Electronic payment products from POSDATA

This information provided by VeriFone

PIN Pad Security Best Practices

The payment industry and card associations adopted PED and PCI PED requirements because of concerns that sophisticated criminal organizations may have the resources to tamper with PED terminals to install a bug and collect private card data. In Pre-PED devices, security features were left to each vendor to determine. The more recently adopted Visa PED and PCI PED requirements provide standardized security features that make tampering progressively more difficult.

We are seeing an increase in criminal organizations targeting the less secure pre-PED terminals by installing bugs to collect private credit and debit card information. In these cases, the criminal organizations are either inserting a bug into an in-place device or obtaining the same terminal model that a retailer uses, installing a bug, and then substituting the tampered device for the retailer's terminals. They then either come back to retrieve these terminals to obtain the stolen information, or in some cases, the tampered terminals send the information to another computer via wireless communications.

Due to repeated targeting of pre-PED PIN Pads and Payment Terminals, VeriFone has developed the following PIN Pad Security Best Practices. These best practices first enable a retailer to determine whether any existing terminals have been tampered with, and second make tampering much more difficult by implementing a comprehensive set of security controls that both prevent tampering and detect it more quickly when it does occur.

If a retailer does not enact a complete PIN Pad Security program, including PIN Pad Security Best Practices, then they will remain vulnerable to this kind of tampering.

VeriFone recommends all retailers implement the following PIN Pad Security Best Practices immediately.

  1. Immediately have a visual inspection performed on every device to look for potential signs of tampering. These include anything that does not look normal, such as lack of tamper seals, damaged or altered tamper seals, mismatched keys, missing screws, incorrect keyboard overlays, external wires, holes in the terminal or anything else unusual. If anything out of the ordinary is noticed, stop using the device and disconnect it from the POS terminal or network, but do not power it down. Contact the security officer at the terminal manufacturer to determine the next steps. Continue to perform visual inspections weekly.

  2. If your terminal contains an electronic serial number, have the electronic serial number compared to the serial number printed on the bottom of the terminal. If these do not match, stop using the device and disconnect it from the POS terminal or network, but do not power it down. Contact the security officer at the terminal manufacturer to determine the next steps.

  3. Develop a process to monitor devices that consistently do not work properly, such as high mag-stripe read failures or debit card declines. These can be indicators of tampered terminals. Contact the security officer at the terminal manufacturer to determine the next steps.

  4. Store spare devices under lock and key to prevent unauthorized removal. Incorporate a shift change procedure to validate the inventory of devices at every shift to ensure none have disappeared.

  5. Institute a procedure to track each instance in which a terminal is replaced within the store, whether from the in-store inventory, by a repair technician, or with units shipped into the store.

  6. Implement a procedure to require all repair technicians who visit your stores to sign in, verify their identity with photo identification, and remain accompanied by store personnel during any work on PIN pads.

  7. Review the installation of your PIN pads. They should be mounted on the counter; unplugging cables should require more than turning the unit over; and you may want to consider installing locking stands to prevent unauthorized removal. If you are interested, VeriFone has developed locking stands for the Everest, Omni 7X00 and MX800 Series products. Contact your VeriFone Account Executive for more details.

  8. If the PIN Pad supports electronic serial numbers, implement a scheme to validate the PIN pad serial number every time the POS starts up to ensure the device has not been replaced, and if it has, automatically send an alert. If the device supports Ethernet connectivity, consider implementing a device management solution to track all in-service devices.

  9. Make sure the password for device access is not the original default password. If it is, have it changed, as default passwords become widely known. Contact your account executive if you need help changing this password.

  10. Only obtain PIN pads from a manufacturer or manufacturer’s authorized partner. Unauthorized resellers, such as may be found online at sites such as eBay, may sell devices that are already compromised, whether intentionally or unwittingly.

  11. For similar reasons, have your PIN pads repaired at the manufacturer or an authorized manufacturer’s repair center that has completed a TG3 Key Injection audit.

  12. Develop a response plan before you suspect you have had a terminal breach. Identify the steps you need to take if you suspect a breach. Understand what to do to isolate your payment systems and prevent further loss of sensitive information. Have a list of who needs to be called, including your local law enforcement, your acquiring bank, your processor, your security assessor if you use one and your payment system vendors. Make sure you have clear assignments for who needs to do what after a suspected attack and how you will respond. Designate one individual to lead this effort.
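Items 3 and 8 above describe two controls a POS system can automate: comparing each PIN pad's electronic serial number against the recorded inventory at startup and alerting on any change, and watching for lanes with unusually high mag-stripe read failures or debit declines. The following is an added example written for this page, not VeriFone's or POSDATA's code. It assumes the retailer keeps an inventory mapping each checkout lane to the serial number printed on its deployed device, that the POS can read the electronic serial at startup, and that transaction outcomes are available as simple events; the inventory, startup readings and event list are constructed sample data.

```python
"""Startup serial validation and read-failure monitoring for PIN pads.

Added example (not vendor code). Assumes a lane -> printed serial inventory
recorded at deployment time and a POS that can read each device's
electronic serial number at startup.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample inventory: lane identifier -> serial number printed on
# the device label and recorded when the device was installed.
AUTHORIZED_INVENTORY = {
    "lane-01": "SN-1001",
    "lane-02": "SN-1002",
    "lane-03": "SN-1003",
}

# Constructed sample of what the POS read from each device at startup.
# lane-02 reports a serial that differs from the recorded one (a swapped
# device); lane-03 reported nothing (device missing or not responding);
# lane-04 has a device but no inventory record at all.
OBSERVED_AT_STARTUP = {
    "lane-01": "SN-1001",
    "lane-02": "SN-7777",
    "lane-03": None,
    "lane-04": "SN-1004",
}

# Constructed sample transaction events as (lane, outcome). Outcomes are
# "ok", "msr_fail" (mag-stripe read failure) or "debit_declined".
SAMPLE_EVENTS = (
    [("lane-01", "ok")] * 11 + [("lane-01", "msr_fail")]
    + [("lane-02", "ok")] * 7 + [("lane-02", "msr_fail")] * 4
    + [("lane-02", "debit_declined")]
    + [("lane-03", "msr_fail")] * 3 + [("lane-03", "ok")]
)

FAILURE_OUTCOMES = {"msr_fail", "debit_declined"}


@dataclass(frozen=True)
class Alert:
    lane: str
    kind: str    # serial_mismatch | no_serial | unknown_device | high_read_failure
    detail: str


def check_startup_serials(inventory, observed):
    """Compare serials read at startup against the inventory (item 8).

    Returns a list of Alert objects; an empty list means every inventoried
    lane reported exactly the serial recorded for it and no extra devices
    appeared.
    """
    alerts = []
    for lane, expected in inventory.items():
        actual = observed.get(lane)
        if actual is None:
            alerts.append(Alert(lane, "no_serial",
                                f"expected {expected}, device reported no serial"))
        elif actual != expected:
            alerts.append(Alert(lane, "serial_mismatch",
                                f"expected {expected}, read {actual}"))
    # A device on a lane the inventory does not know about is also a swap
    # or an unauthorized installation, so report it rather than ignore it.
    for lane, actual in observed.items():
        if lane not in inventory and actual is not None:
            alerts.append(Alert(lane, "unknown_device",
                                f"serial {actual} on a lane with no inventory record"))
    return alerts


def flag_read_failures(events, threshold=0.25, min_transactions=10):
    """Flag lanes whose failure share exceeds `threshold` (item 3).

    Lanes with fewer than `min_transactions` events are skipped so that a
    handful of bad swipes does not raise an alert on its own; the cutoff
    values are assumptions to be tuned against the store's normal rates.
    """
    totals = Counter(lane for lane, _ in events)
    failures = Counter(lane for lane, outcome in events
                       if outcome in FAILURE_OUTCOMES)
    alerts = []
    for lane, total in sorted(totals.items()):
        if total < min_transactions:
            continue
        rate = failures[lane] / total
        if rate > threshold:
            alerts.append(Alert(lane, "high_read_failure",
                                f"{failures[lane]}/{total} failures ({rate:.0%})"))
    return alerts


if __name__ == "__main__":
    for alert in check_startup_serials(AUTHORIZED_INVENTORY, OBSERVED_AT_STARTUP):
        print(f"STARTUP  {alert.lane}: {alert.kind} ({alert.detail})")
    for alert in flag_read_failures(SAMPLE_EVENTS):
        print(f"MONITOR  {alert.lane}: {alert.kind} ({alert.detail})")
```

The startup check treats a missing serial and an unknown lane as alerts rather than silently passing them, since both are exactly what a substituted device looks like from the POS side; in practice the alerts would be routed to the person designated in item 12 rather than only printed.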

Taken together, these PIN Pad Security Best Practices should significantly reduce the risk of PIN Pad tampering and compromise. These practices should be followed even after PCI approved PIN pads have been deployed.

Additional information can be found on VeriFone's Retail Payment Security web site at www.secureretailpayments.com. To be added to VeriFone's payment security email list, please send an email to securepayments@verifone.com.


© Copyright 2007 POSDATA. All rights reserved.
All company names are trademarks or registered trademarks of their respective companies.