POS System Audit Checklist with Vulnerability Priority Assessment (CVSS v3.1)

[Professor]

Below is an updated version of the POS system audit checklist with the addition of a vulnerability priority assessment according to the CVSS (Common Vulnerability Scoring System) v3.1 scale.

Each critical vulnerability is provided with:

• CVSS score (0.0–10.0),
• Risk level (Low / Medium / High / Critical),
• Brief rationale for the vector-based assessment (AV, AC, PR, UI, S, C, I, A).

CVSS v3.1 is a standard vulnerability severity rating system used in NVD, CVE, and cybersecurity reports.

POS System Audit Checklist with Vulnerability Priority Assessment (CVSS v3.1)​

1. Physical security of terminals​

№	CHECK	NOT REALLY	CVSS	RISK LEVEL	COMMENTS / RATIONALE
1.1	Are there any signs of physical interference (chips, play)?		7.5 (AV:L, AC:H, PR:N, UI:N, S:U, C:H, I:H, A:H)	High	Direct access to the device may result in removal of keys or installation of a skimmer.
1.2	Are anti-tamper sensors installed?		—	—	Absence - increases risk (CVSS ~6.5) if physical access is present.
1.3	Are skimmers inspected regularly?		8.1 (AV, AC:L, PR:N, UI:N, S:U, C:H, I:H, A:H)	High	Lack of control allows the skimmer to remain present for long periods of time.
1.4	Is access for engineers limited?		6.3 (AV:A, AC:L, PR:L, UI:N, S:U, C:H, I:L, A:L)	Average	Uncontrolled access by third parties is a vector for infection.

2. Network security​

№	CHECK	NOT REALLY	CVSS	RISK LEVEL	COMMENTS / RATIONALE
2.1	POS in the same VLAN with the office network?		8.6 (AV:N, AC:L, PR:N, UI:N, S:U, C:H, I:H, A:H)	Critical	Allows the attack to move from a compromised PC to the POS.
2.2	Open ports: 21 (FTP), 23 (Telnet), 3389 (RDP)?		9.8 (AV:N, AC:L, PR:N, UI:N, S:U, C:H, I:H, A:H)	Critical	Open services without encryption are a direct path to compromise.
2.3	Is TLS 1.0/1.1 used?		7.4 (AV:N, AC:L, PR:N, UI:N, S:U, C:H, I:N, A:N)	High	Legacy encryption is vulnerable to MITM (POODLE, BEAST).
2.4	No certificate pinning?		8.1 (AV:N, AC:H, PR:N, UI:N, S:U, C:H, I:H, A:H)	High	Allows MITM attacks on traffic to processing.
2.5	Are you using Wi-Fi without encryption or WPA2-Personal?		8.8 (AV:A, AC:L, PR:N, UI:N, S:U, C:H, I:H, A:H)	Critical	Easy access to traffic within range.

3. Software and firmware​

№	CHECK	NOT REALLY	CVSS	RISK LEVEL	COMMENTS / RATIONALE
3.1	Does your device use EOL firmware (e.g. Windows XP Embedded)?		9.8 (AV:N, AC:L, PR:N, UI:N, S:U, C:H, I:H, A:H)	Critical	No updates, known exploits (eg EternalBlue).
3.2	Malware detected (eg BlackPOS)?		10.0 (AV:N, AC:L, PR:N, UI:N, S:C, C:H, I:H, A:H)	Critical	Direct access to PAN in memory.
3.3	Hardcode keys in firmware or software?		9.1 (AV:N, AC:L, PR:N, UI:N, S:U, C:H, I:H, A:N)	Critical	An attacker can extract keys and forge transactions.
3.4	No firmware digital signature verification?		8.1 (AV:L, AC:L, PR:N, UI:N, S:U, C:H, I:H, A:H)	High	It is possible to install modified firmware.

