Proposal / Submission Type

Peer Reviewed Paper

Location

Mori Hosseini Student Union: Event Center

Start Date

16-5-2019 1:00 PM

Abstract

According to the Verizon 2018 Data Breach Investigations Report, 321 POS terminals (user devices) were involved in data breaches in 2017 [1]. These data breaches involved standalone POS terminals as well as associated controller systems. This paper examines a standalone Point-of-Sale (POS) system commonly used in smaller retail stores and restaurants to extract unencrypted data and identify possible violations of the Payment Card Industry Data Security Standard (PCI DSS) requirement to protect stored cardholder data. The flash memory chips that provide persistent storage were removed from the devices, and their contents were successfully acquired. Information about the device and the code running on it was successfully extracted, although no PCI DSS data storage violations were identified.

6-Larson-Point of Sale Device Forensics.pdf (826 kB)
PDF version of PPT


A Forensic First Look at a POS Device: Searching For PCI DSS Data Storage Violations
