For those who are unaware, payment terminals, especially older ones, generally do not have remote update functionality anyway. Even for modern ones that do, I've heard from point of sale vendors that maybe 25% at most of their terminals in the field are reachable, often because of not enabling the feature to avoid breaking tested systems at random times, segmented networks, and firewalls, and so on.
Getting rid of older terminal software generally involves replacing the terminal, because shipping a USB securely under dual control to a pizza shop franchise owner and expecting him to update his terminal's firmware successfully generally doesn't work. The people involved aren't technical experts.

Also, for those suggesting modifications to the terminal systems themselves, be aware that there are extensive audit or validation requirements for any software or configuration changes on payment terminals. A new PCI PA-DSS audit is not going to be completed in 4 days.

The financial services industry is extremely complicated, and has all sorts of warts that I'm not even going to try to defend, but for those unfamiliar with it, I'd caution against proposing impractical solutions that could very well do far more harm than good. Yes, these businesses should have done a far better job avoiding this problem, but the risk related to issuing a limited number of carefully controlled certificates must be balanced against the reality of denying thousands of small, medium and large businesses the ability to accept cardholder transactions.

-Tim

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+thollebeek=trustwave....@lists.mozilla.org] On Behalf Of Steve
Sent: Wednesday, February 24, 2016 9:16 AM
To: Rob Stradling; Peter Gutmann
Cc: Gervase Markham; [email protected]; Kathleen Wilson; Richard Barnes
Subject: Re: Proposed limited exception to SHA-1 issuance

Their path to avoid disruption to consumers on Sunday is the 9 gateways, not the 10,000+ terminals. Pushing firmware to devices that handle money in a hurry would show very poor security and privacy posture. I don't want yesterday's build in my wallet.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

