler to just upgrade the whole app.

Here is Visa's Bad Apps Version list, as of June 2, 2010:

  • ACI Worldwide. OpeN/2. All versions prior to V6.2.
  • Affiliated Computer Services. WebPRCS. All versions prior to V7.0.
    Omnimatic V3.1, 2.1.
    PRCS-TIM. All versions prior to V4.0.
    PRCS-PC. All versions prior to 6.1.
  • AutoGas. AutoGas Regal. All versions prior to Streamline 2 V4.10.
  • CAM Commerce Solutions. Profit$. All versions prior to V3.5 release 9.
  • Comdata. Trendar. All versions prior to V617.
  • Emporos Systems. MerchantSoft POS V7.0.0.3c.
  • Elavon, formerly Southern DataComm. ProtoBase Client Suite for Windows with SofTrans. All versions where NetSend V2.0.0.49 and lower were implemented.
    ConnectUp. All versions.
    PopsOn. All versions.
    ProtoBase V4.80.xx.
    ProtoBase V4.7x.xx.
    PBAdmin V4.01.xx.
    PBAdmin V5.00.xx.
  • Excentus. Reward Fuel Controller. All versions prior to V3.0.
  • First Data, formerly ICVERIFY. ICVERIFY for Windows V2.x.
  • Focus POS Systems. Focus POS. All versions prior to V6.11.23.
  • Gilbarco Veeder-Root. Passport. All versions prior to V6.00.xx.
    G-SITE ADS G-SITE ADS--Chicago. All versions prior to V22.1.0.3.
    G-SITE Concord/Buypass. All versions prior to V6.4.03.
    G-SITE Exxon Mobil. All versions prior to and including V4.8.38.
  • Gilbarco Veeder-Root, formerly Gasboy International. CFN III PLUS (NBS, Paymentech, Buypass) V3.5.
  • HighTech Payment Systems. PowerCARD-Switch V1.0-2.0.
  • HotSauce Technologies. HotSauce Restaurant Management Solutions (RMS). All versions prior to V5.9.6.1.
    EVS V1.
  • IBM. ACE Electronic Payment Support (EPS) V6. All levels prior to S106.
    ACE Electronic Payment Support (EPS) V5. All levels prior to P150.
    ACE Electronic Payment Support (EPS) V4. All levels prior to N166.
    ACE Electronic Payment Support (EPS) V3. All levels prior to M207.
    StorePay. All versions prior to V5.0.
  • Integrated Business Systems. Club Management System V6.42.0.0.
  • ISD. Message Sentry V1 for iSeries.
    Message Sentry V1 for Unix.
    Message Sentry V1 for Mainframe.
    Payment Switch Framework Authorization & Settlement Suite V1.0.
  • MenuSoft. Digital Dining. All versions using a DDServ.dll file prior to V7.3.0350.
  • Micros. 8700 HMS V2.70 through V2.70.14*.
    8700 HMS V2.50 through V2.50.20*.
    8700 HMS V2.11.0 through V2.11.9*.
    8700 HMS V1.00 through V2.10.
    9700 HMS. All versions prior to V2.50.
    Opera Enterprise Solution V5.0.
    Opera Enterprise Solution V4.0.1.
    Opera Enterprise Solution V4.04.02.
    Opera Enterprise Solution V3.6.1E03.
    RES V3.2.0*.
    RES V3.1.0*.
    RES V1 through V3.0.
  • Multi-Systems. WinPM V1.90.
    WinPM V1.80.
    WinPM V1.63.
    WinPM V1.62.
  • NCR. ScanMaster. All 2.1.xx.xx Versions prior to V2.01.00.30.
    ScanMaster. All 2.0.xx.xx Versions prior to V2.00.03.12.
    ScanMaster. All 1.2.xx.xx versions prior to V1.2.3.26.
    ScanMaster V1.1.6.xx.
  • osCommerce. osCommerce V2.1.
  • Posera. Maitre'D. All later versions prior to V2005 Service Pack 3.
    Maitre'D. All versions prior to V2003 Service Pack 11.
    Maitre'D. All versions of V2002.
  • Postilion (S1 Corp.). Realtime Framework. All versions prior to V4.2 Service Pack 3.
  • Radiant Systems. Aloha Suite. All versions prior to V5.3.15.
    RPOS (Petroleum and Convenience Stores). All versions where sites accept debit card transactions at the Island Card Reader higher than and including V5.3 and V6.6.
  • Retail Pro International. Retail Pro V9.00.xx.xx through V9.14.xx.xx.
    Retail Pro. All versions prior to and including V8.52.xx.xx.
  • SpeedLine Solutions. SpeedLine POS. All versions prior to and including V4.3.
  • TAM Retail, a division of Lode Data Systems. The Assistant Manager. All versions prior to V9.0.
  • TSYS Acquiring Solutions. POS PARTNER. All versions.
  • VeriFone. Ruby PTIPAK (Chase Paymentech). All versions prior to V4.00--Base 161 PABP.
    Ruby, Topaz Buypack (First Data) V4.01.xx.
    Ruby, Topaz Buypack (First Data) V2.10.xx.
    Ruby, Topaz Buypack (First Data) V2.09.xx.
    Ruby, Topaz Buypack (First Data) V2.08.xx.
    Ruby, Topaz (Store & Forward Fleet and Debit) Buypack (First Data) V4.07.xx.
    Ruby, Topaz (Store & Forward Fleet and Debit) Buypack (First Data) V4.06.xx.
  • Xpient Solutions. IRIS V3.7.6 through V3.7.14.
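The list above is only useful to a retailer who can compare it against what is actually installed. As an added example, not code from the article or from Visa, here is a small Python inventory checker that encodes a handful of the entries with their "prior to", "prior to and including", "through" and ".xx" wildcard wording and flags matching versions in a constructed inventory; it assumes vendor and product strings match the list exactly, and a hit means "check the patch level or upgrade", not proof that the install retains data.

```python
import re
from typing import Callable, List, Tuple

Version = Tuple[int, ...]
Rule = Callable[[Version], bool]

def parse_version(text: str) -> Version:
    """'V6.11.23' -> (6, 11, 23); leading zeros ('V4.01') are not distinguished."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def prior_to(limit: str) -> Rule:            # "All versions prior to V6.2"
    lim = parse_version(limit)
    return lambda v: v < lim

def prior_to_incl(limit: str) -> Rule:       # "prior to and including V8.52.xx.xx"
    lim = parse_version(limit)
    return lambda v: v[:len(lim)] <= lim     # prefix compare so 8.52.01 still matches

def through(low: str, high: str) -> Rule:    # "V2.70 through V2.70.14"
    lo, hi = parse_version(low), parse_version(high)
    return lambda v: lo <= v and v[:len(hi)] <= hi

def exact(pattern: str) -> Rule:             # "V4.01.xx": match the fixed segments
    fixed = parse_version(pattern.split("xx")[0])
    return lambda v: v[:len(fixed)] == fixed

# Constructed subset of the June 2, 2010 list, re-encoded as (vendor, product, rule).
BAD_APPS: List[Tuple[str, str, Rule]] = [
    ("ACI Worldwide", "OpeN/2", prior_to("V6.2")),
    ("Micros", "8700 HMS", through("V2.70", "V2.70.14")),
    ("Retail Pro International", "Retail Pro", prior_to_incl("V8.52.xx.xx")),
    ("VeriFone", "Ruby, Topaz Buypack (First Data)", exact("V4.01.xx")),
]

def check_inventory(inventory: List[Tuple[str, str, str]]) -> List[str]:
    hits = []  # 'vendor product version' for every inventory row a rule matches
    for vendor, product, version in inventory:
        for rv, rp, rule in BAD_APPS:
            if (vendor, product) == (rv, rp) and rule(parse_version(version)):
                hits.append(f"{vendor} {product} {version}")
    return hits

# Constructed sample inventory (hypothetical store systems, not real data).
SAMPLE_INVENTORY = [
    ("ACI Worldwide", "OpeN/2", "V6.1"),            # prior to 6.2 -> flag
    ("ACI Worldwide", "OpeN/2", "V6.2"),            # at the limit -> clear
    ("Micros", "8700 HMS", "V2.70.9"),              # inside 2.70..2.70.14 -> flag
    ("Retail Pro International", "Retail Pro", "V8.52.01.03"),     # included -> flag
    ("VeriFone", "Ruby, Topaz Buypack (First Data)", "V4.01.07"),  # wildcard -> flag
]
```

Run `check_inventory(SAMPLE_INVENTORY)` to get the flagged rows; anything it returns still needs a manual look at whether the vendor's patch was applied, as the article notes.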