Professor
Below is an updated version of the POS system audit checklist with the addition of a vulnerability priority assessment according to the CVSS (Common Vulnerability Scoring System) v3.1 scale.
Each critical vulnerability is provided with:
- CVSS score (0.0–10.0),
- Risk level (Low / Medium / High / Critical),
- Brief rationale based on the CVSS vector (AV, AC, PR, UI, S, C, I, A).
CVSS v3.1 is a standard vulnerability severity rating system used in NVD, CVE, and cybersecurity reports.
POS System Audit Checklist with Vulnerability Priority Assessment (CVSS v3.1)
1. Physical security of terminals
№ | CHECK | YES / NO | CVSS | RISK LEVEL | COMMENTS / RATIONALE |
---|---|---|---|---|---|
1.1 | Are there any signs of physical tampering (chips, loose parts)? | | 7.5 (AV:L, AC:H, PR:N, UI:N, S:U, C:H, I:H, A:H) | High | Direct access to the device may lead to key extraction or installation of a skimmer. |
1.2 | Are anti-tamper sensors installed? | | — | — | Their absence increases risk (CVSS ~6.5) where physical access is possible. |
1.3 | Are terminals inspected regularly for skimmers? | | 8.1 | High | Lack of inspection lets a skimmer remain in place for a long time. |
1.4 | Is service engineer access restricted? | | 6.3 (AV:A, AC:L, PR:L, UI:N, S:U, C:H, I:L, A:L) | Medium | Uncontrolled third-party access is an infection vector. |
2. Network security
№ | CHECK | YES / NO | CVSS | RISK LEVEL | COMMENTS / RATIONALE |
---|---|---|---|---|---|
2.1 | Is the POS on the same VLAN as the office network? | | 8.6 (AV:N, AC:L, PR:N, UI:N, S:U, C:H, I:H, A:H) | Critical | Lets an attacker pivot from a compromised office PC to the POS. |
2.2 | Are ports 21 (FTP), 23 (Telnet) or 3389 (RDP) open? | | 9.8 (AV:N, AC:L, PR:N, UI:N, S:U, C:H, I:H, A:H) | Critical | Unencrypted open services are a direct path to compromise. |
2.3 | Is TLS 1.0/1.1 used? | | 7.4 (AV:N, AC:L, PR:N, UI:N, S:U, C:H, I:N, A:N) | High | Legacy protocol versions are vulnerable to MITM attacks (POODLE, BEAST). |
2.4 | Is certificate pinning absent? | | 8.1 (AV:N, AC:H, PR:N, UI:N, S:U, C:H, I:H, A:H) | High | Allows MITM attacks on traffic to the payment processor. |
2.5 | Is Wi-Fi used without encryption or with WPA2-Personal? | | 8.8 (AV:A, AC:L, PR:N, UI:N, S:U, C:H, I:H, A:H) | Critical | Easy access to traffic within radio range. |
3. Software and firmware
№ | CHECK | YES / NO | CVSS | RISK LEVEL | COMMENTS / RATIONALE |
---|---|---|---|---|---|
3.1 | Does the device run EOL firmware or OS (e.g. Windows XP Embedded)? | | 9.8 (AV:N, AC:L, PR:N, UI:N, S:U, C:H, I:H, A:H) | Critical | No updates; known exploits (e.g. EternalBlue). |
3.2 | Is POS malware present (e.g. BlackPOS)? | | 10.0 (AV:N, AC:L, PR:N, UI:N, S:C, C:H, I:H, A:H) | Critical | Malware reads the PAN directly from memory. |
3.3 | Are keys hard-coded in firmware or software? | | 9.1 (AV:N, AC:L, PR:N, UI:N, S:U, C:H, I:H, A:N) | Critical | An attacker can extract the keys and forge transactions. |
3.4 | Is firmware digital signature verification absent? | | 8.1 (AV:L, AC:L, PR:N, UI:N, S:U, C:H, I:H, A:H) | High | Modified firmware can be installed. |
4. Processing and storing card data
№ | CHECK | YES / NO | CVSS | RISK LEVEL | COMMENTS / RATIONALE |
---|---|---|---|---|---|
4.1 | Is the full PAN stored in the database or logs? | | 10.0 (AV:N, AC:L, PR:N, UI:N, S:C, C:H, I:H, A:H) | Critical | Direct PCI DSS violation; mass data leak. |
4.2 | Is magnetic stripe data (track data) stored? | | 10.0 (AV:N, AC:L, PR:N, UI:N, S:C, C:H, I:H, A:H) | Critical | Prohibited by PCI DSS; enables card cloning. |
4.3 | No P2PE (Point-to-Point Encryption)? | | 9.0 (AV:N, AC:L, PR:N, UI:N, S:U, C:H, I:H, A:H) | Critical | Data travels in clear text between the PC and the terminal. |
4.4 | Is weak encryption used (DES instead of AES)? | | 7.4 (AV:N, AC:L, PR:N, UI:N, S:U, C:H, I:N, A:N) | High | Data can be decrypted. |
5. Authentication and access control
№ | CHECK | YES / NO | CVSS | RISK LEVEL | COMMENTS / RATIONALE |
---|---|---|---|---|---|
5.1 | Are default passwords in use (admin/1234)? | | 8.8 (AV:A, AC:L, PR:N, UI:N, S:U, C:H, I:H, A:H) | Critical | Trivial to brute-force; full control over the terminal. |
5.2 | Is MFA absent for administrative access? | | 7.1 (AV:N, AC:L, PR:L, UI:N, S:U, C:H, I:H, A:H) | High | Makes account compromise easier. |
5.3 | Are administrator actions not logged? | | 5.3 (AV:N, AC:L, PR:N, UI:N, S:U, C:L, I:L, A:L) | Medium | Makes incident investigation difficult. |
6. Architecture and system type
№ | CHECK | YES / NO | CVSS | RISK LEVEL | COMMENTS / RATIONALE |
---|---|---|---|---|---|
6.1 | Hybrid system (PC + terminal) without P2PE? | | 9.0 (AV:N, AC:L, PR:N, UI:N, S:U, C:H, I:H, A:H) | Critical | Card data is available on the PC before encryption. |
6.2 | mPOS on an unprotected smartphone (no MDM, no encryption)? | | 8.1 (AV:N, AC:L, PR:N, UI:N, S:U, C:H, I:H, A:H) | High | The device may be stolen or infected. |
7. Processes and Policies
№ | CHECK | YES / NO | CVSS | RISK LEVEL | COMMENTS / RATIONALE |
---|---|---|---|---|---|
7.1 | No information security policy? | | 6.5 | Medium | Lack of procedures increases the risk of human error. |
7.2 | Is staff untrained in basic security? | | 6.8 | Medium | Risk of phishing, malware installation, data leakage. |
7.3 | No penetration test in over a year? | | 7.5 (AV:N, AC:L, PR:N, UI:N, S:U, C:H, I:H, A:H) | High | Unknown vulnerabilities may remain exploitable for a long time. |
8. Compliance with standards
№ | CHECK | YES / NO | CVSS | RISK LEVEL | COMMENTS / RATIONALE |
---|---|---|---|---|---|
8.1 | No SAQ or ROC for PCI DSS? | | 7.0 | High | Risk of fines, loss of trust, suspension of acquiring. |
8.2 | Is the terminal not PCI PTS certified? | | 8.0 | High | The device may not meet baseline security requirements. |
CVSS Interpretation Table
SCORE | RISK LEVEL | ACTION |
---|---|---|
0.0 – 3.9 | Low | Fix as planned work |
4.0 – 6.9 | Medium | Fix within 90 days |
7.0 – 8.9 | High | Fix within 30 days |
9.0 – 10.0 | Critical | Fix immediately (within 7 days) |
Prioritization Guidelines
- Fix vulnerabilities with CVSS ≥ 9.0 first:
  - Open ports (RDP, Telnet).
  - Storing track data.
  - Lack of P2PE in hybrid systems.
- Then CVSS 7.0–8.9:
  - Outdated encryption.
  - Default passwords.
  - No network segmentation.
- As planned work, CVSS < 7.0:
  - No MFA.
  - No staff training.
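To check a row's score against its vector and assign a deadline from the interpretation table above, here is an added Python calculator (not part of the original post) implementing the CVSS v3.1 base-score formula as published in the FIRST specification; `prioritize` is a hypothetical helper that takes check ids and vectors from the tables and orders them worst-first.

```python
import math

# CVSS v3.1 metric weights (PR values are for S:U; scope-changed PR kept separately).
_W = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"N": 0.85, "L": 0.62, "H": 0.27},
    "UI": {"N": 0.85, "R": 0.62},
    "C": {"H": 0.56, "L": 0.22, "N": 0.0},
}
_W["I"] = _W["A"] = _W["C"]
_PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.50}
# Thresholds and deadlines (days) from the interpretation table; the spec rates exactly 0.0 as "None".
_LEVELS = [(9.0, "Critical", 7), (7.0, "High", 30), (4.0, "Medium", 90), (0.0, "Low", None)]

def _roundup(x):
    # Spec-defined "Roundup": one decimal place, free of floating-point artefacts.
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def parse_vector(vector):
    # Accepts "CVSS:3.1/AV:N/AC:L/..." as well as the "AV:N, AC:L, ..." form used in the tables.
    parts = [p.strip() for p in vector.replace("/", ",").split(",")]
    metrics = dict(p.split(":", 1) for p in parts if ":" in p and not p.startswith("CVSS"))
    missing = {"AV", "AC", "PR", "UI", "S", "C", "I", "A"} - metrics.keys()
    if missing:
        raise ValueError("vector is missing metrics: %s" % sorted(missing))
    return metrics

def base_score(vector):
    m = parse_vector(vector)
    changed = m["S"] == "C"
    iss = 1 - (1 - _W["C"][m["C"]]) * (1 - _W["I"][m["I"]]) * (1 - _W["A"][m["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    pr = (_PR_CHANGED if changed else _W["PR"])[m["PR"]]
    exploitability = 8.22 * _W["AV"][m["AV"]] * _W["AC"][m["AC"]] * pr * _W["UI"][m["UI"]]
    if impact <= 0:
        return 0.0  # no impact means no vulnerability, whatever the exploitability
    total = impact + exploitability
    return _roundup(min(1.08 * total if changed else total, 10))

def risk_level(score):
    # Returns (level, days to fix); None means planned remediation with no fixed deadline.
    return next((lvl, days) for floor, lvl, days in _LEVELS if score >= floor)

def prioritize(findings):
    # findings: [(check id, vector)] -> [(id, score, level, days)], worst first.
    scored = [(cid, base_score(vec)) for cid, vec in findings]
    return sorted(((cid, s) + risk_level(s) for cid, s in scored), key=lambda r: -r[1])
```

Feeding each table row's vector to `base_score` recomputes its score, so any row whose stated score differs from its vector can be spotted before the report goes out.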
Appendix: Report Template
You can use this checklist as a basis for a report that includes:
- Summary table by risk level.
- Remediation recommendations.
- Remediation deadlines.
- Responsible persons.