The overall security of a system is only as robust as its weakest component. Card payments are considered secure and reliable, but the acquiring infrastructure is far from perfect.
This research is the first attempt to look at the security of an integral part of any acquiring infrastructure, the Terminal Management System (TMS). A TMS enables remote management and configuration of POS terminals. It is not part of the payment process, but every acquiring bank has one. We will talk about how it works and describe possible misconfigurations in the acquiring system and POS terminals. We will also cover attacks on TMS servers and POS terminals, which together can allow an adversary to process forged payments, cancel operations without authentication, and compromise POS terminals and acquiring networks. With this research, we want to draw the community’s attention to the security of TMS servers and acquiring infrastructures.
We analyzed several acquiring systems and TMS servers and found critical vulnerabilities and typical misconfigurations.