Although the researchers declined to name the brands of terminals they examined, and had taped over the names on the devices to prevent audience members from seeing them, VeriFone's name popped up on the touchscreen device after the system rebooted and the firmware displayed its launch page. The device is VeriFone's MX780 point-of-sale terminal. The other two devices match Vx models of terminals made by VeriFone.

According to the researchers, the MX780 model, widely used in the U.S., has remote administration capability that allows the devices to communicate regularly with a server. But the researchers found that the terminals do not authenticate the servers with which they communicate, so the researchers were able to design a man-in-the-middle attack that tricks the terminal into communicating with their rogue server and allows them to download malware to the device. Although an attacker would have to be on the same network as the device to conduct this attack, the devices are set up to periodically connect to the remote server as well as connect during reboot, providing easy access to the machines once the attacker is on the network. The researchers noted that there are also wireless versions of the terminals that communicate with a store's network via WiFi.

Once they have access to the device, the researchers found that the terminals, which use an operating system based on Linux, have a vulnerability that would allow an attacker to change applications on the device or install new ones in order to capture card data and cardholder signatures.

A VeriFone spokesman said that the demonstration on the MX780 used an older version of the system's software, and that the "issue is not present on subsequent systems software." He did not respond to questions about when the fix had been made.

The other two models of terminals, designed for use with chip-and-PIN cards, have different vulnerabilities that were also exploited.

Chip-and-PIN cards became mandatory in the UK in 2006 and will become widely deployed in the U.S. Both MasterCard and Visa announced earlier this year that they would be migrating U.S. consumers to chip-and-PIN cards by April 2013. The cards contain an embedded security chip that verifies the customer's PIN when he or she enters it on a keypad. The chips also hold a secret key that validates the card to the bank. The key is supposed to ensure that fraudsters who know a bank customer's PIN can't simply embed the data into any chip-enabled blank card and use it to withdraw money from the customer's account.

If you sell products or take payments via your website, choose a PCI compliant Web hosting plan and ecommerce or shopping cart application. Some Web hosting companies publicly post their compliance details on their website, but in many cases you'll have to ask the sales or support department. For ecommerce applications and shopping carts, you can refer to the List of Validated Payment Applications from the PCI council.

You'll likely have a tougher time achieving PCI compliance if you use cheaper shared hosting plans, due to the way the servers are divided among multiple website owners. But you may be able to get away with using one (even a non-compliant one) if you choose a hosted payment solution where customers are forwarded to a compliant site to enter their credit card details, such as PayPal Standard, 2Checkout, or Authorize.Net. And you may want to consider a hosted payment solution even if your Web hosting plan is compliant, in order to reduce the security measures you must take. However, if you'd like to fully integrate the payment process within your site, you may have to go with a more expensive virtual private or dedicated server, which are typically PCI compliant.

Never store a credit card's authentication info. If you need to keep cardholder data for recurring billing or other required business purposes, check with your payment processor to see if they offer options that allow you to input and store the data on their systems. If you must store the data yourself, remember you'll have to follow many more security measures, and you can never store the sensitive authentication info: full magnetic stripe data, the security code, or the PIN.
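The terminal research above turns on one missing check: the device installed whatever the management server sent, without authenticating that server. The following Go program is an added example written for this page, not VeriFone's code or anything from the researchers, and every name in it (`UpdatePackage`, `verifyUpdate`, the sample image strings) is assumed. It puts the weak acceptance path next to a hardened one that only installs software whose Ed25519 signature verifies under a public key pinned in the terminal, then runs both against a genuine package, the same package with its image swapped in transit, and an image signed by the wrong key. Authenticating the server itself (TLS with a pinned certificate) is the other half of the fix; verifying the delivered payload is the part that can be shown offline.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// UpdatePackage is what the remote-administration channel hands the terminal:
// an application image and a detached signature made by the vendor's release key.
type UpdatePackage struct {
	Image     []byte
	Signature []byte
}

// insecureAccept mirrors the weakness described in the research: the terminal
// installs whatever answers its periodic check-in, so any host that can stand
// in for the management server gets to choose the software.
func insecureAccept(pkg UpdatePackage) []byte {
	return pkg.Image
}

// verifyUpdate accepts an image only if its signature verifies under a public
// key pinned in the terminal firmware. The network path is treated as hostile:
// a rogue server can replace bytes but cannot produce a signature for them.
func verifyUpdate(pinned ed25519.PublicKey, pkg UpdatePackage) ([]byte, error) {
	if len(pinned) != ed25519.PublicKeySize {
		return nil, errors.New("update rejected: no valid pinned key")
	}
	if len(pkg.Signature) != ed25519.SignatureSize {
		return nil, errors.New("update rejected: malformed signature")
	}
	if !ed25519.Verify(pinned, pkg.Image, pkg.Signature) {
		return nil, errors.New("update rejected: signature does not verify under pinned key")
	}
	return pkg.Image, nil
}

// signUpdate stands in for the vendor's release process. In a real deployment
// the private key never leaves the build system; it is generated here only so
// the scenario is self-contained.
func signUpdate(priv ed25519.PrivateKey, image []byte) UpdatePackage {
	return UpdatePackage{Image: image, Signature: ed25519.Sign(priv, image)}
}

// Outcome records what each acceptance path did with three deliveries: the
// genuine package, the same package with its image swapped in transit, and an
// image signed by a key that is not the pinned one.
type Outcome struct {
	InsecureInstalledSwapped bool
	VerifiedAcceptedGenuine  bool
	VerifiedRejectedSwapped  bool
	VerifiedRejectedWrongKey bool
}

func runScenario() (Outcome, error) {
	var out Outcome
	vendorPub, vendorPriv, err := ed25519.GenerateKey(nil) // nil reader -> crypto/rand
	if err != nil {
		return out, err
	}
	// Constructed sample image; a real package would be the application binary.
	genuine := signUpdate(vendorPriv, []byte("payment-app v2.1 (constructed sample image)"))

	// In-transit substitution: the signature is still the vendor's, the image is not.
	swapped := genuine
	swapped.Image = []byte("payment-app v2.1 (constructed tampered image)")

	// A second party signs the substituted image with its own, unpinned key.
	_, otherPriv, err := ed25519.GenerateKey(nil)
	if err != nil {
		return out, err
	}
	wrongKey := signUpdate(otherPriv, swapped.Image)

	out.InsecureInstalledSwapped = string(insecureAccept(swapped)) == string(swapped.Image)
	_, err = verifyUpdate(vendorPub, genuine)
	out.VerifiedAcceptedGenuine = err == nil
	_, err = verifyUpdate(vendorPub, swapped)
	out.VerifiedRejectedSwapped = err != nil
	_, err = verifyUpdate(vendorPub, wrongKey)
	out.VerifiedRejectedWrongKey = err != nil
	return out, nil
}

func main() {
	out, err := runScenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", out)
}
```

The point of pinning the key in firmware rather than fetching it from the server is that the check cannot be downgraded by the very channel it is meant to protect; a rogue host on the store network can still deliver bytes, but the terminal refuses to run them.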
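The storage rule in the last paragraph, as an added example written for this page in Go (not code from the article or from any payment processor): a checkout record is reduced to the fields that may be kept, the sensitive authentication data (security code, full track data, PIN) is dropped and reported back so the caller can audit what was discarded, and a final check refuses to write any string that still carries a full track 2 read. The struct names, the first-six/last-four masking convention and the sample card values are assumptions; confirm the masking rule against the PCI DSS version you are assessed against.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// CardInput is everything a checkout form or terminal read might hand to the
// application. Several fields are sensitive authentication data (SAD) and must
// never be written to disk, database or log once authorization is complete.
type CardInput struct {
	PAN            string // primary account number
	Expiry         string // MMYY
	CardholderName string
	SecurityCode   string // CVV2/CVC2: SAD, never stored
	Track2         string // full magnetic stripe data: SAD, never stored
	PINBlock       string // PIN or PIN block: SAD, never stored
}

// StoredCard is the only shape the application is allowed to persist. The PAN
// is truncated to first six / last four (assumed masking convention).
type StoredCard struct {
	MaskedPAN      string
	Expiry         string
	CardholderName string
}

var panDigits = regexp.MustCompile(`^[0-9]{13,19}$`)

// PrepareForStorage returns a persistable record plus the list of SAD fields it
// discarded, so the caller can log (by field name only) that nothing forbidden
// reached storage.
func PrepareForStorage(in CardInput) (StoredCard, []string, error) {
	pan := strings.ReplaceAll(in.PAN, " ", "")
	if !panDigits.MatchString(pan) {
		return StoredCard{}, nil, errors.New("PAN must be 13 to 19 digits")
	}
	var dropped []string
	if in.SecurityCode != "" {
		dropped = append(dropped, "SecurityCode")
	}
	if in.Track2 != "" {
		dropped = append(dropped, "Track2")
	}
	if in.PINBlock != "" {
		dropped = append(dropped, "PINBlock")
	}
	rec := StoredCard{
		MaskedPAN:      MaskPAN(pan),
		Expiry:         in.Expiry,
		CardholderName: in.CardholderName,
	}
	return rec, dropped, nil
}

// MaskPAN keeps the first six and last four digits and replaces the rest with X.
// Very short inputs are masked entirely rather than exposing most of the number.
func MaskPAN(pan string) string {
	if len(pan) <= 10 {
		return strings.Repeat("X", len(pan))
	}
	return pan[:6] + strings.Repeat("X", len(pan)-10) + pan[len(pan)-4:]
}

// track2Pattern follows the ISO/IEC 7813 track 2 layout: start sentinel ';',
// PAN, field separator '=', expiry and service code followed by discretionary
// data, end sentinel '?'.
var track2Pattern = regexp.MustCompile(`;[0-9]{13,19}=[0-9]{4,}\?`)

// ContainsTrackData is a last-line check for anything about to be logged or
// persisted: a full stripe read that slipped into a free-text field or a debug
// line is exactly the data the text says may never be stored.
func ContainsTrackData(s string) bool {
	return track2Pattern.MatchString(s)
}

func main() {
	// Constructed sample values; the PAN is the well-known Visa test number.
	in := CardInput{
		PAN:            "4111 1111 1111 1111",
		Expiry:         "1225",
		CardholderName: "J. Doe",
		SecurityCode:   "123",
		Track2:         ";4111111111111111=25121010000000000?",
		PINBlock:       "0123456789ABCDEF",
	}
	rec, dropped, err := PrepareForStorage(in)
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Printf("stored: %+v\ndropped SAD fields: %v\n", rec, dropped)
	fmt.Println("raw track data in log line:", ContainsTrackData("swipe="+in.Track2))
}
```

Returning the names of the dropped fields rather than their values keeps the audit trail itself free of SAD; the track 2 check is deliberately applied to whole strings so it also catches stripe reads embedded in error messages or request dumps.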