Point of sale (PoS), PIN Entry Devices (PED), Standalone Dial-Out terminals - and similar type of devices - are a prime target for attackers who want to gain illegal access to the cardholder data provided by paying customers, which is why it's so important to keep each and every one of them protected.

It is a major point of the PCI DSS (Payment Card Industry Data Security Standard) to protect payment card reading devices, since requirement 9.9 is not a best practice anymore, starting from the 1st of July 2015. This requirement states that in order to be PCI compliant, organisations that accept card present type of payments must "protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution."

Whether you're a small or micro business or a large company with several thousands of terminals in thousands of branches, you must protect your terminals and report about their compliance. The problem is that following requirement 9.9 and all of its sub-requirements can often be a long and strenuous task as you have to be very well organized.

A good and regular PoS inspection helps you avoid tampering and data loss.

PCI compliance, for organisation that accept card-present type of payments, involves inspecting point of sale terminals regularly. We may call the PoS inspection process "auditing", and it’s a task that you need to complete in order to discover if any of your devices has been tampered with.

The first task to complete before auditing PoS devices is keeping an up-to-date list of them (as described in PCI DSS requirement 9.9.1). This list should include all the information available about each terminal:

  • Make (manufacturer) and model.
  • Device's serial number or "other method of unique identification".
  • Location of each device (for example, the address of the site or facility where the device is located).
  • Specific location within the environment (for example, explain whether the device is placed next to a particular counter, on the bar or it moves around together with its carrier).

You must also "interview personnel to verify the list of devices is updated when devices are added, relocated, decommissioned, etc." and "select a sample of devices from the list and observe devices and device locations to verify that the list is accurate and up to date."

The following, tedious, step to take once a device is in your list, is the auditing process, which consists in "periodically inspect device surfaces to detect tampering". This means that you have to check each device for things such as card skimmers and other unauthorised components that may have been added to the point of sale terminal by a malicious attacker. You must also check the serial number "or other device characteristics to verify it has not been swapped with a fraudulent device" and you have to maintain a policy/training system to make sure that your employees know how to conduct all of this too.

Make sure you plan your auditing steps very carefully.

Following the guidelines written in requirement 9.9, let’s imagine an hypothetical step-by-step process for recurrently auditing devices.

  • Track Device Software. First of all, it is extremely important to regularly check and keep track of the software version that the point of sale terminal is using as this allows to verify the patching process and analyse the alignment of the device in use. A change of the software in use may very well be a cause of data loss, so it is extremely important to keep track of this information.
  • Inspect Stickers. It's not uncommon for point of sale devices to have stickers on them; stickers which have been put there to clearly outline important information about the device. This information may be a bar code, a serial number or it may inform about the device's tampering protection mechanisms. It is key to inspect each device and report about the status of stickers: damaged stickers are a potential proof of tampering.
  • Take Photos. In order to provide evidence that the device has indeed been inspected, you should consider taking photos of the audited device. Photos of the device should be taken from several angles is the best method to keep it under control. Thanks to a visual comparison of photos taken in the past, it will be possible to spot signs of tampering or confirm the integrity of the terminal.
  • Check Physical Connection. Each devices comes with a particular type of cable. The PoS user should keep this detail under control and make sure that no new cables are connected to the device without authorisation. Cable inspection must be a key step of the terminals’ auditing process.
  • Visual Tampering Check. To complete the PoS device audit you must inspect the device on all sides in order to find any evidence of tampering. Sometimes this evidence may present itself as an extra component (for example, a card skimmer over the card slot or something on the keypad) but you should be thorough here, also looking at the visible screws of the device and its plastic cover in order to verify the integrity of the audited device. This step of the audit should include any observations concerning the device's physical integrity that are not covered by the previous steps.

Each entity should build its own auditing process.

The previous paragraph covers what, here at Advantio, we call “standard auditing process”. An approach that can work for many Merchants and Service Providers, but may not be right for others. This is why we have created ZeroRisk PINpoint keeping in mind the possibility to let each company personalize the process.

  • If your organisation uses a few different makes and models of PoS devices then they most probably need multiple auditing processes.
  • Each organisation creates its own compliance programs, each program detailing the level of data that needs to get from the auditing process.
  • A company’s security awareness program can affect how an auditing process is put together as employees with little security knowledge will need a more complex auditing process to support them and those employees who are well-versed when it comes to cyber security will need an auditing process that is far simpler.
  • 24/7 companies are exposed to security risks more than those retailers that are open only few days a week, for a few hours. Let’s think of supermarkets, hotels, gas stations and other business that usually have a large number of employees and continuous shifts. These organisations might want to inspect their terminals more frequently than others.

ZeroRisk PINpoint is adaptable, easy-to-use and a cost effective way to conduct the PoS inspection (or auditing) process.

Marco Borza

Written by Marco Borza

I am the Founder of Advantio.
Technology has been my passion since I was a kid; when I first heard the handshake of an old 300bps modem I realised security would be key in an interconnected world. Since then it has become my passion and primary focus.
The reason why I've started my own business is to make IT Security simple.

Certifications: CISSP / CCSA (Checkpoint) / ITIL Foundations / ACSA (ArcSight)/ Linux+/ PCI-QSA / PA-QSA