Audit Checklist for POS

1. Maintain an up-to-date list of devices. The list should include the following:
o Make and model of the device
o Location of the device (for example, the address of the site or facility where the device is located)
o Device serial number or other method of unique identification
2. Periodically inspect device surfaces to detect tampering (for example, the addition of card skimmers to devices) or substitution (for example, by checking the serial number or other device characteristics to verify that it has not been swapped with a fraudulent device).
Note: Examples of signs that a device might have been tampered with or substituted include unexpected attachments or cables plugged into the device, missing or changed security labels, broken or differently colored casing, or changes to the serial number or other external markings.
3. Provide training for personnel so that they are aware of attempted tampering or replacement of devices. Training should include the following:
o Verify the identity of any third-party persons claiming to be repair or maintenance personnel before granting them access to modify or troubleshoot devices.
o Do not install, replace, or return devices without verification.
o Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).
o Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).
4. Is the credit card information lost when power is removed?
If the answer is "no", then the information is stored in a relatively permanent location. The information could be accessed by a potential attacker, or remain in memory when the POS terminal is resold.
5. How many transactions can be retained in the device's permanent storage?
This allows an estimate of the impact of a compromise. If only one credit card is held at a time, then this is a low risk. If hundreds can be retained, then this becomes a high risk.
6. How often is the information purged from the POS terminal?
Frequent purges (hourly or every few hours) lower the risk profile. There is a high risk of a compromise if any part of the POS terminal holds information indefinitely. For example, if the card reader holds information after the cash register is cleared, then the card reader poses a threat to consumer credit information.
7. What is needed to purge information from the POS terminal?
It can be a high risk if a human must remember to enter a code to clear the information. Automated clearing, such as on a timed schedule or when the register is closed out, is much more secure. Information should not be stored at all if there is no method to purge the data.
8. Is the permanent storage medium removable? What effort is needed?
A locked metal case that is anchored to a counter is a stronger deterrent than a CompactFlash card that can be removed with a thumbnail or a screwdriver.
9. Is the permanent storage encrypted?
Some laptop vendors bind the hard drive to the motherboard (for example, with an ATA drive password or a disk-encryption key sealed in the TPM). This prevents data on a stolen hard drive from being accessed by any other system. Similarly, an encrypted file system cannot be read without its unique key. If the POS terminal's permanent storage is not encrypted, then an attacker who obtains the storage can easily read it. The PCI PED (PIN Entry Device) requirements also attempt to address this issue: if the cryptographic key is not stored on the POS device, then the impact of a storage compromise is reduced, because the attacker gets ciphertext without the key needed to use it.
10. When deleting information from permanent storage, is a secure erase used?
Simply deleting (or unlinking) a file can leave recoverable information, because only the directory entry is removed and the data blocks stay on the medium until reused. At minimum, overwriting the file with zeros before deleting it will clear the disk space. More secure deletion options include overwriting with random data. Note that on flash media with wear leveling (SD and CompactFlash cards, SSDs) an overwrite may be written to a different physical block, leaving the old copy on the chip; there, encrypting the storage and destroying the key is the reliable way to render the data unrecoverable.
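The following is an added example, not code from the checklist or from any POS vendor, showing the overwrite-then-unlink procedure described in item 10 on an ordinary file. The file layout, the chunk size and the sample record format are assumptions for illustration; the comments carry the flash caveat.

```python
"""Secure erase of a POS record file: overwrite in place, sync, then unlink.

Added example (not from the checklist). Assumes records live as ordinary
files on a writable filesystem; see the flash caveat in overwrite_file().
"""
import os
import tempfile

CHUNK = 64 * 1024  # assumed write granularity for the overwrite passes


def overwrite_file(path: str, passes: int = 2) -> int:
    """Overwrite every byte of `path` in place and return the file size.

    Pass 0 writes zeros (the minimum item 10 asks for); later passes write
    random bytes. The data is flushed and fsync'd after each pass so the
    overwrite reaches the medium instead of sitting in the page cache.

    Caveat: on flash (SD, CompactFlash, SSD) the controller may remap
    blocks under wear leveling, so the old copy can survive on the chip.
    There, encrypt the storage and destroy the key rather than rely on this.
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        for n in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                buf = b"\x00" * min(CHUNK, remaining) if n == 0 \
                    else os.urandom(min(CHUNK, remaining))
                remaining -= fh.write(buf)  # raw write may be partial
            fh.flush()
            os.fsync(fh.fileno())
    return size


def contains_marker(path: str, marker: bytes) -> bool:
    """True if `marker` still occurs anywhere in the file."""
    with open(path, "rb") as fh:
        return marker in fh.read()


def secure_erase(path: str, passes: int = 2) -> int:
    """Overwrite the file, then unlink it; returns bytes overwritten."""
    size = overwrite_file(path, passes)
    os.unlink(path)
    return size


def demo() -> dict:
    """Constructed sample: a batch file holding a test PAN, then erased."""
    pan = b"4111111111111111"  # industry test number, not a real card
    record = b"txn=0001;pan=" + pan + b";exp=1230;amount=19.99\n"
    fd, path = tempfile.mkstemp(prefix="pos_batch_")
    with os.fdopen(fd, "wb") as fh:
        fh.write(record * 50)
    before = contains_marker(path, pan)
    overwrite_file(path, passes=2)
    after = contains_marker(path, pan)  # checked before unlinking
    size = secure_erase(path, passes=1)
    return {"marker_before": before, "marker_after": after,
            "bytes": size, "exists": os.path.exists(path)}


if __name__ == "__main__":
    print(demo())
```

Reading the file back between the overwrite and the unlink is the check an auditor wants: it proves the PAN is gone from the file's blocks, which a bare unlink never does.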
11. Does the system require changing the default authorization code?
Secure systems require setting or changing the default password during the initial configuration. For example, current Linux and BSD systems cannot be installed without setting an initial password. (Even if the password is set to a blank password, it is still a required setting.) Similarly, POS terminals should not allow use with default passcodes. The PCI DSS does state that vendor default settings must be changed, but POS terminal software commonly does not enforce the requirement, so the auditor must verify it on the device.
12. Is there a backdoor code for bypassing or resetting authentication?
If a backdoor exists, then it can be used by an administrator or by an attacker.
13. Does resetting the authentication also clear stored records?
If a reset allows access to stored records and an attacker can perform an authentication reset, then the attacker can access the stored records. Ideally, resetting the authentication should also wipe all stored information. This prevents an attacker from gaining unauthorized access to the records by way of a reset.
14. Is an administrative code needed to reprint receipts or view transactions?
If no code is needed, then anyone with access to the POS terminal can view transaction information.
15. Are all actions logged and associated with a specific operator account?
Creating, modifying, or viewing transaction information should be logged. The logs should indicate the unique operator performing the action; a shared or generic login (for example, a single "manager" code known to all staff) does not identify who acted and defeats the purpose of the log.
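As an added example (not part of the checklist and not any vendor's code), here is the check an auditor can run over an exported POS event log to test item 15: every event that creates, modifies or views transaction data must carry an operator field naming a specific account rather than a shared one. The key=value log format, the action names and the list of generic account names are assumptions; the sample lines are constructed.

```python
"""Audit POS event-log lines for item 15: sensitive actions must be
attributable to a specific, non-shared operator account.

Added example, not part of the checklist. The log format (key=value
fields), action names and generic account names are assumed.
"""
import re

# Actions that touch transaction data and therefore must be attributable.
SENSITIVE_ACTIONS = {"TXN_CREATE", "TXN_MODIFY", "TXN_VIEW",
                     "RECEIPT_REPRINT", "AUTH_RESET"}
# Shared or generic logins do not identify a person (assumed names).
GENERIC_OPERATORS = {"", "admin", "manager", "shared", "cashier", "default"}

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line: str) -> dict:
    """Turn 'ts=... op=... action=...' into a dict; absent keys stay absent."""
    return dict(FIELD_RE.findall(line))


def audit_log(lines) -> list:
    """Return one finding (line_no, reason, action) per line that fails.

    Lines whose action is not sensitive are ignored. Lines with no parsable
    fields are reported as well, since an unlogged gap is itself a finding.
    """
    findings = []
    for n, raw in enumerate(lines, start=1):
        ev = parse_line(raw)
        action = ev.get("action")
        if action is None:
            findings.append((n, "unparseable", None))
            continue
        if action not in SENSITIVE_ACTIONS:
            continue
        op = ev.get("op")
        if op is None:
            findings.append((n, "no operator field", action))
        elif op.lower() in GENERIC_OPERATORS:
            findings.append((n, f"generic operator '{op}'", action))
    return findings


SAMPLE_LOG = [  # constructed sample, not real POS output
    "ts=2024-03-01T09:00:01 op=jsmith action=LOGIN",
    "ts=2024-03-01T09:02:11 op=jsmith action=TXN_CREATE txn=0001 amt=19.99",
    "ts=2024-03-01T09:05:40 op=admin action=TXN_VIEW txn=0001",
    "ts=2024-03-01T09:06:02 action=RECEIPT_REPRINT txn=0001",
    "ts=2024-03-01T09:07:15 op=mlee action=TXN_MODIFY txn=0001 amt=9.99",
    "garbage line from a crashed logger",
]

if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(finding)
```

On the sample, lines 3 (a generic "admin" login viewing a transaction), 4 (a receipt reprint with no operator at all) and 6 (an unparseable line) are flagged; the LOGIN and the two attributed transaction events pass.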