RE: “KUHOOK” POINT OF SALE MALWARE

Please read the Visa Security Alert linked here: Visa Security Alert 12 2015

Visa has observed criminal malware aka “Kuhook” designed to steal card holder payment data from point of sale (POS) systems still running the Microsoft Windows XP operating system.  Microsoft retired Windows XP Professional April 2014 and will soon retire Windows XP Embedded January 2016.

Kuhook is some of the most sophisticated and difficult to detect payment card stealing malware Visa has ever seen.

Credit Card Compliance Data Security Standards section 6.2 requires that critical systems be patched and updated to protect against known vulnerabilities, and because this is not possible to do with a retired Microsoft operating system, such as Windows XP,  hackers are taking full advantage and targeting businesses that continue to run these obsolete operating systems.

Here is a link to the PCI Data Security Standards: PCI Data Security Standards 3.0

It’s not worth the risk to roll the dice and hope for the best.  Data breaches continue to be on the rise and are detrimental to businesses that have been identified as a “Common Point of Purchase” of stolen card holder data.

It’s best to comply with the PCI Data Security Standards in regards to keeping critical systems updated. If your business is in a payment environment processing sensitive card holder data and is running a back office computer or touch screen terminal with a retired operating system that cannot be patched or updated to protect against known vulnerabilities, your business is not only failing to meet PCI Data Security Requirements, but is also at serious risk.  Please contact your POS provider as soon as possible and plan a strategy for a successful upgrade path.

Q: How do I know my Business is at Risk?

A: If your business is processing credit cards by swiping cards and/or typing in card numbers on a touch screen computer or back office computer running the Microsoft Windows XP Professional (or older) operating system after April 2014.

A: If your business is processing credit cards by swiping cards and/or typing in card numbers on a touch screen computer or back office computer running the Microsoft Windows XP Embedded (or older) operating system after January 12th 2016.

Please contact your POS provider if you are uncertain which operating systems your payment applications are running on.

RE: INSECURE REMOTE ACCESS AND USER CREDENTIAL MANAGEMENT

Please read the Visa Security Alert linked here: Visa_Security_Alert_070114

Visa has recently observed an increase in malicious remote access activity associated with unauthorized access to merchant Point-of-Sale (POS) environments and ultimately, payment card data.  These attacks are suspected to have occurred as a result of compromised username/login credentials combined with remote management software exposed to the Internet.

The takeaway lesson learned here is not to use “off the self” remote access programs such as LogMeIn, TeamViewer, etc to remote into a payment environment processing credit card transactions.  Intruders are using these programs to gain access to your system.  

Here is a link to a recent article where a restaurant chain was potentially hacked using the LogMeIn account.
http://pciguru.wordpress.com/2014/07/01/the-flaw-in-requirement-8-5-1/

Only use remote access tools that use two-factor authentication.  Here is an example:  When remote accessing your payment processing computer, the first step would be to type in your username & password.  This is the first factor.  The second factor would then be prompted to type in a temporary pin number that is sent to your cell phone via a text message.  This pin number is unique and will expire in a matter of minutes and cannot be used again.  Once you type in the pin number, only then are you in.

Part of Credit Card compliance requires the remote access program to use two-factor authentication.  JCR Systems offers two-factor authentication and includes it with our support plan at no additional cost.  If you are not using our tool, please contact us for assistance.

If you are using a remote access tool such as LogMeIn, TeamViewer, etc, that is not using a second factor to gain access, such as a temporary pin number, this Visa Alert explains the risk for malicious remote access activity.  Please uninstall these programs immediately and contact us for assistance.

In past decades this was the norm, but in recent years they are no longer in the best business practices category because they present a weakness to key loggers and skimmers designed to intercept what is typed in.  If credit cards are swiped through a keyboard wedge emulation card reader, the card holder data encoded on the black magnetic stripe can be sent directly to the key logger or skimmer.  Data Security Breach!  New terminals with built in encrypted card readers are the best way to go to help prevent your customer’s card holder data from being compromised as it’s swiped.

