Tracer Utility Is Likely Culprit In Visa’s Fujitsu POS Security Alert

Written by Evan Schuman
March 20th, 2006

A commonly used testing utility is apparently behind the security alert that Visa issued late last week claiming Fujitsu retail point-of-sale software may have a problem.

Shortly after Visa?the owner of the world’s largest electronic payments network?issued an alert warning retailers about security problems with POS software issued by Fujitsu Transaction Solutions, Fujitsu officials said the alert was inappropriate.

“I think the Visa alert that was put out was somewhat misleading” in that it implied all Fujitsu POS software has problems, said Ed Soladay, the FTS’ chief operating officer. “It was not fully correct in the way they put things” in the confidential advisory.

Soladay said?and a Visa official later confirmed?that the problem was not with the core POS package that Fujitsu sells to retailers, but with a free tracer utility that many POS packages include.

The utility’s purpose is for internal testing of the credit card transaction process and to help with identifying problems during installation and maintenance. It is intended “to be used in trials to fix any bugs that can possibly come up,” Soladay said.

Soladay said Fujitsu instructs retail customers to be very conservative in how they use the utility. “When they do use these, they don’t use them for very long,” he said, adding that he tells retailers that it is especially critical that they “don’t use it in a live environment for very long.”

The concern is that such a utility could capture confidential credit card information, in violation of Visa retail security procedures, Visa said.

Visa issued a statement March 17 explaining its confidential advisory and summarizing its concerns.

“In instances where any point-of-sale software or modification of it has a potential to put cardholder data at risk, Visa issues alerts to its member financial institutions so that they can take action to prevent the storage of such data,” the Visa statement said. “In this instance, we provided a confidential alert to a limited number of financial institutions advising them that a particular configuration of certain software could cause it to store cardholder data. We further advised them of the existence of a software upgrade designed to address the problem.”

What is less clear is how the situation came to Visa’s attention, as both Visa and Fujitsu say that they are not aware of any security breach or data theft associated with this incident. One Visa official said it might have become known when a retailer using the utility engaged in a required security audit and that audit noted the potential problem.

A story about the incident in the March 17 edition of The Wall Street Journal said the Visa memo identified the Fujitsu software in question as RAFT and GlobalStore.

Soladay said the memo was so specific as to the version of the software used that it had identified the retailer involved because only one customer was using that software, he said.

“They listed a particular software version that is only installed” at one unidentified chain, Soladay said. “I think they picked on one client that is using our tracing utility in a live environment.”

Soladay put much of the blame on the retail chain, saying that it’s not Fujitsu’s fault “if someone chooses to download a utility” or “make use of any utility that we provide.”

Soladay added that Fujitsu sometimes will provide a copy of the TraceMon utility to customers who ask for such a utility. That apparently happened with this retailer, according to Soladay and someone working with Visa who asked that his name not be used.

The utility’s use in a live environment could “store inappropriate data,” said the Visa official. “That’s the thing that the hackers are looking for.”

“Every retailer uses logging in a different manner” and it can allow for “the retention of the full track data,” which would include information that Visa prohibits being stored, Soladay said.

Visa said that a Fujitsu upgrade addressed the situation but that the customer?at the time?had not deployed the upgrade.


Comments are closed.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.