Skip to main content

"Backoff" Update -- More Widespread, PCI Council Issues Call to Action -- If You Accept Credit Cards Via Point-of-Sale, You Need to Read This

Written by Cynthia Larose

Some weeks ago, we wrote a piece "What You Need to Know About Backoff Malware:  The New Threat Targeting Retailers" .   It's apparently gotten worse.   Any business utilizing point-of-sale (POS) terminals for "swiping" credit cards needs to pay attention to this threat and assess vulnerability.  Hospitals, physicians' offices, veterinary clinics,  colleges and universities, municipalities -- everyone -- not just retailers.    Read on.

Since our piece was published, it has become known that the Backoff malware or one of its multiple variants has been responsible for over 1,000 breaches of credit card information, including the Target mega-breach and two of the most recent, Supervalu and United Parcel Service.    In fact, the fear is that is it so widespread, that the Department of Homeland Security and the US Secret Service issued a warning to retailers -- regardless of size -- to check their POS systems.

Now the Payment Card Industry (PCI) Council has weighed in with a statement strongly urging companies -- "as a matter of urgency" -- to take steps to examine POS systems.   Retailers should ensure that they have the most up to date versions of antivirus software installed to detect "Backoff" and run the solution immediately.   If you rely on service providers, ask.  Do not "rely" on the third party service provider to manage without oversight.   The PCI Council also suggests that retailers review all system logs for strange or unexplained activity, especially large data files being sent to unknown locations.   Requiring all default and staff passwords on systems and applications to be updated and providing good guidance on choosing a secure password set to current standards are also recommended.  The key message here is that merchants should be taking charge -- remember:  you can outsource the process or the support functions, but you cannot outsource the liability.   Retailers -- or any entities accepting credit cards -- are the "merchant of record" and the last line of defense between the hacker and the customer's credit card.
According to the PCI Council statement:  "Attacks of this kind underscore the critical importance of a multi-layered approach to payment card security that addresses people, process and technology," said the council in a statement. "PCI Standards provide layers of defense to ensure businesses can prevent, defend and detect attacks on their systems. A daily coordinated focus on maintaining these controls—making payment card security a business as usual practice—provides a strong defense against data compromise."

Regarding malware specifically, organizations should review the following security risk mitigating control areas outlined in PCI Data Security Standard (PCI DSS) 3.0:

Proper firewall configuration – Requirement 1

Changing vendor defaults and passwords on devices and systems – Requirement 2

Regularly updating anti-virus protections – Requirement 5

Patching systems – Requirement 6

Limiting access and privileges to systems – Requirements 7, 9

Requiring 2-factor authentication and complex passwords – Requirement 8

Inspection of POS devices – Requirement 9

Monitoring systems to allow for quick detection – Requirements 10, 11

Implementing sound security policies for preventing intrusions that may allow malware to be injected – Requirement 12


PCI DSS standards provide layers of defense to ensure businesses can prevent, defend and detect attacks on their systems. The PCI Council advises that daily coordinated focus on maintaining these controls, making payment card security a business as usual practice — provides a strong defense against data compromise.

Reliance on and managing third party provider access remains a challenge for organizations, stated the Council.  Merchants should reference guidance recently published by the PCI Council's Special Interest Group which outlines a plan for managing risk and securing data -- in advance of a liability shift which comes into play next year.  Find discussion of that report here.


Subscribe To Viewpoints


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.