Visa USA Presentation Template and User Guide
Contents
1. Payment Processing Threats Impacting Grocery Store Merchants
April 2013

Disclaimer
The information or recommendations contained herein are provided "AS IS" and intended for informational purposes only and should not be relied upon for operational, marketing, legal, technical, tax, financial or other advice. When implementing any new strategy or practice, you should consult with your legal counsel to determine what laws and regulations may apply to your specific circumstances. The actual costs, savings and benefits of any recommendations or programs may vary based upon your specific business needs and program requirements. By their nature, recommendations are not guarantees of future performance or results and are subject to risks, uncertainties and assumptions that are difficult to predict or quantify. Assumptions were made by us in light of our experience and our perceptions of historical trends, current conditions and expected future developments, and other factors that we believe are appropriate under the circumstance. Recommendations are subject to risks and uncertainties, which may cause actual and future results and trends to differ materially from the assumptions or recommendations. Visa is not responsible for your use of the information contained herein (including errors, omissions, inaccuracy or non-timeliness of any kind) or any assumptions or conclusions you might draw from its use. Visa makes no warranty, express or implied, an
2. Entry Device (PED) Tampering Cases
• Number of PED tampering cases increasing
• Criminals target merchants with certain PED models
• Attacks on older vulnerable PEDs and newer PED models
• Wireless models becoming a target
• Small and large merchants, often multiple stores targeted
• Swap out PEDs with altered PEDs
• Attacks are more sophisticated & technically advanced
• Recent attacks involved VeriFone Everest and Ingenico i8070 PED models
• However, new PED models are being targeted
• Evidence of technology being exported globally

PED tampering usually involves:
• A second mag stripe reader or keypad membrane connection to existing reader
• Bluetooth device
• Additional circuit board(s)
• Flash memory chip or drive

Preventive Measures for PED Tampering
• Replace vulnerable PEDs as quickly as possible
• Train staff to regularly inspect PEDs visually to identify anything abnormal, such as:
  - Missing or altered seals or screws
  - Extraneous wiring, holes in the device or the addition of labels
  - Overlay material used to mask damage from tampering
• Ensure PEDs are physically secured (locked down) to counters
• Review Visa's Terminal Usage Best Practices

Point of Sale Terminal Tampering Is a Crime and You Can Stop It
Increasingly, criminals with sophisticated tools are actively targeting vulnerable merchant point-of-sale (POS) terminals t
3. Identified Security Deficiencies
Vulnerability (Applicable Requirement)

Network Security
• Default or no firewall/router rules (Requirement 1)
• No DMZ (Requirement 1)
• Insecure remote access, no 2-factor authentication (Requirement 8)

Host-based Security
• Insecure operating systems and databases (Requirement 6)
• No patching (Requirement 6)
• No or outdated anti-virus signatures (Requirement 5)
• No password management or access control lists (ACL) (Requirement 7)
• Use of default or shared usernames and passwords (Requirement 2)
• No system logging (Requirement 10)
• No file integrity monitoring (Requirement 10)

Application Security
• SQL injection, other web-based exploits (Requirement 6)
• No secure coding, independent code review or penetration testing process in place (Requirement 6)

Incident Response
• No incident response plan (Requirement 12)

General
• No monitoring of systems: logs, access control, etc. (Requirement 10)

Lack of network segmentation has contributed to multiple location breaches.
Source: Data breach forensic reports
Visa Public

Intruder Footprints
• Malicious software
  - Memory parser malware that hooks on POS binaries
  - FIM with no password
  - Intruder whitelisted malware executable to prevent detection
• Malware propagation
  - Used existing script to deploy malware at individual locations
  - Auto login enabled
  - Credentials stored in the clear text on Windows registry
• Anti-forensic employed
  - Logs deleted
  - Enc
4. involvement in cardholder data breach
Dates and/or timeline may change. Merchants previously involved in a breach may qualify if they have completed subsequent PCI DSS validation.

Managing Liability
Liability shift rewards the entity making the investment in EMV. It is not a mandate to issue or accept chip cards.

