Data scraping is software. As such it takes time to execute
and that activity should be recognizable in a known processing environment. If
retail payment system software does not check the validity of each interrupt
vector periodically, then the risk for interception of payer data increases. If
retail payment system software does not periodically examine software present
in memory, then the risk for interception of payer data increases. If retail
payment system software does not check that the movement of payment data occurs
within a reasonable time, then the risk for interception of payer data increases.
Checks required for payment
operating systems in a retail environment need periodic examination to
determine their effectiveness against current attacks. Anti-virus software works
against known viruses and that is sufficient for processing of non-payment
data. Processing payment data requires more control at the machine level.
Ideally payment data moves within a limited processing area, configured
precisely for the specific operational environment. There are no open ports other
than those used for movement of payment data, no applications for humans other
than monitors, and no ability to access program or memory space in use by
another application.
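
An added example (not from the original post): a baseline audit covering three of the checks above, namely open ports, software in memory (approximated here by the process list), and payment-data timing. The allowlists, stage names, time limits and sample data are all assumptions constructed for illustration.

```python
# Added example: baseline audit of a dedicated payment host. All names, ports,
# time limits and sample data below are constructed assumptions.
ALLOWED_PORTS = {8443}                                # payment-data channel only
ALLOWED_PROCESSES = {"pos-payment", "pos-monitor"}    # nothing else should be running
MAX_STAGE_MS = {"read_card": 300, "encrypt": 50, "send": 1500}

def listening_ports(ss_output):
    """Extract local ports from `ss -ltn` style lines (LISTEN state only)."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports

def audit(ss_output, processes, stage_ms):
    """Return findings; an empty list means the host matches its baseline."""
    findings = []
    for port in sorted(listening_ports(ss_output) - ALLOWED_PORTS):
        findings.append(f"unexpected listening port {port}")
    for name in sorted(set(processes) - ALLOWED_PROCESSES):
        findings.append(f"unexpected process {name}")
    for stage, limit in MAX_STAGE_MS.items():
        took = stage_ms.get(stage)
        if took is None:
            findings.append(f"stage {stage} not observed")
        elif took > limit:
            # Extra time inside a stage means extra code ran on the payment path.
            findings.append(f"stage {stage} took {took} ms, limit {limit} ms")
    return findings

# Constructed samples: a clean host, then one that drifted from the baseline.
CLEAN_SS = ("State Recv-Q Send-Q Local Address:Port Peer Address:Port\n"
            "LISTEN 0 128 0.0.0.0:8443 0.0.0.0:*\n")
DRIFTED_SS = CLEAN_SS + "LISTEN 0 128 0.0.0.0:3389 0.0.0.0:*\n"
CLEAN = (CLEAN_SS, ["pos-payment", "pos-monitor"],
         {"read_card": 120, "encrypt": 8, "send": 640})
DRIFTED = (DRIFTED_SS, ["pos-payment", "pos-monitor", "unknown-helper"],
           {"read_card": 120, "encrypt": 410, "send": 640})

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("drifted", DRIFTED)):
        print(label, audit(*sample) or "matches baseline")
```
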
I think it is time the payment services industry defined
precisely the functions of retail payment operating systems for web and
traditional retailers. We may accomplish this in many ways, either by fiat from
the big payment networks or by including a host of industries to create an
international standard. However, leaving the security of payment data to the
whims of retail application developers is disastrous. It is time for a change.
Generic operating systems used to process financial data are simply too vulnerable to
attacks.