[ISN] Ram Scraper Malware: Why PCI DSS Can’t Fix Retail

http://www.darkreading.com/attacks-breaches/ram-scraper-malware-why-pci-dss-cant-fix-retail/a/d-id/1297501 By Brian Riley Dark Reading 7/23/2014 There is a gaping hole in the pre-eminent industry security standard aimed at protecting customers, credit card and personal data Target, Neiman Marcus, Michael’s, and possibly P.F. Chang’s all have one thing in common: They are recent victims of a type of malware called a RAM scraper that infects point of sale (POS) terminals. These data breaches occurred despite some, if not all, of these merchants complying with industry security standards. In Target’s case, government analysts estimate the total financial impact could reach as high as $12.2 billion. And the fallout continues. Target’s CEO Gregg Steinhafel set a new precedent, marking the first time that the head of a major corporation resigned due to a data breach. Merchants clearly must go beyond merely complying with industry security standards to reduce their risk, especially in relation to POS terminal malware. Why PCI DSS does not apply As you undoubtedly know, point of sale (POS) terminals are computers with card readers. Most computers have permanent storage, such as hard drives or flash memory, and temporary storage, such as random access memory (RAM). The security standard that dictates how payment card data is protected is called the Payment Card Industry Data Security Standard (PCI DSS). It requires merchants to encrypt credit card data residing on permanent storage or traversing its publicly accessible networks, but not while being processed in RAM. […]