[Roadmap graphic: Guide and Enforce Security Standards; Technology Innovation Program (TIP); Acquirer Chip Processing; POS Liability Shift; ATM & AFD Liability Shift]

Visa intends to establish a U.S. liability shift for domestic and cross-border counterfeit POS transactions.
• If a card is contact chip capable and the merchant has not invested in chip, liability for counterfeit fraud will shift to the Acquirer
• The chip card's counterfeit fraud protection plus the liability shift encourage issuer chip adoption by providing dynamic authentication that helps better protect all parties

[Table: Product Type (Contact Chip or Dual Interface; Magstripe Only); Liability shifts from Issuer to Acquirer]

The liability shift does not cover:
• Cards without a contact chip
• Card-not-present transactions
• Lost and stolen fraud

Note: When a chip-on-chip transaction occurs, in the unlikely event there is counterfeit fraud, liability follows current Visa International Operating Regulations.
Dates and/or timelines may change.

What To Do If Compromised VIS
5. 376A650224AA43DFA
N/A | Binary payload for apocalipto backdoor | 49 664 | 9A460FA6F9F56415E3BA23667718039D
MSTDC.BAK | Apocalipto backdoor | 106 496 | 67ED156E118B9AA65ED414A79633A3D4
N/A | Binary payload for apocalipto backdoor | 49 152 | 751363A08365925B7C7A4ED8755B090D
rtcli.dll | Downloader and Internet Explorer information stealer | 118 272 | 4BD819D9E75E4E8ECF1A9599F44AF12A
mstsk.exe | DNS-based backdoor | 45 568 | 43D77242910BABE51CB12C25371CC5AC

Attack Prevention Overview
• Network Security
• POS Security
• Administrator Accounts
• Incident Response

Network Security
• Apply a defense-in-depth approach to protect the most critical resources on your network, including POS systems
• Limit access to only network ports and services that are necessary to perform desired business functions
• Segregate the payment processing network from other non-payment processing networks
• Users with administrative access should use two-factor authentication when accessing the payment processing networks
• Apply access controls on the router configuration to limit unauthorized traffic to the payment processing networks
• Implement strict inbound and outbound filtering on the firewall rule sets

POS Security
• Implement P2P PEDs
• EMV capability
• Secure Reading and Exchange of Data (SRED)
• Hardware-based encryption
• Install PA-DSS compliant payment applications
• Deploy the latest version of operating system and en
6. • Take compromised system off the network
• If you must rebuild system, take a forensic image prior to rebuild
• Review firewall configuration and disable any unnecessary inbound and outbound traffic
• Pare down ACLs, ports and services between PCI and non-PCI environment
• Create strict ACLs segmenting public-facing systems and backend database systems that house payment data (e.g., DMZ)
• Change all passwords on the network, including applications and local accounts
• Review all access to the payment processing environment and terminate connectivity

What To Do If Compromised
• Notify your acquiring bank
• Engage a PCI Forensic Investigator (PFI): https://www.pcisecuritystandards.org/approved_companies_providers/pci_forensic_investigator.php
• For more information, please refer to Visa's What To Do If Compromised, available at www.visa.com/cisp under the "If Compromised" section
• You can also contact Visa Fraud Control and Investigations at usfraudcontrol@visa.com or (650) 432-2978, option 4

Questions
7. Processing
• Promote adoption of dual interface chip terminals
• Counterfeit fraud liability shift applies to contact only and dual interface
• Global
Dates and/or timelines may change. Visa Europe announced a corresponding program.

Encouraging Terminal Adoption
Building processing infrastructure for chip and mobile acceptance

[Roadmap graphic: Guide and Enforce Security Standards; Technology Innovation Program (TIP); Acquirer Chip Processing; POS Liability Shift; ATM Liability Shift]

Acquirer Chip Processing
• Mandate for U.S. acquirer processors and sub-processor service providers to support chip processing effective April 1, 2013
• Acquirers must certify the ability to comply
• Visa will require support of Field 55 and additional related chip fields for VIP authorization messages between the acquirer and Visa
• Acquirers should also ensure downstream connections certify to their own platforms prior to the deadline