If you are not sure if your card readers are the old keyboard wedge style or not, it’s easy to find out.  Simply plug a keyboard into your terminal and if it’s running a Windows operating system bring up Windows Notepad (or Wordpad or Word).  With the cursor blinking in Notepad type something in using the keyboard and you should see what you are typing in.  Now pull out your credit card and swipe it on the terminal’s card reader.  Upon swiping your card, if you suddenly have a lot of data appearing in notepad, that is your credit card data that is encoded on the black mag stripe on the back of your card.  Time to retire and replace the point of sale terminal with a new generation terminal running an encrypted card reader.

Though these old school card readers are still being manufactured today, best business practices is to use an encrypted card reader, or one with a different interface such as serial that requires special software drivers to properly interface and work with the point of sale software application.

A recent event happened with a retailer’s store in Florida where they found the skimmers the thieves installed on their pos terminals.  You can read the article here Posted October 13th 2013: http://krebsonsecurity.com/2013/10/nordstrom-finds-cash-register-skimmers/

We create customers for life

We are different. We are probably not the low price POS provider. We also do not try to be.

But we 100% guarantee our hardware, software and support.

There are absolute places where we are providing different ways to get you the support that you need – to get you the actionable data that you need – to get you the hardware and software that you need.

But over a five year analysis – we are confident that you will spend less money on buying replacement equipment, on-going support, training service, programming services than you will with the other guys

In our world:  We will never knowingly disappoint you. We value you as a customer. We charge a fair price for excellent systems backed with world class support. We use cutting edge technology to lower our business costs and pass those savings back to you.

We create customers for life. Seriously. We believe in a WIN-WIN relationship. We have unique ways to get the system that you need today to you today and allow for the cash flow that it generates to pay for the system

Real time information is really a difference in the way that a restaurant can profitable operate today.

Technology is changing in a rapid fashion. It has revolutionized the hospitality industry.

Allow us to show you ways to take what you have and what you know and move them into the future.

Little or no downtime. No massive retraining of owners, managers, staff and accountants.

Workstations that are supportable by us for the next 10 years.

Ability to significantly lower your credit card costs yet maintain and achieve the highest level of security and customer trust.

Bottom line: There are vast difference in what JCR Systems can do and what you currently have.

JCR Systems does not want you to make a mistake where you will need to purchase another system long before it is time. We believe in customers for life.

Michael Darby 904-296-8200 ext 210
mailto://mdarby@jcrsystems.com

JCR Systems is the certified Hospitality partner for the Northeast Florida and Southeast Georgia markets.
We have installed over 500 locations with systems to lower their costs, increase their margins and directly and positively impact our customer’s bottom lines.

JCR Systems has been the Aloha representative for over 15 years. During that time Aloha – a software company was purchased by Radiant Systems out of Alpharetta, GA. Radiant Systems is very strong in the hospitality table service, quick service, specialty retail, convenience store vertical markets. Radiant Systems also manufactured their own line of PC based workstations that are designed with the software in mind.

In 2011 – NCR Inc, purchased Radiant Systems. Aloha has now become part of the global leader in technology designed for retail and hospitality customers.
The acquisition has tremendously helped the Aloha brand in today’s rapidly changing technology landscape.

There is a huge push for all things mobile. We have solutions for that. Solutions that focus on mobile solutions for guests, for managers, for owners, for support staff.
Technology is rapidly changing. We are in a position – as the industry leader – to know where the industry is moving and be able to provide research and development along these lines.

Our integrated products are well designed for today as well as the future. You are not buying yesterday’s technology.
Your investment in a system from JCR Systems is safe. NCR is a strong and stable company and rapidly developing tomorrow’s products and delivering them today.

