Chapter 5

Penetrating Security Free Zones

If you give to a thief he cannot steal from you, and then he is no longer a thief.

William Saroyan

PCI security standards put the responsibility for implementing security controls on the payment processing industry—merchants, payment gateways and processors, and software vendors. An interesting trend is emerging, however: instead of requiring payment system vendors (either hardware or software—in this case, there is no big difference from the merchant's viewpoint) to supply secure systems “out of the box,” the standards allow multiple vulnerabilities to be built into software and hardware by design. At the same time, merchants are required to implement security controls that compensate for the lack of security in their payment systems. The merchants expect security to come from the software and hardware vendors, who in turn rely on the merchants to secure their own store environments. The result is multiple security breaches. Examples of this scenario include unprotected data in memory, unencrypted local network traffic, and other vulnerabilities, all of which are discussed in this chapter.

Payment Application Memory

In November 2009, Visa issued its Data Security Alert called “Targeted Hospitality Sector Vulnerabilities” where the biggest payment card brand admitted that “the increasing use of debugging tools that parse data from volatile memory suggests that attackers may have successfully adapted their techniques to obtain payment ...
