As I predicted in previous posts, the wave of card data breaches is growing and sweeping away everything (meaning, above all, PCI-compliant merchants) in its path. Brian Krebs stated in his blog that the point of sale software, which is created by Signature Systems and used by Jimmy John's and other retailers for payment processing, was not PCI (PA-DSS) compliant, as its formal validation expired in 2013. This fact can be a good excuse for the PCI Security Council to blame the merchants again and say that the breach was made possible because they were not PCI compliant. We all know this isn't true, and PCI compliance wouldn't have helped them avoid the breach, just as it didn't help many others. In most cases, including those recent breaches, the attack is carried out using RAM scraping, aka memory parsing - a special technique that exploits the payment application vulnerability which cannot be mitigated by PCI standards.