Monday, October 01, 2007

PoS Logs out of PCI Scope? You've Got to Be Kidding!

Well, turns out they were dead serious :-) As I expressed my puzzlement to our resident PCI auditor, he explained that PoS logs and overall security of PoS devices are often "in-scope for PCI, but out of scope for a typical PCI audit."  How bizarre is that?  But let's start from the beginning.

First, WTF is a PoS? PoS, or Point-of-Sale terminal, is a machine that stores (and whoever else who takes credit cards) use to process credit card transactions (scan cards, communicate with verification server, print receipts, etc). It might be standalone or combined with a cash register. It might very very simple (just card reader + transaction unit in a single hardware unit) or as complex as a Windows PC with a cash drawer and no software updates (yuck!)

So, in the latter case, there are certainly logs involved. In fact, there are also PoS-specific application logs, such as this example below, coming from an IBM SurePoS device:


01/11 09:11 CC     5 W518 PROGRAM ADDDDDXUXDL HAS ENDED                           
                   B3/S111/E007 REASON=2 TYPE=3 RC=00000000            
SOURCE: OCF                                                                     
REASON: Application ended            PROGRAM TYPE: Background               
RC: No error      

PoS devices might be configured to store credit card numbers locally (for backup) and also to offload them to a "branch server" (a store server or both a store server and a regional server). Are there logs of who accessed them on the local PoS system? Maybe. Are they looked at? Probably not.  Maybe the logging is done better on the branch or store central server, but even this is not a certaintly

Overall, I am willing to bet a bottle of decent champagne that very few people, if anybody, in the whole world is regularly looking at PoS logs. At some happy point in the future, I predict they will start since the Beast of PCI will make them :-) When this happens, we will talk about PoS log analysis.

As of today, you would do comparatively well if you will collect and save them and thus will have a chance to review them for incident response for your next data theft case (or show them to an unusually nosey PCI auditor...)

More fun PoS security reading is here [PDF].

This post is obviously dedicated to the just-passed PCI DSS deadline ...

Technorati tags: ,

Dr Anton Chuvakin