Most data breaches involving payment card information - and there have been too many in the last two years - can be traced back to a failure to implement basic security measures.
Malware attacks on Point of Sale (PoS) systems are coming thick and fast right now. Many merchants have very immature security programs.
Most breaches involved the exploitation of very simple vulnerabilities, and many of the merchants hit have very immature security programs, Charles Henderson from Trustwave and David Byrne from Bishop Fox noted in their presentation at RSA Conference 2015. "Future breaches are likely to leverage more complex vulnerabilities as merchants become more secure," they posited, but so far, they have been found doing things like:
Finally, they offered some tips on how to implement a good PoS security program: ensure that no payment card data is stored on registers, enforce strong authentication policies, do not run the PoS user interface as "administrator", keep software up-to-date, and keep AV signatures current.
In addition to this, they say it's a good idea to evaluate the security of data communication, test application servers for vulnerabilities, lock down the client execution environment, use key/certificate-based authentication, and use end-to-end encryption with asymmetric keys.
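The first of those tips, ensuring that no payment card data is stored on registers, is one a merchant can verify on the registers themselves. The following audit script is an added example, not code from the presentation or the article: it scans files for runs of digits that pass the Luhn check used by card numbers and reports them masked (first six and last four digits only) so the audit output never stores a full PAN. The sample file paths and contents are constructed.

```python
import re
from pathlib import Path

# Runs of 13-19 digits, optionally split by single spaces or dashes as seen on receipts
# and in PoS debug logs. The lookarounds stop a 20-digit order number from yielding a
# 19-digit partial match.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit validation, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the BIN (first 6) and last 4 so the report itself holds no full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pan_candidates(text: str) -> list:
    """Return masked, Luhn-valid card-number candidates found in text."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits


def audit_files(paths: list) -> dict:
    """Map each file containing PAN candidates to its masked findings; clean files are omitted."""
    report = {}
    for p in paths:
        hits = find_pan_candidates(Path(p).read_text(errors="ignore"))
        if hits:
            report[str(p)] = hits
    return report


# Constructed sample register files (hypothetical paths and contents, not from any real PoS).
SAMPLE_FILES = {
    "C:/pos/logs/debug.log": "2015-04-21 swipe ok track2=4111111111111111=2012 auth 5500 0000 0000 0004",
    "C:/pos/data/orders.csv": "order,1234567890123456,amount,19.99\norder,4111111111111112,amount,5.00",
}


def audit_samples() -> dict:
    """Same logic as audit_files, run over the in-memory constructed samples."""
    report = {}
    for name, text in SAMPLE_FILES.items():
        hits = find_pan_candidates(text)
        if hits:
            report[name] = hits
    return report
```

Only the debug log is flagged: the order numbers in the CSV are 16 digits long but fail the Luhn check, which is what keeps the false-positive rate manageable on real register filesystems.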