
PCI Council Warns About “GHOST” Vulnerability

February 4, 2024         By: Melanie Macinas

The PCI Security Standards Council has released several recommendations on how to identify and mitigate a critical software vulnerability that could affect the security of sensitive payment card information.

The US Department of Homeland Security recently warned organizations about “GHOST” (CVE-2015-0235), a critical software vulnerability that poses a serious threat to computer systems.

“GHOST” is a heap-based buffer overflow in the GNU C Library (glibc), the core system library used by most Linux distributions. It affects glibc versions 2.2 through 2.17. The bug was fixed upstream in glibc 2.18 in May 2013, but the fix was not recognised as a security fix at the time, so many long-term-support distributions had not backported it.

The overflow sits in the internal function __nss_hostname_digits_dots(), which is reached through gethostbyname() and gethostbyname2() and their _r variants. Any application that resolves an attacker-supplied hostname through these calls (mail servers and web applications are typical examples) can be made to overflow a heap buffer by a remote attacker. In the worst case this gives remote code execution with the privileges of the affected process, after which the attacker can read or delete files, install malware and otherwise do anything that process or account is allowed to do, much as with stolen credentials.

The PCI SSC is urging merchants to work with their IT departments and/or partners to identify all servers, systems, and appliances that use vulnerable glibc versions.

Those running vulnerable glibc versions are advised to obtain the appropriate patch from their vendors and implement it immediately. Because glibc is loaded into nearly every running process, installing the updated package is not enough on its own: every process that still has the old library mapped must be restarted, or the system rebooted, before the fix actually takes effect.
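The identification step above can be checked directly on a host instead of being inferred from package versions alone. The C program below is an added example written for this article, not PCI SSC's or the page's own code. It follows the approach of the public proof-of-concept test for CVE-2015-0235: it calls gethostbyname_r() with an all-digit hostname sized so that a vulnerable glibc's under-counted buffer size fits exactly, then checks whether a sentinel placed immediately after the buffer was overwritten. The names ghost_probe, CANARY and the three return codes are this example's own.

```c
#define _GNU_SOURCE          /* expose gethostbyname_r() in <netdb.h> */
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Prototype restated so the probe also builds under strict -std= modes
 * where <netdb.h> hides the GNU/BSD extension. */
int gethostbyname_r(const char *name, struct hostent *ret, char *buf,
                    size_t buflen, struct hostent **result, int *h_errnop);

#define CANARY "in_the_coal_mine"

/* Return codes of ghost_probe() (names chosen for this example). */
enum { GHOST_NOT_VULNERABLE = 0, GHOST_VULNERABLE = 1, GHOST_INCONCLUSIVE = 2 };

/* Resolver scratch buffer with a sentinel placed immediately after it.
 * A vulnerable glibc writes up to sizeof(char *) bytes past the end of
 * the buffer and therefore overwrites the sentinel. */
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} probe;

int ghost_probe(void)
{
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    char name[sizeof(probe.buffer)];

    memset(&probe, 0, sizeof probe);
    memcpy(probe.canary, CANARY, sizeof CANARY);

    /* The faulty size calculation in __nss_hostname_digits_dots() omitted
     * sizeof(*h_alias_ptr), one pointer. Build an all-digit name (parsed as
     * an IPv4 literal, so no DNS traffic is generated) whose length makes
     * the under-counted total fit the buffer exactly: the real writes then
     * spill one pointer's worth past the end, onto the canary. */
    size_t len = sizeof(probe.buffer)
               - 16 * sizeof(unsigned char)   /* host_addr[16]    */
               - 2 * sizeof(char *)           /* h_addr_ptrs[2]   */
               - 1;                           /* terminating NUL  */
    memset(name, '0', len);
    name[len] = '\0';

    int rc = gethostbyname_r(name, &resbuf, probe.buffer, sizeof probe.buffer,
                             &result, &herrno);

    if (memcmp(probe.canary, CANARY, sizeof CANARY) != 0)
        return GHOST_VULNERABLE;          /* sentinel clobbered */
    if (rc == ERANGE)
        return GHOST_NOT_VULNERABLE;      /* fixed glibc: "buffer too small" */
    return GHOST_INCONCLUSIVE;            /* another libc or code path */
}

int main(void)
{
    static const char *verdict[] = { "not vulnerable", "VULNERABLE", "inconclusive" };
    int v = ghost_probe();
    printf("GHOST (CVE-2015-0235) probe: %s\n", verdict[v]);
    return v == GHOST_VULNERABLE ? 1 : 0;
}
```

Compile with `cc -o ghost_probe ghost_probe.c` and run it on each Linux host. A fixed glibc rejects the request with ERANGE and leaves the sentinel intact; a non-glibc C library may return a different error, which the probe reports as inconclusive rather than as a clean bill of health. Run it on the live system, not in a freshly built container, because the question is which library is actually loaded in production; a package version check (`rpm -q glibc`, `dpkg -l libc6`) tells you what is installed, not which long-running processes still have the old copy mapped.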

Going forward, organizations should ensure that the risk-mitigating controls outlined in PCI Data Security Standard (PCI DSS) 3.0 are properly implemented, the council said.

These include reviewing public-facing web applications with manual or automated application vulnerability assessment tools or methods (Requirement 6.6); patching vulnerable systems promptly (Requirement 6.2); monitoring systems for malicious and abnormal activity and keeping intrusion detection and prevention system (IDS/IPS) signatures up to date (Requirement 11.4); and reviewing third-party service provider relationships (Requirement 12.8).

A multi-layered approach to payment card security, one that addresses social, technology and process weaknesses together, is crucial to identifying and protecting against potential attacks and vulnerabilities such as “GHOST,” the PCI Council stressed.