The Payment Card Industry Security Standards Council on Wednesday issued a bulletin urging retailers to immediately review their security controls to ensure point-of-sale systems are protected against "Backoff," a malware tool that was used in the massive data theft at retailer Target last year.
The bulletin instructed all covered entities to update their antivirus suites and to change default and staff passwords controlling access to key payment systems and applications.
The council, which is responsible for administering the PCI security standard, also urged merchants to inspect system logs for strange or unexplained activity, especially those involving transfers of large data sets to unknown locations.
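The log review the council recommends can be scripted rather than done by eye. The following is an added example, not code from the PCI Council or from this article, that sums outbound bytes per source host and destination in constructed firewall egress log lines and flags destinations that are not on an allowlist of expected endpoints and that received more than a chosen volume. The log format, the allowlist, the host names and the threshold are all assumptions made for the example.

```python
"""Flag large outbound transfers to unexpected destinations in egress logs.

Added example, not part of the PCI bulletin or the article. The log format,
the allowlist and the threshold below are constructed assumptions.
"""
from collections import defaultdict

# Constructed sample lines: "<timestamp> src=<host> dst=<ip> bytes_out=<n>"
SAMPLE_LOG = """\
2014-08-20T02:11:04 src=pos-register-07 dst=10.0.5.20 bytes_out=18244
2014-08-20T02:12:31 src=pos-register-07 dst=10.0.5.20 bytes_out=20911
2014-08-20T02:15:09 src=pos-register-07 dst=203.0.113.45 bytes_out=73400000
2014-08-20T02:16:42 src=pos-register-07 dst=203.0.113.45 bytes_out=51200000
2014-08-20T02:20:17 src=backoffice-01 dst=10.0.5.20 bytes_out=4400
2014-08-20T02:25:55 src=backoffice-01 dst=198.51.100.9 bytes_out=900000
"""

# Constructed allowlist: destinations a store network is expected to talk to
# (for example the payment gateway). Anything else counts as "unknown".
KNOWN_DESTINATIONS = {"10.0.5.20"}

# Constructed threshold: more than 50 MiB to one unknown destination is worth a look.
BYTES_THRESHOLD = 50 * 1024 * 1024


def parse_line(line):
    """Parse one log line into (src, dst, bytes_out); return None if malformed."""
    fields = dict(part.split("=", 1) for part in line.split()[1:] if "=" in part)
    try:
        return fields["src"], fields["dst"], int(fields["bytes_out"])
    except (KeyError, ValueError):
        return None


def aggregate_egress(log_text):
    """Sum bytes_out per (src, dst) pair across the whole log."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip blank or malformed lines rather than abort the review
        src, dst, n = parsed
        totals[(src, dst)] += n
    return dict(totals)


def flag_suspicious(log_text, known=KNOWN_DESTINATIONS, threshold=BYTES_THRESHOLD):
    """Return [(src, dst, total_bytes)] for unknown destinations over the threshold."""
    flagged = []
    for (src, dst), total in sorted(aggregate_egress(log_text).items()):
        if dst not in known and total > threshold:
            flagged.append((src, dst, total))
    return flagged


if __name__ == "__main__":
    for src, dst, total in flag_suspicious(SAMPLE_LOG):
        print(f"{src} sent {total / 2**20:.1f} MiB to unknown destination {dst}")
```

Aggregating per source and destination, rather than alerting on single lines, is what catches a transfer that was split into many modest connections; in practice the allowlist would come from the store's real network inventory and the threshold from a baseline of normal daily egress.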
"The PCI Council additionally recommends that merchants consider implementing PCI-approved point-of-interaction (POI) devices," for encrypting credit and debit card data as the card is swiped or dipped into a payment terminal. Merchants should also consider deploying point-to-point encryption technologies to ensure that card data remains protected until received by a secure decryption facility, the advisory noted.
Companies that have been compromised by Backoff should notify their banks immediately, the council stated.
The bulletin reflects the growing concerns within the payment industry over Backoff, a malware tool used by malicious hackers to steal payment card data from point-of-sale systems.
The malware was released last October but remained undetected by antivirus tools until this month.
The U.S. Department of Homeland Security and the U.S. Secret Service believe that Backoff has already infected POS systems at more than 1,000 small, medium and large businesses, including Target and Neiman Marcus. More than 40 million payment cards were compromised in the Target breach alone, while the Neiman Marcus compromise exposed data on some 1.1 million cards.
In a bulletin issued last week, the DHS and Secret Service said they had responded to "numerous incidents" over the past year involving Backoff. So far, seven vendors of point-of-sale systems have confirmed that multiple clients were affected by the malware, the bulletin said.
Last week's bulletin was a follow-up to one released by the DHS and Secret Service in July warning businesses about Backoff's use in targeted attacks against U.S. retailers. That bulletin warned of attackers exploiting commonly used enterprise remote access tools to break into retail point-of-sale (POS) systems and plant the Backoff malware.
The PCI bulletin appears to have been sparked by news that the malware is much more widespread than had been previously assumed, said James Huguelet, an independent PCI security consultant.
All of the steps outlined in the PCI council bulletin are standard measures, Huguelet said. "But sometimes it takes a wake-up call such as this to remind everyone in the payment-processing chain of how important they really are."
What's interesting about the bulletin is the council's specific mention of end-to-end encryption of payment card data, Huguelet said.
"Mandating [end-to-end] encryption would completely eliminate the threat posed by Backoff within the payment processing chain," but so far the council has not taken that step, he said.