Defending Against PoS RAM Scrapers: Current Strategies and Next-Gen Technologies

DEFENDING AGAINST POS RAM SCRAPERS
Current and Next-Generation Technologies

Numaan Huq
Forward-Looking Threat Research Team

TREND MICRO LEGAL DISCLAIMER

The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice.

Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes.

Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof.
Use of this information constitutes acceptance for use in an “as is” condition.

CONTENTS

Introduction
What We Know About PoS RAM Scrapers so Far
How PoS RAM Scrapers Work
    Points of Entry
    Lateral Movement
    Data-Exfiltration Techniques
How Data Security Standard Compliance Helps Protect Against PoS RAM Scrapers
    PCI DSS
    PA DSS
    Third-Party Vendor Access Issues
Defending Against PoS RAM Scrapers
    PoS Defense Model
    Defensive Technologies and Strategies
    Defense Recommendations for Companies
        Security Strategy Decisions
        Recommendations for Small Businesses
        Recommendations for Medium-Sized Businesses
        Recommendations for Enterprises
Will Next-Generation Payment Technologies Help?
    EMV
    Contactless RFID Credit Cards
    Mobile Wallets
    New Payment-Processing Architectures
        Encryption Plus Tokenization
        Secure Element
Conclusion
References

INTRODUCTION

In light of ongoing data breaches involving the compromise of point-of-sale (PoS) systems, everyone is asking two questions—“How do we better protect PoS systems from attacks?” and “What new technologies are being introduced to better protect them?”

Stealing payment card data