Chapter 5
Penetrating Security Free Zones
If you give to a thief he cannot steal from you, and then he is no longer a thief.
—William Saroyan
PCI security standards put the responsibility for implementing security controls on the payment processing industry—merchants, payment gateways and processors, and software vendors. An interesting trend is emerging, however, where instead of requiring payment system vendors (either hardware or software—in this case, there is no big difference from the merchant's viewpoint) to supply secure systems “out of the box,” the standards allow multiple vulnerabilities to be built into software and hardware by design. At the same time, merchants are required to implement security controls that compensate for the lack of security in their payment systems. The merchants hope that security comes from the software and hardware vendors, who are in turn relying on the merchants to secure their own store environments. The results: multiple security breaches. Examples of this scenario include unprotected data in memory, unencrypted local network traffic, and other vulnerabilities, which are discussed in this chapter.
Payment Application Memory
In November 2009, Visa issued its Data Security Alert called “Targeted Hospitality Sector Vulnerabilities” where the biggest payment card brand admitted that “the increasing use of debugging tools that parse data from volatile memory suggests that attackers may have successfully adapted their techniques to obtain payment ...
Get Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.