
PCI Security Standards Council: Beware of 'Ghost'

The warning follows a US Department of Homeland Security alert about a critical software vulnerability that poses a serious risk to computer systems.

The United States Department of Homeland Security is warning organizations about a critical software vulnerability called "Ghost" that poses a serious risk to computer systems, according to a PCI Security Standards press release.

The United States Computer Emergency Readiness Team (US-CERT), a division of DHS, says that Ghost affects the Linux GNU C Library (glibc) in versions prior to 2.18. Attackers can exploit this vulnerability through remote code execution, which allows them to take control of a system and potentially delete files, install malware, and carry out any other activity made possible with stolen credentials.

In the release, the PCI Security Standards Council recommended several actions aimed at identifying and mitigating the potential threat posed by Ghost to the security of sensitive payment card data:

  • work with IT departments and partners to identify servers, systems, and appliances that use vulnerable versions of glibc;
  • organizations that are running vulnerable Linux versions should:
    • review the recommendations outlined in Vulnerability Note VU#967332;
    • work closely with IT departments, providers and partners to obtain the appropriate patch (all Linux distribution vendors have patches available to address this vulnerability);
  • implement the patch as soon as possible.

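The first recommended step, identifying hosts that still run a glibc older than 2.18, can be scripted. The following POSIX shell snippet is an added example, not part of the PCI SSC release or the US-CERT note; it reads the installed version from `ldd --version` (assumed to be present on the host) and compares it against the 2.18 threshold quoted above.

```shell
#!/bin/sh
# Added example: flag a glibc version string as a Ghost candidate when it is
# older than 2.18. Returns 0 (true) when the version is below 2.18, 1 otherwise.
# Caveat: distributions backport security fixes without raising the version
# number, so a hit here means "check the vendor patch status", not "confirmed
# vulnerable". Confirm with the package changelog, e.g. rpm -q --changelog glibc.
glibc_is_vulnerable() {
    ver="$1"
    major="${ver%%.*}"
    case "$ver" in
        *.*) rest="${ver#*.}" ;;
        *)   rest="0" ;;          # no dot at all: treat minor as 0
    esac
    minor="${rest%%.*}"
    # Strip a distro suffix such as "2.17-106.el7" -> "17-106" -> "17".
    minor="${minor%%[!0-9]*}"
    [ -z "$minor" ] && minor=0
    if [ "$major" -lt 2 ]; then return 0; fi
    if [ "$major" -eq 2 ] && [ "$minor" -lt 18 ]; then return 0; fi
    return 1
}

# Read the installed glibc version. The first line of `ldd --version` looks
# like "ldd (GNU libc) 2.31" or "ldd (Ubuntu GLIBC 2.31-0ubuntu9) 2.31";
# the last field is the version. Prints nothing if ldd is unavailable.
installed_glibc_version() {
    ldd --version 2>/dev/null | head -n 1 | awk '{print $NF}'
}

# Report this host's status; exit code 2 means the version is unknown.
report_host() {
    ver="$(installed_glibc_version)"
    if [ -z "$ver" ]; then
        echo "glibc version could not be determined (is ldd on PATH?)"
        return 2
    fi
    if glibc_is_vulnerable "$ver"; then
        echo "glibc $ver: older than 2.18, verify vendor patch status for Ghost"
    else
        echo "glibc $ver: at or above 2.18"
    fi
}

report_host
```

Run it from a configuration-management or inventory job across the fleet and feed the "older than 2.18" hits into the patch-verification step that follows.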
To address this type of risk going forward, the release said, organizations should ensure proper implementation of security risk mitigating controls outlined in PCI Data Security Standard 3.0, specifically:

  • review public-facing web applications via manual or automated application vulnerability security assessment tools or methods, such as a web application firewall, to ensure that these applications are protected against known attacks. (PCI requirement 6.6);
  • patch vulnerable systems and conduct quarterly vulnerability scans to determine if appropriate patches are properly installed and effective. (PCI requirements 6.2, 11.2);
  • monitor systems for malicious and abnormal activity and update signatures for intrusion detection and prevention systems. (PCI requirements 10, 11);
  • review third-party service provider relationships, including access to devices and systems, and specifically remote access from outside an organization's network; ensure that partners are addressing all known vulnerabilities (PCI requirements 8, 12).

The PCI SSC release said that a multilayered approach to payment card security addressing people, process and technology is critical in detecting and protecting against emerging attacks and vulnerabilities such as Ghost.

Additionally, the council said that a daily, coordinated focus on maintaining the controls outlined in the PCI Standards — making payment card security a business-as-usual practice — provides a strong defense against data compromise.

The release included links to official US-CERT websites that provide further details:

Vulnerability Note VU#967332

United States Computer Emergency Readiness Team Alert