4. Processing and storing card data​

№	CHECK	NOT REALLY	CVSS	RISK LEVEL	COMMENTS / RATIONALE
4.1	Is the full PAN stored in the database or logs?		10.0 (AV:N, AC:L, PR:N, UI:N, S:C, C:H, I:H, A:H)	Critical	Direct violation of PCI DSS, massive data leak.
4.2	Is magnetic stripe data (track data) stored?		10.0 (AV:N, AC:L, PR:N, UI:N, S:C, C:H, I:H, A:H)	Critical	Prohibited by PCI DSS, allows card cloning.
4.3	Нет P2PE (Point-to-Point Encryption)?		9.0 (AV:N, AC:L, PR:N, UI:N, S:U, C:H, I:H, A:H)	Critical	Data is transmitted in clear text between the PC and the terminal.
4.4	Is weak encryption used (DES instead of AES)?		7.4 (AV:N, AC:L, PR:N, UI:N, S:U, C:H, I:N, A:N)	High	Possibility of data decryption.

5. Authentication and access control​

№	CHECK	NOT REALLY	CVSS	RISK LEVEL	COMMENTS / RATIONALE
5.1	Are the default passwords used (admin/1234)?		8.8 (AV:A, AC:L, PR:N, UI:N, S:U, C:H, I:H, A:H)	Critical	Easy brute force, full control over the terminal.
5.2	No MFA for administrative access?		7.1 (AV:N, AC:L, PR:L, UI:N, S:U, C:H, I:H, A:H)	High	Makes it easier to compromise an account.
5.3	No logging of administrator actions?		5.3 (AV:N, AC:L, PR:N, UI:N, S:U, C:L, I:L, A:L)	Average	Makes it difficult to investigate incidents.

6. Architecture and system type​

№	CHECK	NOT REALLY	CVSS	RISK LEVEL	COMMENTS / RATIONALE
6.1	Hybrid system (PC + terminal) without P2PE?		9.0 (AV:N, AC:L, PR:N, UI:N, S:U, C:H, I:H, A:H)	Critical	Card data is available on PC before encryption.
6.2	mPOS on an unprotected smartphone (no MDM, encryption)?		8.1 (AV:N, AC:L, PR:N, UI:N, S:U, C:H, I:H, A:H)	High	The device may be stolen or infected.

7. Processes and Policies​

№	CHECK	NOT REALLY	CVSS	RISK LEVEL	COMMENTS / RATIONALE
7.1	No information security policy?		6.5 (AV, AC:L, PR:N, UI:N, S:U, C:H, I:H, A:H)	Average	The lack of procedures increases the risk of human error.
7.2	Are your staff not trained in basic safety?		6.8 (AV, AC:L, PR:N, UI:R, S:U, C:H, I:M, A:L)	Average	Risk of phishing, malware installation, data leakage.
7.3	No pentests for over a year?		7.5 (AV:N, AC:L, PR:N, UI:N, S:U, C:H, I:H, A:H)	High	Unknown vulnerabilities can be exploited for a long time.

8. Compliance with standards​

№	CHECK	NOT REALLY	CVSS	RISK LEVEL	COMMENTS / RATIONALE
8.1	No SAQ or ROC for PCI DSS?		7.0 (AV, AC:L, PR:N, UI:N, S:U, C:H, I:H, A:H)	High	Risk of fines, loss of trust, suspension of acquiring.
8.2	The terminal is not PCI PTS certified?		8.0 (AV, AC:L, PR:N, UI:N, S:U, C:H, I:H, A:H)	High	The device may not meet basic safety requirements.

CVSS Interpretation Table​

EVALUATION	RISK LEVEL	ACTION
0.0 – 3.9	Short	Eliminate in a planned manner
4.0 – 6.9	Average	Fix within 90 days
7.0 – 8.9	High	Fix within 30 days
9.0 – 10.0	Critical	Eliminate immediately (within 7 days)

Prioritization Guidelines​

1. Fix vulnerabilities with CVSS ≥ 9.0 first:
   • Open ports (RDP, Telnet).
   • Storing track data.
   • Lack of P2PE in hybrid systems.
2. Then - CVSS 7.0–8.9:
   • Outdated encryption.
   • Standard passwords.
   • No network segmentation.
3. As planned - CVSS < 7.0:
   • No MFA.
   • No staff training.

Appendix: Report Template​

You can use this checklist as a basis for creating a report, including:

• Summary table by risk levels.
• Recommendations for troubleshooting.
• Correction deadlines.
• Responsible persons.