Heartland Payment Systems (HPY) on Tuesday disclosed that intruders hacked into the computers it uses to process 100 million payment card transactions per month for 175,000 merchants: http://www.usatoday.com/money/perfi/credit/2009-01-20-heartland-credit-card-security-breach_N.htm
I took a moment to see if they were PCI Compliant, and they were audited in March 2008 by Trustwave.
They said the start of it all was a keylogger that got into their systems, as described in this snippet from http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=212901505&subSection=News
----------
"the breach was the result of keylogging malware, which covertly captures anything typed on an infected computer, such as user names and passwords. ...
There were two elements to it, one of which was a keylogger that got through our firewall," he said. "Then subsequently it was able to propagate a sniffer onto some of the machines in our network. And those are what was actually grabbing the transactions as they floated over our network."
----------
You have to wonder if the keylogger software came in over a network, or if it was carried in by an employee on a USB token, in a laptop they infected while using it at home or while traveling, etc. We're not sure PCI DSS can effectively prevent problems like those, although it can recommend good security practices that reduce the possibility.
PCI DSS mandates that machines that store/process/transmit cardholder information should not have direct Internet connectivity. There shouldn't really be a means for a sniffer to send results back to its employer over the Internet, so in a way the exploit described does violate PCI DSS.
Also, integrity, anti-virus and event monitoring controls should certainly pick up things like keyloggers and an IDS/IPS/firewall could be used to identify some rather odd connections from certain servers.
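As an added example (not code from this thread or from Heartland), here is the kind of check a defender could run over network flow records to surface what the post says PCI DSS should rule out: a cardholder-data host opening connections directly to non-internal addresses. The CDE subnet, the internal address ranges and the flow records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed cardholder-data environment (CDE) segment and internal address space.
CDE_NET = ipaddress.ip_network("10.20.0.0/24")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample flow records: (src, dst, dst_port, bytes_out).
SAMPLE_FLOWS = [
    ("10.20.0.5", "10.20.0.10", 443, 1200),          # intra-CDE, expected
    ("10.20.0.5", "10.30.0.2", 514, 800),            # CDE -> internal syslog, expected
    ("10.20.0.7", "198.51.100.23", 443, 2_400_000),  # CDE -> Internet: policy violation
    ("10.20.0.7", "203.0.113.9", 8080, 50_000),      # CDE -> Internet: policy violation
    ("10.40.0.3", "198.51.100.23", 443, 3000),       # non-CDE host, not in scope here
]

def is_internal(addr):
    """True if addr falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def find_cde_egress(flows):
    """Return every flow where a CDE host talks directly to a non-internal address.

    Any hit is a segmentation failure worth an alert regardless of volume,
    because the CDE is not supposed to have a path to the Internet at all.
    """
    return [f for f in flows
            if ipaddress.ip_address(f[0]) in CDE_NET and not is_internal(f[1])]

def egress_bytes_per_cde_host(flows):
    """Sum outbound bytes per CDE host so a sniffer's bulk upload stands out."""
    totals = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        if ipaddress.ip_address(src) in CDE_NET and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)

if __name__ == "__main__":
    for src, dst, port, nbytes in find_cde_egress(SAMPLE_FLOWS):
        print(f"ALERT CDE egress: {src} -> {dst}:{port} ({nbytes} bytes)")
    print("bytes out per CDE host:", egress_bytes_per_cde_host(SAMPLE_FLOWS))
```

The same logic applies to firewall or NetFlow exports; what matters is that the CDE-to-Internet rule is checked continuously rather than only at audit time.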