WSJ: Visa Issues Cash-Register Flaw Warning

The U.S. arm of credit and debit card giant Visa International has issued an alert for flaws in cash-register software made by Fujitsu that puts cardholder information at risk.

The U.S. arm of credit and debit card giant Visa International has issued an alert for flaws in cash-register software made by Fujitsu Transaction Solutions that could put sensitive cardholder information at risk.

According to a report in The Wall Street Journal, the bug can cause the inadvertent storage of customer data—including secret PINs—within the point-of-sale software installed in retail locations.

The report said Visa USA sent the warning to "merchant acquirers" that process card transactions for some of the biggest names in retail and urged users to apply a software upgrade from Fujitsu to fix the flaw.

Officials from Visa USA and Fujitsu could not be reached for comment at press time but, according to the newspaper, the confidential alert was sent several days ago to raise awareness about the bug.

A Fujitsu spokesperson quoted by the Journal denied the software was being used in data theft attacks and disagreed with Visas decision to issue the warning. "There is no incident that Im aware of. There is no breach of anything," the spokesperson said, noting that the software in question, which was not identified, doesnt allow retailers to store sensitive customer information. Instead, he said other tools can be installed and linked to the Fujitsu software that could permit the tracing or storage of sensitive, encrypted data.

According to a recent research report by Gartner analyst Avivah Litan, retailers in the United States incorrectly store PIN information and data on point-of-sale terminals instead of destroying the data as required by card industry guidelines.

Although the data is encrypted into PIN blocks, Litan explained that the decryption keys are usually stored on the same network, meaning that a malicious hacker can break into a computer system and steal thousands of PINs tied to sensitive customer information.


Ziff Davis Media eSeminars invite: Learn how to proactively shield your organizations against threats at all tiers of the network. Symantec will show you how, live on March 21 at 4 p.m. ET. Sponsored by Symantec.

Litan believes that this type of reckless PIN storage is the root cause of a recent ATM fraud attack that targeted Citibank customers.

Earlier this month, Citibank confirmed it was blocking some customer transactions in Canada, the United Kingdom and Russia because of fraudulent transactions stemming from a past security breach affecting Citibank customers.

The bank shut off the cards after finding fraudulent ATM cash withdrawals on Citibank-branded MasterCard credit and debit cards in those countries and said the transactions are linked to accounts that may have been compromised in a security breaches at unnamed "retailers in the U.S."

In February, Bank of America, MasterCard International and Visa all informed banks that a security breach at a U.S. retailer had exposed some customer accounts.


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.