4. Security Risk
Data in Memory
Security concerns remain the same as those for device interfaces there are no standard security
mechanisms. Specific issues depend on the type of connectivity. If POS and PA run under the same
OS process, the memory of the process can be scanned using RAM scraping in order to retrieve
sensitive data.
6. Security Risk
Data at Rest
“data at rest,” a term used to describe any form of hard-drive storage such as database, fl at-data
file, or log file.
7. Security Risk
Data in Transit
There are different ways to “tap into the wire.” One of various sniffing attack scenarios would be a
hidden network tap device plugged into the store network. The tap device will catch the payment
application traffic and mirror it to the remote control center.
9. Security Risk
Application Code and Configuration
Another key vulnerability area is payment Application Code itself and its Configuration (config). The
code or config don’t contain any cardholder information by themselves, but can be tampered by
attacker or malicious software in order to gain unauthorized access to the data in other key
vulnerability areas.
10. Exposure Area
Retail Store – POS Machine
POI Device
Payment
Application
Storage
Memory
POS App
Payment Processor Data Center
Payment
Processing Host
1
2
3
3
4
2
1
3
4
Data in memory
Data at rest
Data in Transit
App Code and Configuration
11. Pros and Cons
Some of the security pros and cons of this model are:
Pro
There’s no central location in the store that accumulates all the Sensitive data in memory, disk
storage, or network traffic. It is easier (and less expensive!) to protect a single machine and
application instance; however, once it is broken, all the store data is gone.
The communication between POS and PA doesn’t carry sensitive data because PA handles all
the aspects of any payment transaction and only returns the masked results to the POS at the
end without exposing the details of the magnetic stripe.
Con
All POS machines (memory, data storage) at the store are exposed to sensitive data as well as
communication between the POS machine and the payment host.
12. The concept of EPS
EPS stands for Electronic Payment System
The main purpose of EPS is isolating the electronic payment processing application from the rest of
the point-of-sale functions.
A logical (and often physical) separation of the POS and payment system allows “removing POS from
the scope” (security auditors terminology meaning that security standard requirements like PCI are
not applicable to a particular application or machine).
Placing the POS application or machine “out of scope” saves a lot of Development and
implementation work for both software manufacturers and consumers
13. Store EPS Deployment Model
Retail Store
POI Device
Payment
Application
Storage
Memory
POS Payment
Processing Host
POS Machine Store Server
Payment
Processor
Data Center
2
1
3
4
Data in memory
Data at rest
Data in Transit
App Code and Configuration
1
2
4
3
3
14. Pros and Cons
Some of the security pros and cons of this model are:
Pro
The POS machine isn’t exposed to sensitive data because it doesn’t communicate with POI
devices.
Communication between the POS and the store server machines doesn’t contain sensitive
data, so there’s no need to encrypt this traffic
Con
Communication between POI devices and the store server is implemented through the store
LAN (usually TCP/IP packets), exposing sensitive cardholder information to the network.
15. Hybrid POS/Store Deployment Model
Retail Store
Payment
Server App
Storage
Memory
POS
Payment
Processor
Data Center
Payment
Processing Host
POS App Store Server
Payment
Client App
POI Device
Memory
Storage
2
1
3
4
Data in memory
Data at rest
Data in Transit
App Code and Configuration
11
22
44
3
3
3
16. Pros and Cons
Some of the security pros and cons of this model are:
Pro
There are no security pros associated with this model.
Con
Both the POS and the store server machines and almost all their Components (memory, data
storage, application code, and communication lines) are entirely vulnerable.
17. Case Study: Pentesting POS
Retail Store
Payment
Processing Host
Counter/ POS Area Back-Office Area
Payment
Processor
Data Center
Storing Room
EPS
18. Case Study: Pentesting POS
Retail Store
Payment
Processing Host
Counter/ POS Area Back-Office Area
Payment
Processor
Data Center
Storing Room
Physical & Host Assessment
EPS
19. Case Study: Pentesting POS
Physical & Host Assessment
USB Drives, Keyboard and Mouse
Hot-Key Shortcuts
Randomly presses on touchscreen
BIOS Configuration
Reverse Engineering on Application [.Net]
Directory Traversal on Application
20. Case Study: Pentesting POS
Retail Store
Payment
Processing Host
Counter/ POS Area Back-Office Area
Payment
Processor
Data Center
Storing Room
Network Segregation
&
Infrastructure Assessment
EPS
21. Case Study: Pentesting POS
Network Segregation & Infrastructure Assessment
Excessive Port on Device and Server
Network Segmentation
Password Reuse Rampant
Pass-The-Hash
Dump clear text passwords stored by
Windows authentication packages
Really !?
22. Case Study: Pentesting POS
Retail Store
Payment
Processing Host
Counter/ POS Area Back-Office Area
Payment
Processor
Data Center
Storing Room
Traffic Monitoring
EPS
23. Case Study: Pentesting POS
Traffic Monitoring
Identify PAN over the network.
Sensitive information between SIT and EPS.
24. Protection
Data in Memory
Minimizing Data Exposure from the Application (.NET SecureString, Memory Buffer]
Point-to-Point Encryption (P2PE), encrypt the data before it even reaches the memory of the
hosting machine, and decrypt it only after it has left the POS (in the Payment Gateway)
Data in Transit
Implementing Secure Socket Layer (SSL]
Encrypted Tunnels, IPSec
Data at Rest
Avoiding the storage of sensitive data at all.
Point-to-Point Encryption [P2PE]
Symmetric Key Encryption