Security Bulletins

2017 Alerts

Visa Security Alert: Flokibot Malware Kit Targets POS Devices in LAC
Multiple information security firms have reported on the emerging threat of a new malware variant identified as “Flokibot.” Recently, two Flokibot campaigns compromised integrated point-of-sale (PoS) devices and other systems of multiple Brazilian merchants. Although we have no confirmation of other compromises, merchants in other countries, including Australia, Paraguay, Croatia, the Dominican Republic, Argentina, and the U.S., were also reportedly targeted.


2016 Alerts

Visa Statement: EMV at the pump
Visa makes a change to the U.S. domestic EMV activation deadline for Automated Fuel Dispensers
The introduction of chip card technology has been the most far-reaching change to payments in the last 60 years in the U.S. Visa has been committed to this effort because chip is an important advancement in securing payments and provides the foundation for future innovation. Across the globe, chip technology has been proven to prevent counterfeit fraud, which is the most common type of fraud that results from the massive data breaches that have become regular news headlines in the past 10 years. Chip also lays the foundation necessary for payment systems to support the future of payments, including mobile, biometrics, and risk-based authentication.


MasterCard Statement: Update on U.S. Chip Card Migration - Automated Fuel Dispenser Liability Shift


Visa Bulletin: Eight-Digit Issuer BIN Will Be Implemented in April 2022
Effective with the April 2022 VisaNet Business Enhancements release, Visa will begin assigning eight-digit issuer BINs and will require all clients to process using the new eight-digit BIN structure. Technical requirements will be included in the VisaNet Business Enhancements Global Technical Letter and Implementation Guide.

Note: Visa will continue to assign six-digit numerics to acquirers. To avoid confusion with the eight-digit BINs assigned to issuers, these six-digit numerics will be renamed “Acquirer Identifiers.”


On Monday, 8 August 2016, Oracle Security informed Oracle MICROS customers that it had detected malicious code in certain legacy MICROS systems. Oracle is currently investigating the compromise, and as of 12 August 2016, the company has not published details about the cause or causes.

Visa is issuing this alert to provide indicators of compromise (IOCs) associated with cybercrime threats known to have previously targeted Oracle systems. This data security alert may be disseminated to all payment system stakeholders.



Visa has highlighted two security issues, Magento vulnerabilities and PoSeidon POS malware, in the following data security alerts:

VISA Payment Fraud Disruption Technical Analysis | Poseidon Malware Persistence Monitoring

Visa Security Alert | Magento Vulnerabilities Affecting Ecommerce Merchants

Magento is a popular open-source e-commerce platform written in PHP. Several critical- and high-severity vulnerabilities were discovered and patched on the Magento platform in January 2016. Merchants who have not deployed security patch SUPEE-7405, as required by PCI standards, are vulnerable to remote exploits that can compromise account data.

In March 2016, the PoSeidon point-of-sale (PoS) malware was modified to incorporate a persistence monitoring capability. PoSeidon malware now actively monitors the PoS system processes in order to maintain the infection and malware functionality. If the malware is removed from the system, the monitor process waits two (2) minutes and re-infects the system.


PCI DSS 3.2 Resource Guide
The Payment Card Industry Security Standards Council (PCI SSC) has published a new version of the industry standard that businesses use to safeguard payment data before, during and after purchase. PCI Data Security Standard (PCI DSS) version 3.2 replaces version 3.1 to address growing threats to customer payment information. Companies that accept, process or receive payments should adopt it as soon as possible to prevent, detect and respond to cyberattacks that can lead to breaches. The resource guide answers key questions about updates to the standard, timelines, and resources available for understanding and adopting PCI DSS version 3.2.


2015 Alerts

Small Merchant Security Program Requirements - UPDATE
As part of a broader effort to mitigate small merchant breaches, Visa Payment System Risk established new data security program requirements for U.S. and Canadian acquirers. Visa announced the new mandates for acquirers on 29 October 2015 via the Visa Business News. To provide acquirers and merchants with additional time to adhere to program requirements, Visa is adjusting compliance deadlines.

PCI SSC Announces New Migration Dates for SSL and Early TLS
In April 2015, the PCI Security Standards Council (SSC) removed SSL and early TLS as examples of strong cryptography in PCI Data Security Standard (DSS) Version 3.1 and noted that the technologies could no longer be used after June 30, 2016. Payment system stakeholders from around the world expressed concerns that the implementation deadline was too aggressive, would significantly affect annual PCI DSS re-validation efforts, and would negatively impact business practices.

“Kuhook” Point of Sale Malware
Kuhook (from the ModPOS malware family) is a variant of malware targeting Point of Sale (POS) systems designed to run on Microsoft Windows. It utilizes keylogger and memory scraping/parsing functionality. The malware is suspected to be privately owned and used, meaning that it is not currently distributed through online criminal forums and therefore is not known to be widely available. To date, Visa has observed the malware on two previous occasions, but we are not aware of any current victims of Kuhook at this time. However, we believe with high confidence the malware will be modified and used to target additional merchants and other entities processing payment card data.

Acquirers Must Ensure Small Merchants Meet New Data Security Program Compliance Requirements
According to recent forensic investigations, small merchants remain targets of hackers who are attempting to compromise payment data. As part of an effort to secure the payment system and mitigate the risk of small merchant compromises, Visa is establishing requirements for acquirers to ensure that their small merchants take steps to secure their point-of-sale (POS) environment.

Windows Server 2003 End of Life

Cybercriminals Targeting Point of Sale Integrators

“RAWPOS Malware Targeting Lodging Merchants
The “rawpos malware is a memory scraper infecting global lodging merchants at an alarming rate. Variants date as far back as 2008, and it is one of the first known memory scrapers to target Point of Sale (POS) systems. Typically clustered in three files, there is no standard infection method for this malware. Of particular note with recent samples is a logic bomb that does not function outside the timing parameters. Adherence to PCI-DSS 3.0 should mitigate this malware. Read More

PCI SSC Bulletin on “GHOST” Vulnerability


2014 Alerts

Black Friday is for Sales Not Criminals

“Shellshock” (Bash) Vulnerability
The Financial Services Information Sharing and Analysis Center (FS-ISAC) recently reported on “Shellshock,” a newly discovered security vulnerability in Unix-based operating systems such as Linux and Apple’s Mac OS X.

Insecure Remote Access and User Credential Management

OpenSSL “Heartbleed” Vulnerability

Whitepaper – Windows XP’s End of Life
This Visa-produced whitepaper can be used when communicating with your customers, as it reinforces the advice you provide on the urgent need to upgrade to an actively supported operating system.

“Chewbacca” POS Malware

Retail Merchants Targeted by Memory-Parsing Malware – Update

Mitigating Large Merchant Data Breaches
Authors: Tia D. Ilori and Ed Verdurmen