Audit Checklist for POS
1. Maintain an up-to-date list of devices. The list should include the following:
  • Make and model of device
  • Location of device (for example, the address of the site or facility where the device is located)
  • Device serial number or other method of unique identification

2. Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).
Note: Examples of signs that a device might have been tampered with or substituted include unexpected attachments or cables plugged into the device, missing or changed security labels, broken or differently colored casing, or changes to the serial number or other external markings.

3. Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following:
  • Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
  • Do not install, replace, or return devices without verification.
  • Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).
  • Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).
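The inventory from item 1 only pays off if the inspection in item 2 is reconciled against it. The following is an added example, not part of the original checklist: it compares a constructed device inventory with the serials read during a walk-round and flags substituted, moved, missing and unknown devices.

```python
# Added example (not from the original checklist): reconcile the item 1
# inventory against serial numbers read during an item 2 inspection.
# Both data sets below are constructed sample data.

INVENTORY = [  # make, model, where the device should be, and its serial
    {"make": "VendorA", "model": "T100", "location": "Lane 1", "serial": "A1-0001"},
    {"make": "VendorA", "model": "T100", "location": "Lane 2", "serial": "A1-0002"},
    {"make": "VendorB", "model": "P7",   "location": "Lane 3", "serial": "B7-0003"},
]

INSPECTION = [  # (location visited, serial read off the device found there)
    ("Lane 1", "A1-0001"),  # matches the record
    ("Lane 2", "A1-9999"),  # serial differs from record: possible substitution
    ("Lane 4", "B7-0003"),  # a known device, but not where the record says
]


def reconcile(inventory, inspection):
    """Return findings by category; an empty dict means every device checked out."""
    expected = {d["location"]: d["serial"] for d in inventory}
    known = {d["serial"]: d["location"] for d in inventory}
    seen = {loc: serial for loc, serial in inspection}
    findings = {"substituted": [], "moved": [], "unknown": [], "missing": []}

    for loc, serial in seen.items():
        if expected.get(loc) == serial:
            continue  # the device at this location is the one on record
        if serial in known:
            findings["moved"].append((serial, known[serial], loc))
        elif loc in expected:
            findings["substituted"].append((loc, expected[loc], serial))
        else:
            findings["unknown"].append((loc, serial))

    # any inventoried serial that was not read anywhere is unaccounted for
    for loc, serial in expected.items():
        if serial not in seen.values():
            findings["missing"].append((loc, serial))

    return {k: v for k, v in findings.items() if v}


if __name__ == "__main__":
    for category, items in reconcile(INVENTORY, INSPECTION).items():
        print(category, items)
```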
4. Is the credit card information lost when power is removed? If the answer is no, then the information is stored in a relatively permanent location. The information could be accessed by a potential attacker, or remain in memory when the POS terminal is resold.

5. How many transactions can be retained in the device's permanent storage? This allows an estimate of the impact of a compromise. If only one credit card is held at a time, then this is a low risk. If hundreds can be retained, then this becomes a high risk.

6. How often is the information purged from the POS terminal? Frequent purges (hourly or every few hours) lower the risk profile. There is a high risk of a compromise if any part of the POS terminal holds information indefinitely. For example, if the card reader holds information after the cash register is cleared, then the card reader poses a threat to consumer credit information.

7. What is needed to purge information from the POS terminal? It can be a high risk if a human must remember to enter a code to clear the information. Automated clearing, such as on a timed schedule or when the register is closed out, is much more secure. Information should not be stored if there is no method to purge the data.

8. Is the permanent storage medium removable? What effort is needed? A locked metal case that is anchored to a counter is a stronger deterrent than a Compact Flash card that can be removed with a thumbnail or screwdriver.

9. Is the permanent storage encrypted? Many laptop vendors uniquely lock the hard drive to the motherboard. This prevents data on a stolen hard drive from being accessed by any other system. Similarly, encrypted file systems cannot be accessed without a unique key. If the POS terminal's permanent storage is not encrypted, then an attacker can easily access it. The PCI PED also attempts to address this issue: if the cryptographic key is not stored on the POS device, then the impact from a storage compromise is reduced.

10. When deleting information from permanent storage, is a secure erase used? Simply deleting (or unlinking) a file can leave recoverable information. At minimum, overwriting the file with zeros will clear the disk space. More secure deletion options include overwriting with a set of random data.

11. Does the system require changing the default authorization code? Secure systems require setting or changing the default password during the initial configuration. For example, current Linux and BSD systems cannot be installed without setting an initial password. (Even if the password is set to a blank password, it is still a required setting.) Similarly, POS terminals should not allow use with default passcodes. The PCI DSS does state that the default settings should be changed, but POS terminal software does not enforce the requirement.

12. Is there a backdoor code for bypassing or resetting authentication? If a backdoor exists, then it can be used by an administrator or an attacker.

13. Does resetting the authentication also clear stored records? If a reset allows access to stored records and an attacker can perform an authentication reset, then an attacker can access stored records. Ideally, resetting the authentication should also reset all stored information. This prevents an attacker from gaining unauthorized access.

14. Is an administrative code needed to reprint receipts or view transactions? If no code is needed, then anyone with access to the POS terminal can view transaction information.

15. Are all actions logged and associated with a specific operator account? Creating, modifying, or viewing transaction information should be logged. The logs should indicate the unique operator performing the action.
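Items 5, 7, 10, 14 and 15 describe controls that a terminal's transaction store can enforce itself. The following is an added example, not code from the original checklist or any POS vendor: a minimal store with a retention cap, automatic purging on close-out, overwrite-before-release of purged card data, and an audit log tied to a named operator. The class, the operator names and the card numbers are constructed for illustration.

```python
# Added example (not from the original checklist): a transaction store that
# models items 5, 7, 10, 14 and 15: capped retention, automatic purging on
# close-out, overwrite of purged card data, and per-operator audit logging.
import time

MAX_RETAINED = 2   # item 5: how many card numbers may be held at once
LOG = []           # item 15: (timestamp, operator, action, txn_id)


class TxnStore:
    def __init__(self, max_retained=MAX_RETAINED):
        self.max_retained = max_retained
        self.txns = {}  # txn_id -> bytearray(PAN); bytearray allows in-place overwrite

    def _log(self, operator, action, txn_id):
        if not operator:  # item 15: no action without an identified operator
            raise PermissionError("every action needs an operator account")
        LOG.append((time.time(), operator, action, txn_id))

    def _purge(self, operator, txn_id):
        buf = self.txns.pop(txn_id)
        for i in range(len(buf)):  # item 10: overwrite, do not just drop the reference
            buf[i] = 0
        self._log(operator, "purge", txn_id)

    def record(self, operator, txn_id, pan):
        self._log(operator, "create", txn_id)
        self.txns[txn_id] = bytearray(pan.encode())
        while len(self.txns) > self.max_retained:  # item 7: automatic, not manual
            self._purge("system", next(iter(self.txns)))  # oldest first (insertion order)

    def view(self, operator, txn_id):
        """Item 14: viewing requires an operator, and only a masked PAN is returned."""
        self._log(operator, "view", txn_id)
        pan = self.txns[txn_id].decode()
        return "*" * (len(pan) - 4) + pan[-4:]

    def close_register(self, operator):
        """Item 7: closing out the register purges everything still held."""
        for txn_id in list(self.txns):
            self._purge(operator, txn_id)
        return len(self.txns)


if __name__ == "__main__":
    s = TxnStore()
    s.record("alice", "t1", "4111111111111111")  # constructed sample PAN
    print(s.view("alice", "t1"), s.close_register("alice"), LOG)
```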