Visa Europe revealed important stats about the usage of contactless cards. Poland, Spain and the UK use this payment method the most, with UK usage growing by 300% year over year.
Point of sale (PoS) terminals, PIN Entry Devices (PEDs), standalone dial-out terminals and similar devices are a prime target for attackers who want to gain illegal access to the cardholder data of paying customers, which is why it is so important to keep each and every one of them protected.
Protecting payment card reading devices is a major point of the PCI DSS (Payment Card Industry Data Security Standard): from the 1st of July 2015, requirement 9.9 is no longer just a best practice. It states that, in order to be PCI compliant, organisations that accept card-present payments must "protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution."
Whether you are a micro or small business or a large company with several thousand terminals across thousands of branches, you must protect your terminals and report on their compliance. The problem is that following requirement 9.9 and all of its sub-requirements is often a long and strenuous task, as you have to be very well organised.
For organisations that accept card-present payments, PCI compliance involves inspecting point of sale terminals regularly. We may call the PoS inspection process "auditing"; it is a task you need to complete in order to discover whether any of your devices has been tampered with.
The first task to complete before auditing PoS devices is keeping an up-to-date list of them (as described in PCI DSS requirement 9.9.1). This list should include all the information available about each terminal:
You must also "interview personnel to verify the list of devices is updated when devices are added, relocated, decommissioned, etc." and "select a sample of devices from the list and observe devices and device locations to verify that the list is accurate and up to date."
The next, tedious, step once a device is on your list is the auditing process itself, which consists of "periodically inspect[ing] device surfaces to detect tampering". This means checking each device for things such as card skimmers and other unauthorised components that a malicious attacker may have added to the point of sale terminal. You must also check the serial number "or other device characteristics to verify it has not been swapped with a fraudulent device", and you have to maintain a policy and training programme to make sure your employees know how to carry out all of this too.
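The two steps above, keeping the device list current (9.9.1) and checking each device's serial number and surfaces during an inspection round (9.9.2), are easy to get wrong when done by hand across many tills. The script below is an added example, not part of this post or of ZeroRisk PINpoint: it reconciles a constructed inventory against a constructed inspection round and flags a serial number that does not match the list (a possible substituted device), a device whose surface check failed, a device found that nobody listed, and a listed device that nobody has inspected within the assumed 30-day interval. Device ids, models, serials and the interval are all invented for the example.

```python
"""Reconciling a PoS device inventory against an inspection round.

Added example for PCI DSS 9.9.1 (keep an up-to-date list of devices) and
9.9.2 (inspect surfaces, verify serial numbers). All device data below is
constructed for illustration; the 30-day interval is an assumed policy value.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta

INSPECTION_INTERVAL = timedelta(days=30)   # assumed: how often each device must be checked
INSPECTION_DATE = date(2015, 7, 1)         # the day this constructed inspection round took place


@dataclass(frozen=True)
class Device:
    """One row of the 9.9.1 inventory."""
    device_id: str
    make_model: str
    location: str
    serial: str
    last_inspected: date


@dataclass(frozen=True)
class Observation:
    """What the inspector recorded at one till (9.9.2)."""
    device_id: str        # label on the device; may be unknown to the inventory
    location: str
    serial: str           # read from the device itself, not copied from the list
    surfaces_ok: bool     # no overlay, skimmer, drilled hole or extra cable found


# Constructed inventory: four terminals across two stores.
INVENTORY = [
    Device("POS-001", "PED-A1", "Store 12 / Till 1", "SN-1001", date(2015, 6, 20)),
    Device("POS-002", "PED-A1", "Store 12 / Till 2", "SN-1002", date(2015, 6, 20)),
    Device("POS-003", "PED-B2", "Store 14 / Till 1", "SN-1003", date(2015, 5, 1)),
    Device("POS-004", "PED-B2", "Store 14 / Till 2", "SN-1004", date(2015, 6, 25)),
]

# Constructed inspection round: POS-003 was not visited, one serial does not
# match, one device looks tampered with, and one unlisted device was found.
OBSERVATIONS = [
    Observation("POS-001", "Store 12 / Till 1", "SN-1001", True),
    Observation("POS-002", "Store 12 / Till 2", "SN-9999", True),
    Observation("POS-004", "Store 14 / Till 2", "SN-1004", False),
    Observation("POS-007", "Store 14 / Till 3", "SN-7007", True),
]


def reconcile(inventory, observations, today):
    """Return (code, device_id, detail) findings for one inspection round."""
    findings = []
    listed = {d.device_id: d for d in inventory}
    seen = set()
    for obs in observations:
        seen.add(obs.device_id)
        dev = listed.get(obs.device_id)
        if dev is None:
            # A device nobody put on the list: an inventory gap or a planted terminal.
            findings.append(("UNKNOWN_DEVICE", obs.device_id, f"found at {obs.location}"))
            continue
        if obs.serial != dev.serial:
            # The serial read off the device must match the list; a mismatch is the
            # standard's signal for a swapped (substituted) device.
            findings.append(("SERIAL_MISMATCH", dev.device_id,
                             f"expected {dev.serial}, found {obs.serial}"))
        if obs.location != dev.location:
            findings.append(("RELOCATED", dev.device_id,
                             f"listed at {dev.location}, found at {obs.location}"))
        if not obs.surfaces_ok:
            findings.append(("TAMPER_SUSPECTED", dev.device_id, "surface check failed"))
    for dev in inventory:
        if dev.device_id not in seen and today - dev.last_inspected > INSPECTION_INTERVAL:
            findings.append(("INSPECTION_OVERDUE", dev.device_id,
                             f"last inspected {dev.last_inspected}"))
    return findings


def update_inventory(inventory, observations, today):
    """Stamp today's date only on devices that were seen, serial-matched and clean."""
    clean = {o.device_id for o in observations if o.surfaces_ok}
    serial_seen = {o.device_id: o.serial for o in observations}
    return [
        replace(d, last_inspected=today)
        if d.device_id in clean and serial_seen[d.device_id] == d.serial else d
        for d in inventory
    ]


def run_example():
    """Run the constructed round; returns (findings, updated inventory)."""
    findings = reconcile(INVENTORY, OBSERVATIONS, INSPECTION_DATE)
    return findings, update_inventory(INVENTORY, OBSERVATIONS, INSPECTION_DATE)


if __name__ == "__main__":
    for code, device_id, detail in run_example()[0]:
        print(f"{code:<20} {device_id:<8} {detail}")
```

The point of separating `reconcile` from `update_inventory` is that the list only gets a fresh inspection date for devices that passed every check; a device with a mismatched serial or a failed surface check keeps its old date and stays visible as a finding until someone resolves it, which is the evidence trail an assessor will ask for.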
Following the guidelines in requirement 9.9, let's imagine a hypothetical step-by-step process for auditing devices on a recurring basis.
The previous paragraph covers what we at Advantio call the "standard auditing process": an approach that works for many merchants and service providers but may not be right for others. This is why we created ZeroRisk PINpoint with the possibility for each company to personalise the process.
ZeroRisk PINpoint is an adaptable, easy-to-use and cost-effective way to conduct the PoS inspection (or auditing) process.
I am the Founder of Advantio.
Technology has been my passion since I was a kid; when I first heard the handshake of an old 300bps modem I realised security would be key in an interconnected world. Since then it has become my passion and primary focus.
The reason why I've started my own business is to make IT Security simple.
Certifications: CISSP / CCSA (Checkpoint) / ITIL Foundations / ACSA (ArcSight) / Linux+ / PCI-QSA / PA-QSA