A new type of malware, which disguises itself as a service pack for the remote connectivity service LogMeIn, steals payment card data from point-of-sale (POS) systems, according to researchers at Forcepoint Labs.
The researchers spotted the malware – dubbed ‘UDPOS’ – after noticing that the service pack generated many unusual DNS requests. They haven’t been able to confirm whether the malware is currently being used in the wild, but warned that the likely targets would be fixed and mobile POS terminals in hotels and restaurants.
This choice of target shouldn’t be a surprise, as cyber crime is a copycat industry and criminal hackers have had a lot of success attacking hotels and restaurants recently. Arby’s, Shoney’s, Select Restaurants, Sonic, and Chipotle all reported POS breaches last year, and Hyatt, InterContinental, Mandarin Oriental, Hilton, Kimpton Hotels, Trump Hotels, and White Lodging are among the hotel chains to acknowledge card breaches.
How to avoid POS breaches
If your organization accepts card payments, you need to comply with the Payment Card Industry Data Security Standard (PCI DSS). It outlines best practices for everything from data encryption to network segmentation, helping you prevent payment card data breaches. However, even though poor security leads to reputational damage and the threat of fines or other enforcement actions, many merchants are not fully compliant.
You might think your organization meets the PCI DSS’s requirements, but maintaining compliance can be tricky, so you should frequently review your compliance posture.
Documenting your policies on the PCI DSS shows your commitment to compliance and helps you protect sensitive information.
Our PCI DSS Documentation Toolkit can help you create those policies. It provides PCI-compliant tools and enables you to quickly and easily create your documentation, so you can produce a robust system to protect your payment card data.
This toolkit contains a complete set of easy-to-use, customizable, and fully PCI-compliant documentation templates, including:
- PCI DSS Charter
- PCI DSS Compliance Program
- Operational Security Policy Statement
- Cryptographic Key Management
- Cardholder Data Policy Statement
- Helpful gap analysis and project tools to achieve complete coverage of the Standard
- Guidance documents
- PCI DSS staff awareness training