August 4, 2015

Don’t Fall Victim to Malware

Don’t Fall Victim to Malware

Malware attacks have become increasingly common for merchants who process payments using remote-access systems, according to a recent alert from the Financial Services Information Sharing and Analysis Center (FS-ISAC). In the past year, there has been a significant increase in reports of malware that invades point-of-sale (POS) or property management systems (PMS) and creates a back-end channel, allowing hackers to steal sensitive cardholder data. We recommend that our merchant customers review the full alert to view the full list of recent malware families.

The security alert was a joint effort between the FS-ISAC, the Retail Cyber Intelligence Sharing Center, and the United States Secret Service, with the support of Visa.

In the alert, the FS-ISAC also provided merchants with a list of recommended security measures to ensure that their remote-access payment processing systems are more secure. Hackers typically seek out the “low-hanging fruit” of merchants with weak security systems in place. With a few quick actions, you can make your environment much less vulnerable to malware attacks. Please take note of the following recommendations and make the necessary changes to stay protected from new and evolving security threats.

Login Information

  • Use a multi-factor authentication process. Appendix C of the alert provides detailed instructions for setup.
  • Evaluate and limit the number of third parties who have access to your system.
  • Regularly change login credentials, especially around the holidays.
  • Encourage those who have system access to create complex passwords.
  • Avoid using outdated operating systems that no longer receive updates, such as Windows XP.
  • Enable account locking after multiple failed login attempts.
  • Monitor and report suspicious login activity.

System Access

  • Restrict all Internet access that is not directly related to the essential functions of the POS or PMS.
  • Employ up-to-date firewall, virus protection, and intrusion-prevention systems.
  • Do not rely solely on anti-virus software, as hackers are able to make some malware undetectable.
  • Do not allow external media devices, such as USB drives, to be connected to the terminal.

Shift4 Further Protects You From Malware
In addition to the precautions listed above, the FS-ISAC recommends that merchants employ tokenization and point-to-point encryption (P2PE) to further protect their card data from hackers. Shift4’s DOLLARS ON THE NET® payment gateway provides merchants with unmatched security services, including:

  • TrueTokenization® – Shift4 invented payment data tokenization and was the first company to introduce a tokenization solution to the market. TrueTokenization replaces credit, debit, and gift card transaction data with a randomized, alphanumeric value that is impossible to replicate and meaningless if stolen.
  • True P2PE – Our P2PE solution encrypts card data at the point a payment card interacts with a payment device, so that sensitive cardholder data never enters your system in the first place.


These solutions, along with our full suite of security options, including 4Go®, i4Go®, and 4Res®, provide the best possible protection against data theft for any card-present or card-not-present merchant environment. Even if your system were to become infected with malware, there won’t be any data there that is valuable to hackers. After all, They Can’t Steal What You Don’t Have®.

To learn more about how Shift4 can help secure your environment, contact our Customer Support team at [email protected] or 702.597.2480 (option 2).