PCI Updates Security Guidance with Focus on Firmware

Point of Sale Terminal
RSA said in 2015 that it detected an attempt to compromise a Point of Sale vendor, raising concerns about supply chain based attacks. The PCI Council is now requiring more supply chain controls for POS systems.

In-brief: The Payment Card Industry Security Standards Council (PCI Council) is raising the bar for the security of point of sale systems, with a big focus on the software (or “firmware”) that runs those systems. 



The PCI Council this month released updated “modular security requirements” for PIN Transaction Security (PTS) Points of Interaction. The new document strengthens security requirements for vendors who make point of sale systems, with new mandates to allow secure updates of firmware and to prevent so-called “side channel” attacks, which extract sensitive information from seemingly innocuous emissions such as power consumption patterns.

[Read more Security Ledger coverage of Point of Sale system security.]

The new document (PDF) comes in the wake of attacks on point of sale systems at major retail and hospitality chains. In just the last month, malware outbreaks were reported on point of sale systems used by HEI Hotels and Resorts and Kimpton Hotels. Add to those the Starwood Hotels chain, Trump Hotels, Hilton hotels and the luxury Mandarin Oriental, among others.

The PCI Council guidance attempts to address point of sale security on more than one front.

Guidance about maintenance of device firmware was added to “deal with the increasing complexity of device designs.” The new guidelines use a more flexible definition of firmware to ensure that the PTS evaluation scope includes any code that can be construed to be firmware.

Among other things, point of sale systems vendors are required to review firmware prior to shipping using a “documented and auditable process” that ensures the devices do not have “hidden and unauthorized or undocumented functions,” the guidelines say.

Additionally, point of sale devices have to support firmware updates and must “cryptographically authenticate the firmware” before it is installed. The same applies to any applications loaded onto the point of sale terminal.
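The authenticate-before-install requirement described above, as an added illustration that is not part of the article or of the PCI requirements: a device-side check that rejects a firmware image whose authentication tag does not verify and refuses a rollback to an older version. The image layout, the key, and the use of HMAC-SHA256 from the standard library are assumptions made here; a real PTS device would verify a vendor signature with a public key provisioned in the device, and the MAC stands in for that primitive.

```python
import hashlib
import hmac
import struct

# Constructed image layout (hypothetical; not a PCI-defined format):
#   magic(4) | version(4, big-endian) | body_len(4, big-endian) | body | tag(32)
MAGIC = b"FWIM"
HEADER = struct.Struct(">4sII")
TAG_LEN = 32

def build_image(key, version, body):
    """Vendor side: wrap firmware and append an HMAC-SHA256 tag over header + body."""
    header = HEADER.pack(MAGIC, version, len(body))
    return header + body + hmac.new(key, header + body, hashlib.sha256).digest()

def verify_image(key, image, installed_version):
    """Device side: authenticate the image and refuse rollback before installing.
    Returns the firmware body; raises ValueError if the image must not be installed."""
    if len(image) < HEADER.size + TAG_LEN:
        raise ValueError("image too short")
    magic, version, body_len = HEADER.unpack_from(image)
    if magic != MAGIC or len(image) != HEADER.size + body_len + TAG_LEN:
        raise ValueError("malformed header")
    signed, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    # Authenticate before acting on any header field; compare in constant time
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: image rejected")
    if version <= installed_version:
        raise ValueError("rollback refused: version %d <= installed %d" % (version, installed_version))
    return image[HEADER.size:-TAG_LEN]

def check(key, image, installed_version):
    """Return "installed" or the rejection reason (convenience wrapper for the demo)."""
    try:
        verify_image(key, image, installed_version)
        return "installed"
    except ValueError as exc:
        return str(exc)

if __name__ == "__main__":
    key = b"constructed-demo-key"  # stands in for the vendor key provisioned in the device
    good = build_image(key, 3, b"genuine firmware v3")
    tampered = bytearray(good)
    tampered[HEADER.size] ^= 0x01  # flip one bit in the body, leaving the tag unchanged
    print(check(key, good, 2))             # installed
    print(check(key, bytes(tampered), 2))  # authentication failed: image rejected
    print(check(key, good, 3))             # rollback refused: version 3 <= installed 3
```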

The new standards also contain rigid safeguards to prevent supply chain attacks. Point of sale manufacturers are required to have change-control procedures in place, among them documentation and proof that firmware is “protected and stored in such a manner as to preclude unauthorized modification during its entire manufacturing life cycle,” for example by using dual control or standardized cryptographic authentication procedures to secure the firmware.

Manufacturers are also required to assemble the device such that any components used are assured of being authentic. The PCI Council said it will conduct site inspections and use its own labs to validate compliance.

In March 2015, researchers at Cisco reported the discovery of a piece of malware, dubbed PoSeidon, that was designed specifically to compromise point of sale systems. In April of that year, the security firm RSA described a sophisticated “spear phishing” campaign against a European point of sale vendor, which RSA said was part of the PoSeidon campaign identified by Cisco in March.