CONTINUE TO SITE »
or wait 15 seconds

News

PCI Security Standards Council: Beware of 'Ghost'

The warning follows a US Department of Homeland Security alert about a critical software vulnerability that poses a serious risk to computer systems.

February 2, 2015

The United States Department of Homeland Security is warning organizations about a critical software vulnerability called "Ghost" that poses a serious risk to computer systems, according to a PCI Security Standards press release.

The United States Computer Emergency Readiness Team, a division of DHS, says that Ghost affects Linux GNU C Library versions prior to version 2.18. Hackers can exploit this vulnerability through the remote execution of code that allows them to take control of a system and potentially delete files, install malware, and carry out any other activity made possible with stolen credentials.

In the release, the PCI Security Standards Council recommended several actions aimed at identifying and mitigating the potential threat posed by Ghost to the security of sensitive payment card data:

  • work with IT departments and partners to identify servers, systems, and appliances that use vulnerable versions of glibc.
  • organizations that are running vulnerable Linux versions should:
    •  review recommendations outlined in Vulnerability Note VU#967332.
    • work closely with IT departments, providers and partners to obtain the appropriate patch (all Linux distribution vendors have patches available to address this vulnerability).
  • implement the patch as soon as possible.

To address this type of risk going forward, the release said, organizations should ensure proper implementation of security risk mitigating controls outlined in PCI Data Security Standard 3.0, specifically:

  • review public-facing web applications via manual or automated application vulnerability security assessment tools or methods, such as a web application firewall, to ensure that these applications are protected against known attacks. (PCI requirement 6.6);
  • patch vulnerable systems and conduct quarterly vulnerability scans to determine if appropriate patches are properly installed and effective. (PCI requirements 6.2,11.2);
  • monitor systems for malicious and abnormal activity and update signatures for intrusion detection and prevention systems. (PCI requirements 10, 11);
  • review third-party service provider relationships, including access to devices and systems, and specifically remote access from outside an organization's network; ensure that partners are addressing all known vulnerabilities (PCI requirements 8, 12).

The PCI SSC release said that a multilayered approach to payment card security addressing people, process and technology is critical in detecting and protecting against emerging attacks and vulnerabilities such as Ghost.

Additionally, the council recommended a daily coordinated focus on maintaining the controls outlined in the PCI Standards — making payment card security a business as usual practice — provides a strong defense against data compromise. 

The release included links to official US-CERT websites that provide further details:

Vulnerability Note VU#967332

United States Computer Emergency Readiness Team Alert

Related Media

Security
Examining biggest ATM security issues and 4 strategies to prevent them
Security
Banking privacy: 5 benefits for banks, customers
Security
Protecting an ATM's hardware, software by slowing down criminals
On-Demand Webinar
A Masterclass in ATM Security: Global Best Practices and Trends
Presented by Diebold Nixdorf

Software
Top 10 ATM software solutions
Software
Examining the past, present and future of XFS
Commentary
ATM features: 5 to include
Special Report
2024/25 ATM & Self-Service Software Trends
Presented by KAL ATM Software GmbH
Recent Posts
Eurasian Bank selects Diebold Nixdorf's self-service software
Replacing the ATM: Pros and cons of new vs. remanufactured
Romanian man arrested for alleged cash trapping ATM scheme
First National Bank to open 30 branches
U.S. Bank resumes crypto custody services


©2025 Networld Media Group, LLC. All rights reserved.
b'S2-NEW'