Is PCI Effectively Preventing Fraud?Experts: Grocer's Card Compromise Highlights PCI Gaps
The source of compromise: self-service checkout lanes. Like pay-at-the-pump gas terminals and ATMs, self-service payment terminals are easy targets for fraudsters.
Lachlan Gunn, who heads up the European ATM Security Team, says POS skimming in retail is a growing concern in Europe as well. "Skimming at unattended self-service terminals has been fairly widely reported at petrol stations, railway ticket machines and parking ticket machines," he says.
Fraudsters typically compromise card readers and PIN pads via two methods. One method uses a physical overlay that skims card details while a nearby camera captures PINs as they're entered on the PIN pad. The other method requires the attacker to replace the PIN pad with one that's been manipulated to record details or compromise the PIN pad by opening it and adding chips that record or wirelessly transmit details as their entered.
According to Save Mart's website, tampered card-readers at self-service checkout lanes in 19 Lucky Supermarkets locations and one Save Mart store were discovered during routine maintenance. When the tampering occurred and the type of device or method used to compromise the terminals was not explained. But Save Mart says it has replaced readers on all of the affected terminals and has added additional security to POS card readers in all of its 234 locations soon after the tampering was discovered.
McAfee consultant Robert Siciliano says most retailers fail to focus on real-world security threats, like skimming. "Merchants are spending their energy just barely being [PCI] compliant, but far too many aren't even that," he says.
PCI PTS: A Hollow Solution?
Andrew Jamieson, technical manager with Witham Laboratories, an independent provider of information security evaluations and consulting to organizations throughout Asia-Pacific, says PCI-DSS compliance can protect card readers, if they aren't swapped. And full compliance with version 3.1 of the PCI PIN Transaction Security requirements, passed in May 2010 by the PCI Security Standards Council, likely would have prevented the Save Mart compromise. "If the data is being transmitted in the clear out of the device, compromise can occur," he says.
If readers contain a secure-reading-and-exchange of data module, then card data is encrypted even after it leaves the POS.
Jeremy King, European regional director for the PCI Security Standards Council, says the PCI PTS standard encompasses unattended terminals, and security guidance for merchants is included in the standard. He also suggests retailers invest in emerging technology designed to thwart skimming attacks at self-service devices, like the ones compromised at Save Mart.
"There are anti-skimming devices now becoming available that can detect the presence of a skimming device, because a lot of the skimmers these days, they tend to transmit the data," even if they are installed inside terminals, hidden from view. [See An End to Pay-At-The-Pump Skimming?]
But other experts disagree.
Martin McKeay, a former PCI quality security assessor who now works on the security intelligence team at web-security provider Akamai, says PCI-DSS and PCI PTS do not address PIN pad security. "PTS might offer some protection against the attacks on Save Mart, but it is a companion compliance measure to PCI-DSS, not something that merchants are responsible for complying with," he says. "PTS covers the software and hardware of PIN pad devices and offers suggestions of how merchants should implement them, but the PCI-DSS has very little guidance or compliance guidelines that have to be followed and assessed at the merchant sites."
Transmissions from the PIN pad should be encrypted, and PTS requirements do support the encryption of data in motion. But as McKeay points out, the Save Mart breach appears to have resulted from a compromise of the PIN pads and card readers themselves, not the network. "If the PIN pad is compromised, no level of encryption at the network level is going to safeguard the credit card data," he says. "PTS would only offer limited defense against compromising the device directly."
Mike Urban, who oversees product management for Fiserv's Financial Crimes division, says PCI has prevented criminals from hacking into transaction environments. But fraudsters have gotten around this by capturing card data before it is secured at the terminal. "This is another reason for the U.S. to push forward on the migration to chip and PIN [or the Europay, MasterCard, Visa standard] technology," he says.