Technology Innovation Program (TIP)
• TIP recognizes and incents merchant chip investments while maintaining expectation for merchants to protect cardholder data
• Participation results in cost savings by waiving the annual PCI DSS validation exercise
• Eligible merchants must meet all of the minimum qualification criteria:
  - PCI DSS compliance or remediation plan
  - No storage of prohibited data
  - At least 75 percent of merchant's transactions must originate from dual interface chip terminals and can process end-to-end chip transactions
  - No
8. d explicitly disclaims the warranties of merchantability and fitness for a particular purpose, any warranty of non-infringement of any third party's intellectual property rights, any warranty that the information will meet the requirements of a client, or any warranty that the information is updated and will be error free. To the extent permitted by applicable law, Visa shall not be liable to a client or any third party for any damages under any theory of law, including, without limitation, any special, consequential, incidental or punitive damages, nor any damages for loss of business profits, business interruption, loss of business information, or other monetary loss, even if advised of the possibility of such damages.

Visa's Multi-Layered Strategy
Mitigating fraud through continuous leadership, coordination and investment
Maintaining and enhancing stakeholder trust in Visa as the most secure way to pay and be paid
• Protect vulnerable account data
• Execute risk strategies for emerging products and channels
• Partnership
• Minimize fraud in the payment system
• Monitor and manage events that occur

Agenda
• Common Security Deficiencies
• Intruder Footprints
• Attack Prevention
• PED Tampering Cases
• Preventive Measures for PED Tampering
• Authentication Roadmap
• What To Do If Compromised
• Questions

PCI DSS Requirements
Commonly
9. emory parser malware 97792 2 bfffa7d034a94b79d3e6fidda50084 mn32 exe Prefetch file indicating execution of the malicious code 179200 89a8844c1214e7 c97 7f026be675a92a R Visual basic script used by hacker to deploy malware onto 2772 40efe7632b01116eefaba438c9bcee34 POS systems sd32 exe Anti forensic utility to remove malware from POS systems 134000 9c3a1d3829c7a46d42d5a19fe05197f3 73728 cfee737692e65e0b2a358748a39e3bee TcpAdaptorService exe Memory parser malware 118784 85f94d85cfeff82fa1 8d55491e355d2b CMOS edessoe O2 Seen Gamer will Vey Cel uo ans Oo te 122880 4b9b36800db395d8a951331c4608e947 send track data to bad IP oposwin exe Memory parser malware 245760 3446cd1f4bee2890afc2e8b9e9eb 6a2 svcmon exe Memory parser malware 253952 Offf9 72080248406 103f2093b6892 134 Visa Public 9 Indicators of a Compromise IOC VISA File Size Purpose bytes nYmTXGSJhLLFfagQ bat Batch file used to whitelist malware executables on FIM 74 eae4718ea5a860cc372b5728e96af656 tocsvc exe Performs cryptographic operations 293583 1aa662d329cc7c51d2e91 76024fedees mssec exe Attempts outbound communication via port 443 135242 d7ed5e85ccb6c7 1a39b99a922831 3cc33 msproc exe Malicious unknown purpose 184128 2e567707730ed2c76b162a9 7dcf28c05 mpw exe Custom password dumping utility based on pwdump6 151552 03462BD6A6008205264995BDEFEB027C msrclr42 dll Part of mpw exe package 71824 4373855E29C40458552AB0463C3D4C4B mstdc exe Apocalipto backdoor 64 512 57703973FF74503
10. emove a PED and install a modified device in less than one minute.

Recommended Mitigation Strategies
All VeriFone Everest Plus users are encouraged to upgrade to systems that feature the most up-to-date security

Merchant Best Practices to Prevent Skimming
1. Implement a terminal authentication system to detect internal serial number or connectivity changes
2. Secure terminals/PEDs to counters to prevent removal, and secure cable connections
3. Inspect and secure PEDs within unattended self-checkout lanes
4. Use terminal asset tracking procedures for devices deployed, stored and shipped
5. Secure stored PEDs and validate inventory against asset records

Security Standards Council, Information Supplement: Skimming Prevention: Best Practices for Merchants
www pcisecuritystandards org documents skimming_prevention_ S pdf