Imagine the world 5 years ago. No iPhones. No androids. Very much a pc based world. Information stuck in a computer. How do you as an owner/manager access that information?
Now think about today and being able to get the information you need – when you need it – from wherever you are. The quality of business decisions simply increase exponentially.

Now think about where you will be in five years. Can the system that you invest in today get you there?
Are you going to use today’s technology – or yesterdays? How are you going to get to the future.

Michael Darby 904-296-8200 ext 210
mdarby@jcrsystems.com

What happens when – you lose internet access? Are you still able to take credit cards? Does your system operate at all?

What happens when – your back office computer crashes? Do the other workstations keep working? What functionality do you lose?

What happens when – you sign up for “free pos”? How long is the contract? Is it for 5 years? What happens if you don’t like the system or the service? How much does it cost you to get out of a “free pos” contract?

What happens when – you sign up for “free gift cards”? Are you tied to a particular credit card processor? What will they charge to move you? Who owns your gift card data?

What happens when – one of your computers breaks? Who fixes it? When? For how long is it covered? What do they fix? What happens when something else breaks shortly after? Who has the parts? Do they have the right part the first time?

What happens when – you want to switch credit card processors? Are you locked into one particular processor?

What happens when – something happens at night or on a weekend? Is there an answering service? Are you speaking directly with a technician? Is the technician able to remotely diagnose and support you?

What happens when – you want your reports and business alerts on your iPhone or Android device? Are you able to see up to the 15 SECOND look at your business? Able to see all of your locations? Be automatically notified of significant comps/voids/promos/exceptions?

What happens when – customers want to order online? Is it a truly integrated solution? Direct to the restaurant’s POS? One credit card batch? Easy to manage and implement? Or does it simply send an email or fax to the restaurant that someone then needs to reenter into your system – duplicate data entry?

What happens when – customers are allowed to pay from their smartphone? Will you see the 7% faster table turns and the 10% higher check averages that other restaurants have seen that have implemented this solution?

What happens when – customers can provide instant feedback on a item by item basis – both good and bad – while still in the restaurant? Would you be able to correct service issues immediately? Be able to identify and correct bad feedback instantly – be able to be alerted and visit the table and solve their dining concerns? Before it gets on Facebook or Yelp?

What happens when – you want to consider iPads for servers? We have them. We also have purpose built handheld devices capable of running an entire shift on one battery, plus be able to survive a drop on the floor – even a submersion into water – (but it is not designed as an underwater POS device.)

What happens when – you hire a new employee? How much time does it take them to get up to speed? Is your POS too complicated?

What happens when – you need to talk about hospitality POS. Give Michael a call. 904-296-8200 ext 210

Michael Darby
mdarby@jcrsystems.com

The positive coverage is no surprise as it echoes the feedback we have received from our customers, and the rigor of their analysis has confirmed many of the findings we have known through customer anecdotes. In summary:
• Restaurant Guard has a meaningful impact on restaurant operations by both stopping theft and improving productivity.
• The decrease in theft is due to Restaurant Guard improving employee behavior, so that existing employees perform more honestly rather than swapping out dishonest employees.
• The research team quantified additional impact (beyond theft prevention) of ~7% increased revenue through improved productivity as good employees stop stealing and, in order to maintain their income, improve performance to sell more and earn higher tips.
• This productivity increase is largely in higher-margin items like drinks, and the revenue increase is almost entirely profit since the restaurants were already absorbing the labor and food cost.
• Importantly, Restaurant Guard’s impact is not just a short term improvement and the results are sustained over time.

Read the full article here
http://nyti.ms/18HRDKI

Michael Darby
mdarby@jcrsystems.com

In this Newsletter

• MasterCard Unique Terminal ID Requirement
• Healthcare Requirements Coming in 2015
• P2PE Reduces the Risk of Cardholder Data Breaches
• PCI PA-DSS Status of NCR Aloha Payment Applications
• Is a ZIP Code Considered “Personal Identification Information”?