PCI Free Blog

Hackers Remotely Insert Malicious Data Collection Software

Following the goals and requirements of the PCI DSS and maintaining PCI compliance markedly reduces your risk of a customer data compromise. Hotels and motels (a.k.a. “lodging” merchants) are among the most frequently targeted industry types in cases of cardholder data theft. In a recent incident a Colorado-based chain of hotels and resorts with 21 locations nationwide was breached. Three dozen guests were victimized when their credit card and other personal private information was stolen and sold anonymously on the internet. This was only the tip of the iceberg, however. Authorities believe over 700 of the resort’s customers across the parent company’s 21 hotel and resort locations may have been affected. The parent company’s computer systems were hacked into by thieves who are still at large and unidentified. Authorities are contacting recent guests they think may also have been victimized.

An ABC news report stated that the theft of this data allowed the hackers to steal hundreds of thousands of dollars. The entry point of the security breach has been fixed, but authorities suspect that many of the credit card numbers have been sold online, as this is a common tactic hackers use to generate money. It is also likely that these card numbers were used fraudulently at other businesses before being reported stolen. Those merchants lose both the product or service they provided and the payment for it. As you can see, an ever-widening circle of innocent victims radiates outward from the data compromise. Even merchants that strictly follow the requirements of the PCI DSS and properly maintain their PCI compliance will be virtually unable to detect fraud if they process a stolen card number before the issuer cancels that account number.

The parent company stated that it detected a malicious software program that had been remotely inserted into its credit card processing system. Proper PCI compliance procedures, which include a schedule of periodic network scans, updates, and malware detection sweeps, may have led to discovery of the unauthorized software program before so much damage was done. An outside security consulting firm had to be called in, at great expense to the compromised merchant, to correct the problem that allowed the breach to occur. You can count on the company maintaining its PCI compliance from now on.

Contrary to conventional wisdom, point-of-sale (POS) systems are more frequently targeted and compromised than e-commerce (internet) processing systems. Small business owners who process using stand-alone dial-up POS terminals don’t have to worry about malicious software being remotely loaded onto their machines, since these devices cannot receive an inbound communication.

Whether you are a huge merchant processing thousands of credit cards or a mom-and-pop store that only processes sporadically, PCI compliance and an understanding of the PCI DSS requirements and recommendations are critical. What are you waiting for? PCI compliance affords peace of mind and is free at PCI Free dot com.
