Threat from Keyloggers

[mckafka99]

I am wondering if in discussions, one can overstate or understate the threat from keyloggers or the ability for keyloggerrs to get onto systems. I find frequently that some people tend to dismiss or underrate the threat that keyloggers present to a system used for card data entry. For a simple environment where workstations are used to enter data in a secure web form on a 3rd party hosted site/portal, keyloggers seem to be the primary threat and making sure that they dont get on those machines would seem the big thing to pay attention to.

[jbhall56]

Key loggers are a threat. There are some mitigating controls in the PCI DSS for addressing this threat.

For software-based keyloggers, this is why the PCI DSS mandates critical file monitoring and anti-virus. Between both of these controls it should be pretty tough to surreptitiously install a software-based keylogger.

For hardware-based keyloggers, the PCI DSS requires in-scope systems to be physically secured so the installation of a keylogger is difficult and would likely be recording on video.

That said, there is still a threat for keyloggers ending up on systems that are not in-scope that are used as a way to get to the in-scope systems. For this, the PCI DSS requirement for network monitoring and network segmentation can minimize this threat, but it only works if alerts are properly addressed and researched.

[mckafka99]

Quote:

Originally Posted by jbhall56

Key loggers are a threat. There are some mitigating controls in the PCI DSS for addressing this threat.

For hardware-based keyloggers, the PCI DSS requires in-scope systems to be physically secured so the installation of a keylogger is difficult and would likely be recording on video.

Other than putting machines used for CHD entry in a separate, secure room that is monitored, what other ways can one meet the requirement to physically secure such machines?