Tracer Utility Is Likely Culprit In Visa’s Fujitsu POS Security Alert
Written by Evan SchumanA commonly used testing utility is apparently behind the security alert that Visa issued late last week claiming Fujitsu retail point-of-sale software may have a problem.
Shortly after Visa?the owner of the world’s largest electronic payments network?issued an alert warning retailers about security problems with POS software issued by Fujitsu Transaction Solutions, Fujitsu officials said the alert was inappropriate.
“I think the Visa alert that was put out was somewhat misleading” in that it implied all Fujitsu POS software has problems, said Ed Soladay, the FTS’ chief operating officer. “It was not fully correct in the way they put things” in the confidential advisory.
Soladay said?and a Visa official later confirmed?that the problem was not with the core POS package that Fujitsu sells to retailers, but with a free tracer utility that many POS packages include.
The utility’s purpose is for internal testing of the credit card transaction process and to help with identifying problems during installation and maintenance. It is intended “to be used in trials to fix any bugs that can possibly come up,” Soladay said.
Soladay said Fujitsu instructs retail customers to be very conservative in how they use the utility. “When they do use these, they don’t use them for very long,” he said, adding that he tells retailers that it is especially critical that they “don’t use it in a live environment for very long.”
The concern is that such a utility could capture confidential credit card information, in violation of Visa retail security procedures, Visa said.
Visa issued a statement March 17 explaining its confidential advisory and summarizing its concerns.
“In instances where any point-of-sale software or modification of it has a potential to put cardholder data at risk, Visa issues alerts to its member financial institutions so that they can take action to prevent the storage of such data,” the Visa statement said. “In this instance, we provided a confidential alert to a limited number of financial institutions advising them that a particular configuration of certain software could cause it to store cardholder data. We further advised them of the existence of a software upgrade designed to address the problem.”
What is less clear is how the situation came to Visa’s attention, as both Visa and Fujitsu say that they are not aware of any security breach or data theft associated with this incident. One Visa official said it might have become known when a retailer using the utility engaged in a required security audit and that audit noted the potential problem.
A story about the incident in the March 17 edition of The Wall Street Journal said the Visa memo identified the Fujitsu software in question as RAFT and GlobalStore.
Soladay said the memo was so specific as to the version of the software used that it had identified the retailer involved because only one customer was using that software, he said.
“They listed a particular software version that is only installed” at one unidentified chain, Soladay said. “I think they picked on one client that is using our tracing utility in a live environment.”
Soladay put much of the blame on the retail chain, saying that it’s not Fujitsu’s fault “if someone chooses to download a utility” or “make use of any utility that we provide.”
Soladay added that Fujitsu sometimes will provide a copy of the TraceMon utility to customers who ask for such a utility. That apparently happened with this retailer, according to Soladay and someone working with Visa who asked that his name not be used.
The utility’s use in a live environment could “store inappropriate data,” said the Visa official. “That’s the thing that the hackers are looking for.”
“Every retailer uses logging in a different manner” and it can allow for “the retention of the full track data,” which would include information that Visa prohibits being stored, Soladay said.
Visa said that a Fujitsu upgrade addressed the situation but that the customer?at the time?had not deployed the upgrade.