Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions by Slava Gomzin

Chapter 8

Protecting Cardholder Data

It is easier to produce ten volumes of philosophical writing than to put one principle into practice.

—Leo Tolstoy

PCI standards require only disk storage encryption, and in some cases communication encryption. Since the core technology around payment card processing has fundamental security flaws, the payment application should encrypt the sensitive cardholder data wherever possible: in memory, at rest, and in transit. In addition, it's a good idea to implement the defense in depth principle — put in extra layers of protection wherever possible. For example, when sending data via a network, a payment application can encrypt the sensitive data elements using symmetric algorithms, and also encrypt the entire communication session with a transport security mechanism such as SSL, HTTPS, or IPSec. In theory, physical and logical security controls can form another layer of protection. However, they are not effective in the hazardous working environment of the POS, which is directly exposed to the public.
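As an added illustration of the field-level layer described above (example code, not from the book), the Go functions below seal one sensitive element such as the PAN with AES-GCM under a symmetric key, so it stays encrypted independently of the SSL/TLS or IPSec session carrying the message, and then zero the plaintext buffer to shorten the time the clear PAN spends in memory. The key, the field-name context string and any test PAN are constructed values; key management itself is out of scope here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16-, 24- or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one sensitive element (e.g. the PAN) under a symmetric
// key, independently of the transport session carrying the message. Output is
// nonce||ciphertext||tag; aad is authenticated context (e.g. the field name),
// so a sealed PAN cannot be moved into another field undetected.
// The plaintext buffer is zeroed on return (other copies of the PAN are not).
func EncryptField(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh nonce per record
		return nil, err
	}
	sealed := gcm.Seal(nonce, nonce, plaintext, aad)
	for i := range plaintext { // shorten the clear PAN's lifetime in memory
		plaintext[i] = 0
	}
	return sealed, nil
}

// DecryptField opens a record from EncryptField; any change to nonce,
// ciphertext, tag or context makes it fail rather than return garbage.
func DecryptField(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}
```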

Data in Memory

The answer to questions about memory protection is simple: the sensitive cardholder data can't be completely safe if it is not encrypted before it is placed in memory. There are no existing reliable security mechanisms that would prevent memory scraping. If an attacker gains access to the POS hosting computer, the chances that the data will be leaked are very high because most of the operations (including encryption, decryption, and cryptographic ...
