Security Risk Advisors

Securing the Point of Sale Device

December 23, 2013 | Posted in GRC by Carl Angeloff

Target and American Express have confirmed that 40 million credit and debit cards were compromised across the retail chain's point-of-sale (POS) environment. The breach occurred across most or all of Target's stores in the United States.

To make matters worse, the type of cardholder data (CHD) stored is magnetic stripe data. Magnetic stripe data includes not only the 16-digit PAN on the front of the credit card but also a sensitive authentication data element, the PIN code (related to debit cards). The PAN in conjunction with the PIN could allow unauthorized ATM withdrawals.

Although specific attack details around the compromise have not been confirmed, the following two scenarios are common methods attackers use to obtain large amounts of CHD from POS devices:

  • Malware:  Installing malware on the workstation (e.g. the card swipe machine at each checkout line at each store) hosting the POS application
  • Skimming:  Attaching a physical device to the POS hardware which 'skims' CHD

There is a lot of controversy over the PCI Point-to-Point Encryption Hardware (P2PE-HW) standards and what constitutes acceptable point of interaction devices and approved P2PE solutions; however, you can apply the security principles of P2PE-HW to reduce the risk of a breach.  The basic concepts of P2PE-HW are: 

  • Eliminate clear-text CHD in the environment by encrypting at the point of swipe or manual entry into the hardware's PIN pad.  Decryption of CHD is not performed until the data reaches your acquiring bank or approved PCI service provider providing P2PE capabilities. 
  • Do not store the private encryption key anywhere within the organization's environment.  Merchants that must decrypt CHD must use only approved P2PE solutions, for which encryption and key management must still be handled by a PCI-approved hardware device and provider. 
  • Implement tamper-resistant controls to reduce the chance of a skimming device obtaining CHD before it is encrypted at the hardware layer.

Let's walk through scenarios where these principles are applied and see how specific attack vectors would be mitigated.

Malware: 

Scenario

Attacker compromises organization's network and installs malware on systems throughout the network, including POS devices.  The malware is designed to automatically detect CHD transactions on the system or in memory and immediately send the data to the attacker's remote server. 

P2PE-HW Risk Mitigation

Although the attacker has the ability to log any data transmitted across the POS system, all CHD originally entered through an approved hardware device would be encrypted. The private key to decrypt this CHD does not sit anywhere within the compromised network, thus reducing the risk that the attacker would be able to decrypt the CHD.
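One way to check that encryption really happens at the point of swipe, as an added example that is not from the original post: scan what the POS host logs or forwards for clear-text track 2 data or Luhn-valid PANs, which should never appear there under P2PE-HW. The log lines, field names and card number below are constructed for illustration.

```python
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM + 3-digit service code + discretionary data + ?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d{3}\d*\?")
# Bare PAN candidates: 13-19 digits, optionally grouped with single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn check; filters out order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(pan):
    """Show only first six / last four so findings do not re-expose the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_cleartext_chd(lines):
    """Return (line_no, kind, masked_pan) for each Luhn-valid PAN found in clear text."""
    findings = []
    for no, line in enumerate(lines, 1):
        seen = set()
        for m in TRACK2_RE.finditer(line):
            if luhn_ok(m.group(1)):
                seen.add(m.group(1))
                findings.append((no, "track2", mask(m.group(1))))
        for m in PAN_RE.finditer(line):
            pan = re.sub(r"[ -]", "", m.group(0))
            if pan not in seen and luhn_ok(pan):
                seen.add(pan)
                findings.append((no, "pan", mask(pan)))
    return findings

# Constructed sample: hypothetical log lines from a POS host (field names are made up).
SAMPLE_LOG = [
    "txn=1001 device=pinpad-07 enc_track=A1F4C9E07B22D85E6C3F90AB",   # encrypted at swipe
    "txn=1002 order_ref=1234567890123456 amount=19.99",               # 16 digits, fails Luhn
    "txn=1003 DEBUG raw_swipe=;4111111111111111=251210100000?",       # clear-text track 2
    "txn=1004 manual_entry card=4111 1111 1111 1111",                 # clear-text PAN
]

if __name__ == "__main__":
    for finding in find_cleartext_chd(SAMPLE_LOG):
        print("clear-text CHD:", finding)
```

Any finding on a host that sits behind an encrypting PIN pad means card data is reaching the POS application unencrypted and would be visible to malware on that system.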

Skimming: 

Scenario

Attacker gains physical access to an organization's POS devices. This is most commonly performed at gas stations where little oversight is performed around the POS device. The attacker attaches a skimming device to the POS device, which transmits all CHD captured when future customers swipe their cards to make a payment.

P2PE-HW Risk Mitigation

Approved hardware devices are configured to centrally alert a third party service provider and/or organization if the device is broken, manipulated, or disconnected from its normal state.  Video cameras and physical inspections of POS locations can further reduce risk of a skimming attack. 

Concerned about one of your payment processes which might benefit from P2PE?   Contact us at info@securityriskadvisors.com