Title: Brew HaHa Breach No Laughing Matter - Databreaches
Date: 06/23/10
Business Activities: Security - Technical Safeguards, Breach Response
Impact to Subscriber:

An organisation experienced a data breach relating to its credit card processing hardware. The organisation alleged that the manufacturer and installer of its point of sale system never informed it at the time of installation that a more current version or updates were available, that default user logins and passwords were never changed, that the firewall had “excessive” ports open, and that the hardware was no longer PCI DSS compliant. The manufacturer responded that its product was PCI certified; that card processors have added provisions to their contracts with merchants requiring them to secure cardholder data and making merchants responsible for stolen card numbers; and that installing PCI compliant software was only one small piece of the merchant’s responsibility to meet its contracted obligation with its card processor. Merchants were expected to secure their computer system’s network with commercial grade firewalls, use properly supported operating systems, have vigorous password controls and clean data accumulated from the pre-PCI era.

Authority:
Risk Guidance:
Control Guidance:

Relevance:

Background Facts:

  • examination of a data breach involving hardware that was possibly not PCI DSS compliant.


Relevance to Business Activities:

  • security - technical safeguards considerations:
    • merchant allegations:
      • espresso chain, Brew HaHa! alleged:
        • it purchased POSitouch version 5.27;
        • by the time it was installed by CC Productions, POSitouch had already released version 5.29:
          • the difference in versions is that version 5.27 stored full card data while 5.29 did not.
        • at the time of installation, no one from CC Productions:
          • informed Brew HaHa! that there was a more current version available;Risk or
          • advised the organisation to update or upgrade;Risk
        • at no point after purchasing the system did Brew HaHa! ever receive any advisories or warnings about the system no longer being compliant with evolving standards;Risk
        • when CC Productions installed the system, they:
          • enabled remote desktop software so that they could manage it;Risk
          • did not change the default user logins and passwords;Risk and
          • did not advise the organisation to change them.Risk
        • a forensic examination of the system noted:
          • the default configuration use of usernames and passwords;
          • the firewall had “excessive” ports open;Risk
          • a keylogger had been installed in 2009;Risk
          • full cardholder data going back a few years was stored in the system:
            • while there was a tool that could delete stored cardholder data, CC Productions:
              • never used the tool;Risk
              • did not advise the organisation to use the tool.Risk
        • it was notified that one of its locations was a common point of purchase in a number of fraud reports, which resulted in the realisation that:
          • its hardware was not PCI DSS compliant.Risk
    • response from the software manufacturer:
      • POSitouch stated:
        • its product was PCI certified;Control
        • the credit card industry has been imposing new PCI standards for protecting cardholder data from theft:
          • card processors have added provisions to their contracts with merchants that:
            • require them to secure cardholder data in all forms;Control and
            • makes the merchant responsible for stolen card numbers.Control
        • it was no longer in the business of storing cardholder data permanently:
          • it stopped storing any card processing information altogether.Control
        • for users of the POSitouch application that purchased prior to the existence of PCI standards:
          • updates have been available to meet these requirements.Control
        • installing PCI compliant software was only one small piece of the merchant’s responsibility to meet their contracted obligation with their card processor; merchants were expected to:
          • secure their computer system’s network with commercial grade firewalls;Control
          • use properly supported operating systems;Control
          • have vigorous password controls;Control and
          • clean data accumulated from the pre-PCI era.Control
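The stored-cardholder-data finding above (version 5.27 retaining full card data, and the pre-PCI-era data the manufacturer says merchants must clean) is something a merchant can check for directly: scan POS exports and databases for primary account numbers and report them masked. The following is an added example, not code from the page or from POSitouch; the export format, field names and card numbers are constructed (the numbers are standard industry test PANs).

```python
import re

# A PAN is 13-19 digits; exports often insert spaces or dashes between groups.
# Digit lookarounds stop us matching inside a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out timestamps, ticket numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid candidate PANs found in a piece of text, digits only."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep only first six and last four digits, so the report itself is not cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_export(text: str) -> list[tuple[int, str]]:
    """Scan a text export line by line; report (line number, masked PAN) for each hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hits.extend((lineno, mask(pan)) for pan in find_pans(line))
    return hits


# Constructed sample of a transaction log as an older POS build might have written it.
SAMPLE_EXPORT = """\
2009-03-02 14:05 sale 12.50 auth 004512 card 4111 1111 1111 1111 exp 0311
2009-03-02 14:07 sale 3.25 auth 004513 card 4111111111111112 exp 0511
2009-03-02 14:09 void ticket 8831 ref 20090302 store 04
2010-06-14 09:41 sale 7.80 auth 011204 card 5555-5555-5555-4444 exp 1012
"""

if __name__ == "__main__":
    for lineno, masked in scan_export(SAMPLE_EXPORT):
        print(f"line {lineno}: stored PAN {masked}")
```

Line 2 of the sample is a 16-digit run that fails the Luhn check and is therefore not reported; a hit list that is not empty means the deletion tool or an upgrade still needs to be applied.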


  • breach response considerations:
    • in response to reports of fraud at Brew HaHa! locations, the organisation:
      • immediately stopped accepting credit and debit cards in that shop;Control
      • posted a letter to its customers to alert them to the breach; and
      • ordered stand-alone terminals for all stores.Control


Source Documents:

http://www.databreaches.net/?p=11932

http://www.databreaches.net/?p=11943
