Verifone MX900 Series Potential Security Vulnerability

Nov 2, 2017 | Security

Worldpay recently distributed a security advisory on the VeriFone 900 Series terminals.  Reposted here for your benefit.

Terminal Security Advisory

Verifone MX900 Series Potential Security Vulnerability – IMMEDIATE ACTION ADVISED

As your payment processor, we want to make sure you are aware of a potential issue that Verifone has identified: a vulnerability in the MX900 series terminal.

Verifone has not detected any malicious activity or a breach, and the integrity of the terminal is not otherwise compromised. However, to help avoid exposure to risk, we are proactively providing you with mitigation procedures that Verifone has provided to us.

Please follow the steps below to help minimize the impact on your payments environment and business operations:

Step 1: Change the default password provided for your MX900 series PIN pad.

Note: This is a standard best practice to help ensure that your credentials and account are not compromised. This step is also a Payment Card Industry Data Security Standard (PCI DSS) requirement.

Step 2a: If you currently use Verifone HQ (also known as VHQ) to update your MX900 series PIN pad, the most current VHQ Agent must be installed before you take any further action. You can determine which Agent you currently have installed by contacting Verifone at the usual support number for your device(s).

Verifone has indicated that the following is a list of the current VHQ Agents. If you identified one of the following as your current Agent, proceed to Step 3. Otherwise, install one of the versions below and then proceed to Step 3. Please contact Verifone at the usual support number for your device(s) if you require installation guidance.

  • R9 2.9.34
  • R10 2.10.24
  • R11 2.11.37

Step 2b: If you are not currently using VHQ to update your MX900 series PIN pad, proceed to Step 3.

Step 3: Download the Security Hot Fix patch and/or run the Operating System (OS) Upgrade.

Contact your software or support provider to gain access to the security patch and/or to upgrade your OS. A matrix of instructions has been provided below.

How to identify what OS version you are running on your MX900 terminal:

Refer to Section 4 of the provided MX900 Series Reference Manual for instructions on how to locate your OS version. Once located, follow the security measures outlined in the table below.

You can also access your system mode by following the steps below:

  1. Press 7 and ENTER
  2. Enter the unique password that you selected, or the 6-digit default password originally provided to you if you have not changed the default.
  3. Press Information and Basic Information
  4. Scroll down to “Build”

Follow the security measures outlined below based on your OS Version.

OS Version | Required Security Measures                                               | Recommended Action
2012.0625  | Upgrade your OS to 3014.0200 and install the 0200 Security Hot Fix patch | Upgrade your OS to 3025.1000
3014.0200  | Install the 0200 Security Hot Fix patch                                  | Upgrade your OS to 3025.1000
3014.5100  | Upgrade your OS to 3014.5200 and install the 0200 Security Hot Fix patch | Upgrade your OS to 3025.1000
3014.5200  | Install the 0200 Security Hot Fix patch                                  | Upgrade your OS to 3025.1000
3041.0XXX  | Install the 0200 Security Hot Fix patch                                  | Upgrade your OS to 3041.1100 when available (the upgrade schedule is not available at this time)

Step 4: Proceed with processing transactions on your terminal and ensure that you incorporate standard measures to help prevent exploitation of your payment terminals.
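For a merchant with more than a handful of PIN pads, Steps 1 through 3 are easier to track as a fleet triage than one terminal at a time. The script below is an added example written for this post, not Verifone or Worldpay tooling: it encodes the current VHQ Agent list and the OS version matrix from the advisory and returns the prescribed actions for each terminal. The inventory records are constructed sample data, and the reading of "3041.0XXX" as a wildcard over the last three digits is an assumption.

```python
# Added example for this post (not Verifone/Worldpay tooling): triage a fleet of
# MX900 terminals against the advisory's Steps 1-3. Inventory data is constructed.
import re

CURRENT_VHQ_AGENTS = {"2.9.34", "2.10.24", "2.11.37"}   # Step 2a: current agents

# Step 3 matrix: (OS build pattern, required measure, recommended action).
# The advisory's "3041.0XXX" is read as a wildcard over the last three digits (assumption).
HOTFIX = "Install the 0200 Security Hot Fix"
OS_MATRIX = [
    (r"2012\.0625", "Upgrade OS to 3014.0200 and " + HOTFIX, "Upgrade OS to 3025.1000"),
    (r"3014\.0200", HOTFIX, "Upgrade OS to 3025.1000"),
    (r"3014\.5100", "Upgrade OS to 3014.5200 and " + HOTFIX, "Upgrade OS to 3025.1000"),
    (r"3014\.5200", HOTFIX, "Upgrade OS to 3025.1000"),
    (r"3041\.0\d{3}", HOTFIX, "Upgrade OS to 3041.1100 when available"),
]

def triage(build, uses_vhq=False, agent=None, password_changed=False):
    """Ordered actions the advisory prescribes for one terminal."""
    actions = []
    if not password_changed:                           # Step 1 (also PCI DSS req. 2)
        actions.append("Change the default PIN pad password")
    if uses_vhq and agent not in CURRENT_VHQ_AGENTS:   # Step 2a: agent must be current first
        actions.append("Install a current VHQ Agent (2.9.34, 2.10.24 or 2.11.37) before patching")
    for pattern, required, recommended in OS_MATRIX:   # Step 3
        if re.fullmatch(pattern, build):
            actions += [required, recommended]
            break
    else:
        # The advisory lists only affected builds; anything else (even the 3025.1000
        # upgrade target) is flagged for confirmation rather than assumed fixed.
        actions.append(f"Build {build} not in advisory matrix; confirm with support provider")
    return actions

# Constructed sample inventory, not real terminals.
INVENTORY = [
    {"id": "lane-01", "build": "3014.5100", "uses_vhq": True, "agent": "2.10.24"},
    {"id": "lane-02", "build": "3041.0317", "uses_vhq": True, "agent": "2.9.12"},
    {"id": "lane-03", "build": "3025.1000", "password_changed": True},
]

def triage_fleet(inventory):
    """Map terminal id -> actions so the whole fleet can be reviewed at once."""
    return {t["id"]: triage(t["build"], t.get("uses_vhq", False), t.get("agent"),
                            t.get("password_changed", False)) for t in inventory}
```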

Below are the PCI Data Security Standards that are applicable to all merchants that accept or process payment cards. Please ensure that you follow all requirements listed below to help ensure the integrity of your MX900 terminal and your payments environment.

GOALS                                        | PCI DSS REQUIREMENTS
Build and Maintain a Secure Network          | 1. Install and maintain a firewall configuration to protect cardholder data
                                             | 2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data                      | 3. Protect stored cardholder data
                                             | 4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program  | 5. Use and regularly update anti-virus software or programs
                                             | 6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures     | 7. Restrict access to cardholder data by business need-to-know
                                             | 8. Assign a unique ID to each person with computer access
                                             | 9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks          | 10. Track and monitor all access to network resources and cardholder data
                                             | 11. Regularly test security systems and processes
Maintain an Information Security Policy      | 12. Maintain a policy that addresses information security for employees and contractors

Source: Maintaining Payment Security, PCI Security Standards Council website, accessed September 20, 2017.