Authentication Roadmap
U.S. EMV chip roadmap supports three primary opportunities:
1. Build framework for mobile payments and future innovation, leveraging EMV infrastructure for both contact and contactless payments
2. Support interoperability and improve authorization decisions as EMV adoption continues to grow worldwide
3. Reduce reliance on static data and incidence of counterfeit fraud

[Roadmap graphic, 2017 U.S.: Guide and Enforce Security Standards; Technology Innovation Program (TIP); Acquirer Chip; POS Liability Shift]
11. o steal payment card data and PINs for counterfeit fraud purposes. That's the bad news. The good news is that all acquirers, merchants and processors can take appropriate steps to eliminate POS terminal weaknesses and the possibility of POS tampering. Criminal gangs worldwide are illegally accessing active POS terminals and modifying them by inserting an undetectable
www.visa.com/cisp

Compromised PIN Entry Device List
• Review PEDs in use to identify any known vulnerable devices
• Visa Bulletin available on www.visa.com/cisp
• Take precautions to secure all PEDs in use or in storage

Visa Security Alert: Help Protect Cardholder Data From Attacks on PIN Entry Devices
To promote the security and integrity of the payment system, Visa is reminding clients, merchants and payment system participants of their responsibility to protect cardholder account and PIN data. Criminals trying to obtain cardholder account and PIN data at the point of sale (POS) frequently target PIN Entry Devices (PEDs) that are known to be vulnerable. Last year, Visa alerted clients that the VeriFone Everest Plus PED was used in tampering and skimming attacks. Evidence indicates that these devices were removed from the point of sale and replaced with modified devices designed to capture magnetic stripe card and PIN data, which was then transmitted to criminals wirelessly. Surveillance footage shows that the suspects were able to r
12. rypted output file using strong encryption

The Attack Flow
UNAUTHORIZED ACCESS
• Target of convenience
• VPN credentials: targeted company users or third party
ESCALATION & MODIFICATION
• Root-level access on corporate network
• Map out internal networks; target DCs, POS system and scripts
• Modification to FIM
PROPAGATION & CLEAN UP
• Using existing scripts and hard-coded password on POS, propagate malware to other store locations
• Install other tools to delete hacker activities
EXFILTRATION
• Malware-created files are encrypted and exfiltrated out of network
• Method of exfiltration: using existing ports (e.g., 443) with no filtering

Vulnerabilities
• No two-factor authentication on user access (VPN, remote access)
• Lack of segmentation from corporate to store locations
• Outbound firewall configuration allows connection to any IP on the Internet
  - Domain controllers targeted
• Excessive permissions
• Insecure POS systems (FIM with no password, auto login)
• No incident response in place to detect malicious activity sooner

Indicators of a Compromise (IOC)
File Size Purpose bytes rtcli dll Information stealer downloader 118272 4bd819d9e75e4e8ecf1 a9599f44afi 2a mstdc exe Backdoor 64512 57703973ff74503376a650224aa43dfa mstdc bak Backdoor 106496 67ed156e1 18b9aa65ed41 4a79633a3d4 msaudit dll M
13. sure it is up to date with security patches, anti-virus, FIM, HIDS
• Perform a binary or checksum comparison
• Disable unnecessary ports and services, null sessions, default users and guests
• Enable logging of events and make sure there is a process to monitor logs on a daily basis

POS Security (Continued)
• Implement least privileges and access control lists (ACLs) on users and applications on the system
• Implement a security policy that includes operating system security configuration. The policy should include the following:
  - Security installation guide
  - Password management guide to manage users on the system
  - Mechanism to ensure consistent security baseline on critical systems

Administrative Accounts
• Use two-factor authentication when accessing the payment processing networks
• Limit administrative privileges on applications
• Periodically review systems (local and domain controllers) for unknown and dormant users
• Apply same security on database users

Incident Response
• Deploy Security Information and Event Management (SIEM)
• Review logs and offload to a dedicated server (e.g., syslog) and in a secure location where hackers can't tamper with logs
• Invest in an incident response team
  - Knowledge
  - Training
  - Certification
• Test your incident response plan
• Implement IOC signatures on your solution

PIN