When you say "almost 18 months"
Do you mean 17 months by any chance?
US chain Rosen Hotels & Resorts has become the latest to confirm a malware-based breach of its payment processing systems. The breach covered an extended period between September 2, 2014 and February 18, 2016 - or almost 18 months. The unauthorised access was tied to certain locations, primarily at its restaurants. While Rosen …
Why are POS even getting this info? Assuming by POS they mean the actual till, then there is no reason for it to even receive the full card details. It's simple, the till sends the total value to the card terminal, which sends back an authorisation code and maybe the last 4 digits of the card, to print on the receipt.
If the card readers have been infected, then that raises more concerns over how something like that can be accessed. It should only be able to be updated by physical connection, preferably using proprietary connectors tucked away inside the casing. Add to that a PIN code to be entered with an engineer's card inserted, to put it into maintenance mode, otherwise it is bricked. Out of maintenance mode, phone home to confirm the update.
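The till/terminal separation the comment above argues for, as an added illustration that is not part of the original thread: the till sends only the amount, the terminal answers with an authorisation code and a truncated PAN, and the full card number never enters the till's memory. The message format, `CardTerminal`, `Till` and the test PAN are all constructed for this example.

```python
"""Constructed till <-> card-terminal exchange showing PAN isolation."""
import json
import secrets
from dataclasses import dataclass, field


def mask_pan(pan: str) -> str:
    """PCI DSS-style truncation: at most the first 6 and last 4 digits visible."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("PAN too short")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class CardTerminal:
    """Holds the card data it read from the swipe/chip; never exports the PAN."""
    _pan: str  # constructed test value, not a real card number

    def handle(self, request: str) -> str:
        req = json.loads(request)
        if req.get("type") != "AUTH" or not isinstance(req.get("amount_cents"), int):
            return json.dumps({"type": "ERROR", "reason": "bad request"})
        return json.dumps({
            "type": "AUTH_OK",
            "auth_code": secrets.token_hex(3).upper(),  # stand-in for the acquirer's code
            "pan_masked": mask_pan(self._pan),
            "amount_cents": req["amount_cents"],
        })


@dataclass
class Till:
    """The POS: only ever sees amount, auth code and masked PAN."""
    log: list = field(default_factory=list)

    def charge(self, terminal: CardTerminal, amount_cents: int) -> dict:
        request = json.dumps({"type": "AUTH", "amount_cents": amount_cents})
        response = json.loads(terminal.handle(request))
        self.log.append(response)
        return response

    def ever_saw(self, secret: str) -> bool:
        """True if the secret appears anywhere in what the till stored."""
        return any(secret in json.dumps(entry) for entry in self.log)


def receipt_line(resp: dict) -> str:
    """Receipt shows last 4 digits only, as the comment suggests."""
    return f"CARD ****{resp['pan_masked'][-4:]} AUTH {resp['auth_code']} TOTAL {resp['amount_cents'] / 100:.2f}"
```

Malware on the till in this model can harvest only the masked value; the full PAN would have to be stolen from the terminal itself, which is why the update path of the terminal matters.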
You are making the common mistake of assuming cards in the US are chip enabled. The majority are still not and even those of us who have chip-enabled cards never use them in that setting because the terminals have not yet been upgraded. I have yet to use any of my chip-enabled cards in that mode in the USA.
I stay at hotels throughout the US for work (multiple times monthly) and the POS terminals still all use the mag stripe. I also get my primary business card cloned 3 or 4 times a year (presumably because of that).
Another observation is that Marriott, Hilton, and Sheraton have all been breached. As soon as Holiday Inn gets pwned (may have happened already), that will be all of the business hotel chains in the country.
In addition, in the US if the vendor needs to challenge the challenge from a user, you need full details on the purchase. Yes you are legally obligated to destroy the data after 90 days (maybe down to 30 if they've sped up the dispute resolution process, but it was 90 when I worked on it), but until then you need the full card data.
We are living in the digital age and failure to properly secure any commercial or governmental computer systems is simply unacceptable and grounds for prosecution of those who are negligent in providing the proper digital security for their operations.