Acquirers are being encouraged to alert merchants to a new remote malware attack called "Ghost" that allows hackers to take over a network.
Hackers exploit a software vulnerability affecting Linux systems, enabling them to delete files, install malware and breach data, the Payment Card Industry Security Standards Council stated in a Feb. 2 bulletin.
The council said the initial warning came from the United States Department of Homeland Security through its computer emergency readiness team.
Ghost poses "a serious risk" to Linux computer systems running GNU C Library versions prior to 2.18, the PCI council said. Merchants and service providers should work with IT teams to identify all servers, systems and appliances that use a vulnerable version of the Linux system, and then seek the appropriate patch for the system from the supplying vendor.
In addition, merchants can address future risks by ensuring proper implementation of the security controls outlined in the PCI Data Security Standard 3.0, the council said.
Those controls require a manual or automated review of public-facing Web applications, including a system firewall, as well as patching of vulnerable systems.
A review of third-party service provider relationships, including how devices and systems are accessed, is also required. This is especially important for those providers with remote access to an organization's network, the council said.
New malware attacks are becoming increasingly common. Merchants were warned in August 2014 of Backoff malware, which hackers were deploying to infiltrate point of sale terminals.