POS Malware - A Long-Term Mitigation Solution
It has been reported that the KAPTOXA operation responsible for the recent breaches of two major retailers, and potentially more, used a variant of the BlackPOS malware that some have named Trojan.POSRAM. The malware, installed on point-of-sale registers, scrapes the card data out of the register's memory in the window after the card is swiped, while the data is still unencrypted, which gives the attacker enough to make fraudulent transactions.
There are many other malware variants in circulation with the same capability, and retail POS registers and back-office systems, which generally run variants of Windows, are common targets for attackers.
So what is a retailer to do? What long-term strategy should a merchant consider?
Consider starting with the "point of capture": the terminal or PIN pad at which the card is actually read. This is often the best place to begin a security initiative. The terminal is a tamper-resistant, security-hardened device (typically PCI PTS-approved), and most current models support Point-to-Point Encryption (P2PE).
Hardware-based P2PE means the card data is encrypted inside the terminal's secure boundary at the moment it is read. Without it, the track data leaves the reader in the clear and sits in the register's memory and on the wire to the next system, which is exactly where memory-scraping malware collects it. With P2PE, the card data is encrypted at the swipe and stays encrypted throughout the merchant's environment: the register, the store network and the back office only ever handle ciphertext, and decryption happens only at the third-party payment gateway or the acquirer, which hold the keys.
Once the gateway or acquirer approves the authorization request, it returns a token to the merchant in place of the card number. A properly designed token is a randomly generated stand-in with no mathematical relationship to the card number, so it can be stored on the POS system for receipts, returns and reporting, and it cannot be turned back into a card number without the token vault held by the provider. Because the token cannot be used to initiate a transaction anywhere else, its value to an attacker is very low.
P2PE is relatively new to the marketplace but has been gaining adoption given the public breaches of the last few years. It does require a significant investment, because every payment terminal must be replaced or upgraded, and it only protects data that enters through the terminal: a card number keyed into the POS application on the register itself is still in the clear. Even so, it is one of the few solutions available that render whatever data an attacker does manage to obtain useless.
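The following is an added simulation of the P2PE and tokenization flow described in the two paragraphs above; it is illustrative code written for this page, not any vendor's P2PE product. It makes two simplifying assumptions: the terminal's real key scheme (DUKPT) is replaced by a single per-terminal key shared only with the gateway, and the cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag so the example runs on the Python standard library alone. It runs the same sale twice, once with the register holding clear track data and once with the terminal encrypting at the swipe, and shows what a memory scraper recovers in each case and what the register ends up storing.

```python
"""P2PE + tokenization simulation (added example, not vendor code)."""
import hashlib
import hmac
import re
import secrets

# Track 2 pattern a memory scraper looks for: ";PAN=YYMM...?"
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d*\?")

# Constructed test swipe using a well-known test PAN, not a real card.
SWIPE = b";4111111111111111=2512101123456789?"


def _subkey(key: bytes, label: bytes) -> bytes:
    """Domain-separated subkeys so encryption and MAC never share a key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for the terminal's AES/3DES."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt_for_gateway(terminal_key: bytes, track2: bytes) -> bytes:
    """With P2PE this runs inside the terminal; without it, in software on the register."""
    nonce = secrets.token_bytes(12)
    ks = _keystream(_subkey(terminal_key, b"enc"), nonce, len(track2))
    ct = bytes(p ^ k for p, k in zip(track2, ks))
    tag = hmac.new(_subkey(terminal_key, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


class Gateway:
    """Third-party gateway: the only party holding terminal keys and the token vault."""

    def __init__(self, terminal_key: bytes):
        self._terminal_key = terminal_key
        self._vault = {}  # token -> PAN; never exported to the merchant

    def _decrypt(self, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
        expect = hmac.new(_subkey(self._terminal_key, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expect):
            raise ValueError("tampered blob or wrong terminal key")
        ks = _keystream(_subkey(self._terminal_key, b"enc"), nonce, len(ct))
        return bytes(c ^ k for c, k in zip(ct, ks))

    def authorize(self, blob: bytes) -> dict:
        """Decrypt, authorize, and hand back a token instead of the PAN."""
        m = TRACK2_RE.fullmatch(self._decrypt(blob))
        if not m:
            return {"approved": False}
        pan = m.group(1).decode()
        token = "tok_" + secrets.token_hex(8)  # random; no relation to the PAN
        self._vault[token] = pan
        return {"approved": True, "token": token, "last4": pan[-4:]}


def ram_scrape(memory: bytes) -> list:
    """What a RAM scraper on the register recovers from a process buffer."""
    return [m.group(1).decode() for m in TRACK2_RE.finditer(memory)]


def run_sale(use_p2pe: bool) -> dict:
    """One sale; reports what the register held in memory and what it stored."""
    terminal_key = secrets.token_bytes(32)
    gateway = Gateway(terminal_key)
    if use_p2pe:
        # Terminal encrypts at the swipe: the register only ever sees ciphertext.
        register_buffer = encrypt_for_gateway(terminal_key, SWIPE)
        blob = register_buffer
    else:
        # Clear track data sits in register memory, then is encrypted for transport.
        register_buffer = SWIPE
        blob = encrypt_for_gateway(terminal_key, register_buffer)
    resp = gateway.authorize(blob)
    return {
        "approved": resp["approved"],
        "scraped_pans": ram_scrape(register_buffer),
        "stored_on_pos": resp.get("token"),
    }


if __name__ == "__main__":
    for p2pe in (False, True):
        print("P2PE" if p2pe else "no P2PE", run_sale(p2pe))
```

The point to take from the two runs is that the gateway approves the sale in both cases, but only the non-P2PE register ever holds anything the scraper's pattern can match, and in both cases the only card-related value left on the POS afterwards is a random token that the gateway's vault alone can map back to a PAN.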