This article is intended for distribution via print or PDF to restaurants that have been suspected or designated as a Common Point of Purchase (CPP) by their Merchant Service Processor (MSP), Independent Sales Organization (ISO), Federal Law Enforcement (USSS or FBI) and/or one or more Credit Card Signature Brands (Card Brands). The language and perspective of this article assume that the reader is the Merchant entity that has been designated a CPP, and it should be read as such. Furthermore, this article is the recommended best practice of Focus POS California. The Merchant entity is required to follow all remediation procedures as designed by its MSP, Federal Law Enforcement and/or Card Brands, per the terms of its Merchant Processing Agreement. Any procedures provided by the above-referenced entities that conflict with the Best Practice Recommendations below take precedence and must be followed. Lastly, it is the Merchant entity's responsibility to ensure compliance with all Payment Card Industry Security Standards Council (PCI-SSC) mandates, rules and procedures. Focus POS California can provide guidance and assistance to Merchant entities that need help following those mandates, rules and procedures.
If contacted by one of the entities defined above, your Merchant Processing Agreement requires you to follow their instructions and procedures. For the purposes of this Best Practice Recommendation, we'll use the term Notifying Entity (NE) to identify the entity above that has notified you that you are a CPP.
How did this happen?
The most common question once you've been designated a CPP is: how did this happen? It's important to understand that your FOCUS software most likely has not been hacked, breached or cracked. The FOCUS software is designed so that the cardholder data contained within the system is encrypted using encryption methods that exceed industry standards. Further, FOCUS is validated by the PCI-SSC on a regular basis to make sure we comply with all industry best practices for safeguarding cardholder data.
The most common way for a business to be designated a CPP and to have cardholder data leaking is "malware" that has been installed on the operating system of its POS terminals. Malware can be introduced in several different ways, and in some cases completely innocently. For example, malware can be transmitted via email. If you have an office computer and opened an email with an attachment, or clicked on a link, it's possible that malware was introduced to your network and traveled its way to your POS system. Another, newer, but just as effective way of getting malware onto your system is having that malware present on a susceptible smartphone, plugging that smartphone into your system to charge, and having the malware transmitted into your system. The point is that there are multiple ways malware could get into your system, and in the end there is only so much you can do to mitigate it.
What do I do now?
Below is a summary of recommended best practices, broken into stages that tend to conform to the PCI-SSC Procedures for Breach Remediation.
- Ideally you will be provided a date range from NE and some suspected card numbers. Using that information, you'll want to confirm that those card numbers were used on your system during that date range.
- Use the FOCUS Check Viewer to search for the date range and last four digits of the card number to make this confirmation.
- If checks are found in your system matching the provided card numbers, it is likely that you are a CPP and you should proceed to the next step.
- If checks are not found in your system, this indicates that your system did not transact these cards. You should provide this information back to your NE that your system has no evidence of these cards being transacted and request more information from them.
- Once you've confirmed that you are a CPP, the most important step is to verify containment.
- Containment is the act of securing your system and making sure that no additional card data is being leaked out of your system.
- Containment, while an important step, can also be challenging.
- The quickest way, and our Best Practice Recommendation, to verify containment is to replace the solid state drives (SSDs) on your FOCUS Workstations with freshly imaged & configured drives.
- The malware residing on your system and leaking the cardholder data is really just software installed in Windows on those SSDs. By replacing those SSDs with fresh ones, that software goes away.
- The other advantage of replacing the SSDs is that the old SSDs can be retained in an undisturbed condition and therefore, if requested, can be provided to the NE.
- There are alternative ways to verify containment beyond the above Recommendation. Contact the FOCUS Helpdesk to discuss alternatives. Please bear in mind that alternative ways to verify containment are likely to be more costly than the Recommendation above.
- In the letter or communication that was sent to you by the Notifying Entity, there may be a line about Implementing a Firewall with Strict Inbound and Outbound Filtering. If your Notifying Entity is making this suggestion, FOCUS can assist by implementing a FOCUS SecureSite Router. Contact the FOCUS Helpdesk for more info about SecureSite.
- After containment has been verified, the next step is to Resolve the problem. Since our Recommendation for containment is to replace the SSDs that contained the malware, that step in and of itself will resolve the leak.
- If alternative containment methods are used, there may be additional steps needed to resolve the leak including enhanced virus & malware scans, network modifications, equipment modifications and/or intrusion scans.
Moving Forward
- After your restaurant has been designated a CPP and you've followed the Identification, Containment & Resolution steps you are in a position to move forward and continue on with business.
- While it may not feel like business-as-usual it typically is. Data leaks and breaches happen every day to companies. Most of these companies are much larger than your average restaurant and have extensive IT departments and Information Security departments in place to manage their systems.
- One way to make sure a problem like this doesn't happen in the future is to take your POS System Out of Scope.
- Out of Scope is a term used in the industry to say that the payment processing component of your POS System is not within the PCI-SSC's wheelhouse, because cardholder data does not pass through your system in an unencrypted format.
- Over the past few years, there have been significant advancements in making it easy for you to move your payment processing component to be Out of Scope.
- In some scenarios, making this change will not directly impact how you use your FOCUS system in any way.
- In other scenarios, moving to an Out of Scope payment processing component may also allow you to start accepting chip cards, Apple Pay, Google Pay and other modern digital payments.
- Your FOCUS Solution Consultant or the FOCUS Client Operations Team can provide more info on moving to an Out of Scope payment component.
- For more technical readers: the FOCUS Out of Scope solution includes the installation of P2PE payment devices, be it a P2PE MSR or a P2PE Adjunct Payment Terminal. Costs for these P2PE devices differ based on several variables, and your FOCUS Solution Consultant or the FOCUS Client Operations Team can provide more info.
- If your restaurant is on FocusPayments and is not already set up with an Out of Scope Payment Component, a quick call to the FOCUS Client Operations Team can get that set up for you. Clients on FocusPayments can be upgraded to an Out of Scope payment component at no additional charge.
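The Identification step above (confirming whether the NE's suspected card numbers were transacted on your system during the supplied date range) can also be done against an exported check list rather than by hand in the Check Viewer. The script below is an added example, not Focus POS code; it assumes a constructed CSV export with a close date, check number and masked card number, and it only ever handles the last four digits, never a full card number.

```python
"""Identification-step helper: do our check records contain the NE's
suspected cards inside the NE's date range?

Added example, not part of the FOCUS product. The CSV layout is an
assumption; adapt the column names to whatever your export produces.
"""
import csv
import io
from datetime import date

# Constructed sample export. Only masked card numbers appear; the full PAN
# is never needed for this check and should not be exported.
SAMPLE_EXPORT = """\
close_date,check_no,card_mask,amount
2023-04-02,1041,************4321,42.10
2023-04-03,1058,************9876,18.75
2023-04-20,1199,************4321,61.00
2023-05-01,1301,************1111,9.99
"""


def parse_export(text):
    """Turn the CSV text into records with a date object and the last four digits."""
    return [{"close_date": date.fromisoformat(r["close_date"]),
             "check_no": r["check_no"],
             "last4": r["card_mask"][-4:],
             "amount": float(r["amount"])}
            for r in csv.DictReader(io.StringIO(text))]


def find_suspect_checks(rows, suspects, start_iso, end_iso):
    """Checks whose card ends in a suspected last-four and whose close date
    is inside the NE's window (inclusive on both ends)."""
    wanted = {s[-4:] for s in suspects}  # accept "4321" or "****4321" alike
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    return [r for r in rows
            if r["last4"] in wanted and start <= r["close_date"] <= end]


def identification_summary(export_text, suspects, start_iso, end_iso):
    """What to report back to the NE: which suspected cards were seen and
    which were not. A last-four match alone is only a lead (many cards share
    the same last four), so report the check numbers as well for follow-up."""
    hits = find_suspect_checks(parse_export(export_text), suspects, start_iso, end_iso)
    seen = sorted({h["last4"] for h in hits})
    not_seen = sorted({s[-4:] for s in suspects} - set(seen))
    return {"matched_checks": [h["check_no"] for h in hits],
            "cards_seen": seen, "cards_not_seen": not_seen}


if __name__ == "__main__":
    print(identification_summary(SAMPLE_EXPORT, ["4321", "1111"], "2023-04-01", "2023-04-30"))
```

If every suspected card lands in cards_not_seen, that is the evidence to hand back to the NE when requesting more information; any matched check is the trigger to move on to containment.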