WebBrowser and PCI DSS


In case the point-of-sale card reader stops working, a backup card entry method is required by the card-processing vendor. The processor's suggested method is that the application hosts a WebBrowser control to the vendor's own site in which the credit card info is entered at checkout, and to watch for the URL to change to know when the transaction is complete and receive the verification token.

This struck me as a potential PCI minefield:

  • The keypresses are going into the same process as the rest of the point-of-sale application and the WebBrowser also provides in-process DOM hooks
  • I'm not sure what this means for HTTPS certificate validation in case of MitM from a separate machine
  • There are probably other things I don't know about that are just as important. (Deprecated protocols and algorithms?)

To be sure, a standalone web browser could have some of these same issues but at least it wouldn't be the responsibility of the application codebase. I wouldn't want a PCI audit to have problems with something unrelated in the codebase just because it shares a codebase with payment entry.

Am I overthinking this since it's only a backup method to be used if the card reader is down? What is the standard way of handling this?
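As an added example (not code from the question or from the processor), this is one way to wire the WebBrowser control so the application takes the verification token only from the completion URL on the vendor's HTTPS host and refuses to navigate anywhere else, without ever touching the DOM. The host name, completion path and query parameter are assumed placeholders; certificate validation is still left to the control and the OS, this check does not replace it.

```csharp
using System;
using System.Collections.Specialized;
using System.Web; // HttpUtility; add a reference to System.Web.dll in a .NET Framework WinForms project
using System.Windows.Forms;

// Hypothetical vendor values (assumptions, not from the question): the hosted
// payment page lives on pay.example-processor.test and redirects to /complete?token=...
static class CheckoutBrowser
{
    const string ExpectedHost = "pay.example-processor.test";
    const string CompletionPath = "/complete";

    // True only for an absolute https:// URL on the exact vendor host.
    public static bool IsVendorHttps(Uri uri)
    {
        return uri != null && uri.IsAbsoluteUri
            && string.Equals(uri.Scheme, Uri.UriSchemeHttps, StringComparison.Ordinal)
            && string.Equals(uri.Host, ExpectedHost, StringComparison.OrdinalIgnoreCase);
    }

    // Accept the token only from the completion path on the vendor's HTTPS host.
    // Anything else (http://, a lookalike host, another page) yields no token.
    public static bool TryExtractToken(Uri uri, out string token)
    {
        token = null;
        if (!IsVendorHttps(uri)) return false;
        if (!string.Equals(uri.AbsolutePath, CompletionPath, StringComparison.Ordinal)) return false;

        NameValueCollection query = HttpUtility.ParseQueryString(uri.Query);
        string value = query["token"];
        if (string.IsNullOrEmpty(value)) return false;
        token = value;
        return true;
    }

    // Restrict the control to the vendor host and read the token from the URL only;
    // the application never inspects page content, so card data never enters POS code.
    public static void Attach(WebBrowser browser, Action<string> onComplete)
    {
        browser.Navigating += (sender, e) =>
        {
            if (!IsVendorHttps(e.Url)) e.Cancel = true; // block off-host or non-HTTPS navigation
        };
        browser.Navigated += (sender, e) =>
        {
            string token;
            if (TryExtractToken(e.Url, out token)) onComplete(token);
        };
    }
}
```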


Solution

  • If you were being audited, an auditor would look for the following basic things:

    1. How frequently is the embedded browser updated by the manufacturer? How does it receive updates? Will it receive/deploy automatic updates? Or, will you have to redeploy the application whenever a critical security flaw is discovered/patched? How do you manage these updates? If the updates are automatic, how do you QA them after they're in prod? If you have to redeploy the application, how will you roll it out to users? How will you be certain that all users update from insecure versions to secure versions? How frequently are they pushed? Do you have a good set of processes to manage between updating so frequently that your users never have a clue what they're going to open up and updating so rarely that you are running extremely vulnerable software?

    2. In practice (particularly if you're subject to a post-breach audit), is the embedded browser fully updated to protect against patched security threats?

    3. Does the embedded browser protect against browser-based threats like drive-by downloads? Will your anti-virus solution still work with an embedded browser? Are you sure? How have you tested that?

    If you were, say, running a virtual terminal inside of a browser, you'd want to be able to answer those same questions, only about the regular browser. So, using an embedded browser doesn't change the letter of PCI-DSS. However, the security processes around the embedded browser will be different.

    For things like MITM attacks, I'm not entirely sure that I understand your question. An embedded browser would be as vulnerable as a regular browser to MITM, though some regular browsers have more enhanced protection against man-in-the-middle attacks. For example, if your embedded browser was an updated version of Google Chrome, I'd feel a heck of a lot more secure than if your embedded browser was a version of IE 6 that hasn't seen an update this decade.

    The important thing to remember is that if your cardholder data environment (CDE) is within a secure network that receives regular vulnerability scans (and if you have a good, written process governing how you perform vulnerability scans), you should be fine in the event of a breach. The kicker though is that you need to document both the process and how you follow the process.

    Say, for example, that your process is to:

    a.) Have an expert on your team do a vulnerability scan every second Friday.

    b.) Hire an outside firm to do a full vulnerability scan once per quarter.

    You'd need to have records of:

    a.) Who is your expert? How was she trained? Is she qualified to do vulnerability scans? If she finds a vulnerability how is it escalated? What dates did she perform the scans? Does she have any print-outs of the results? Does she fill out a form with her findings? Do you have all of the forms? Can I see the results of the vulnerability scan she performed on December 18, 2015?

    b.) When you have professional scans done, who performs them? How do you vet that the firm is qualified? How do you vet that the person who did them is qualified? What happens if they find vulnerabilities? What happens if they find vulnerabilities that your in-house expert doesn't find? Can I see their last report? Can I see the report from three quarters ago?