Malware: The best defense is a good offense

By Stephen W. Orfei, General Manager, PCI Security Standards Council


Malware has been the culprit behind many high-profile retail breaches over the last year. Media stories have incorrectly blamed vulnerabilities in point-of-sale (POS) devices. The real security holes have been on back-office PCs attached to payment systems. These devices were susceptible to malware insertion due to out-of-date software, infrequent patching, and reliance on anti-virus programs with out-of-date signature files.

Do you recognize the signs? The good news is that these breaches are preventable.

Cyber criminals love preying on weak targets like these. It's like grabbing low-hanging fruit on a ripe tree. While the malware might be customized to a specific target, the attack methodologies and exploits are not sophisticated. By using layered security controls and exercising continuous vigilance, retail organizations can button up their payment systems against hack and attack.

The cost of subpar security is high. It's not just the obvious direct losses related to the fraudulent charges. Businesses can also lose customer trust, incur damage to brand image, and lose sales. The Council urges organizations to make cardholder data security a priority – and move the focus on compliance beyond a point-in-time event to a continuous "business as usual" effort.

To help educate organizations about malware, the Council has created an infographic of best practices to repel malware intrusions based on PCI Standards. These include:

  • Use the latest anti-virus software and keep patches up to date
  • Review system logs manually or use an automatic tool to check for suspicious activity
  • Update all default and staff passwords with secure passwords
  • Talk with POS device vendors and IT partners to understand the options for minimizing risk to data using encryption; consider implementing a PCI-approved device that supports the secure reading and exchange (SRED) of data, and a PCI-approved point-to-point encryption (P2PE) solution
  • Confirm that all third-party vendors are properly implementing and maintaining the security controls outlined in the PCI Data Security Standard

As General Manager, Stephen Orfei leads the PCI Security Standards Council in its mission to increase payment data security globally through the development and delivery of standards, solutions and services for merchants, banks and other key stakeholders involved in the global payment card transaction process.