Helping merchants deal with the growing threat of POS malware is one of the biggest challenges facing Troy Leach, CTO of the PCI Security Standards Council, who says the BlackPOS malware threat, in particular, "is keeping me up at night."
Version 3.0 of the PCI Data Security Standard include mandates for POS malware mitigation and ensuring third-party security, Leach explains. But despite the fact that current data security standards specifically address malware mitigation best practices, many organizations continue to struggle with compliance.
"I definitely think there are certain requirements that are more challenging for some organizations than others to comply with," Leach says during an on-site interview with Information Security Media Group at the PCI Community Meeting.
"Compliance with the PCI-DSS is the best way to ensure we can detect malware and keep it out of the system," he says.
Many retailers are struggling to determine how to ensure they include enough security requirements in their contracts with third parties. And they must ensure the contracts they have in place are frequently updated to address emerging security risks, Leach says.
The PCI Council is working to issue updated guidance and provide more programs to help merchants ensure ongoing compliance, he says.
And in the wake of recent retail breaches, including the cyber-attack against Home Depot, Leach says the council is looking to help retailers identify and address security gaps.
The BlackPOS Threat
BlackPOS, which is believed to have compromised Target Corp., Sally Beauty and possibly Home Depot, is a big worry for retailers and security practitioners. Because BlackPOS encrypts the card data it exfiltrates, even when retailers know they've been compromised, they have a hard time determining exactly what information has been taken, Leach says.
"BlackPOS is keeping me up at night," he says. "Once it gets in, it's hard to detect."
So the PCI Council is working with security forensics teams to discuss how best to mitigate the BlackPOS threat. Then the council will provide more risk management advice for merchants and others, Leach says.
During this interview, Leach also discusses:
- Requirements within the PCI-DSS surrounding POS terminal security mandates, such as the automated resetting of firmware;
- Why the PCI council issued new guidance surrounding POS and ATM skimming attacks; and
- Payments variations that have made quick-serve restaurants and the hospitality industry prime targets for hackers.
In his role as CTO and lead security standards architect for the PCI Council, Leach has developed and implemented a comprehensive quality assurance program. Before joining the council, he led the incident response program at American Express, where he reviewed more than 300 cases of account data compromises. Over the past 18 years, he has held positions in systems administration, network engineering, IT management, security assessment and forensic analytics.