If you are a merchant with a brick and mortar store, then the chances are quite high that your outlet has a standalone dial-out terminal. A standalone dial-out terminal is an electronic point-of-sale (POS) device where your customers can insert their payment cards to pay for goods.

This terminal may be a PIN entry device (PED) with chip and PIN or it may allow them to swipe their credit or debit card. Usually you need to have a PIN if your card has a chip while your signature on the paper receipt is enough if the card is swiped only.

The 'dial-out' part of the name comes from the fact that this device is connected to a phone line.

What are the Cyber Security risks related to the use of Standalone Dial-Out Terminals?

Dial-out terminals are incredibly popular among merchants because they are fairly easy to set up (they just need to be connected to a landline) and they allow customers to quickly pay using their payment card and avoid using cash (this applies to any type of card-reading devices and terminals).

However, the use of these devices also makes them a prime target for hackers and malicious people who would like to use those machines to access the cardholder data that pass through your company's machines each and every day.

A dial-out terminal uses a phone line, which means that it works based on a point to point communication. This means that the data transmitted by the terminal is less prone to interception but it also means that most of the risks come from the physical element of the terminal rather than the network. This is why it’s important to keep your devices under constant control.

For example, it's important to consider where you purchased the terminal and if the terminal that you are buying has been used or not. If it has been used or if the seller isn't completely trustworthy or reputable, there is the risk that the device has been tampered with to provide customer data to malicious people.

Speaking of tampering, there's the genuine concern that someone could fit a card 'skimmer' onto your device. Card skimmers skim the information from the magnetic strip of a card, which the person behind the card skimmer can then use to make a fake/cloned card which they can then use to access the original cardholder's account.

Furthermore, malicious people may tamper with your device and fit it with software that can access your customers’ data. It is vital that your terminal is physically secure and that your employees stay aware of possible mistreatment.

How can you prevent those risks?

These are considerable risks that, if left unchecked or unanswered for, could cause serious problems for you and your customers. But, there are methods of preventing them.

One thing you can do to ensure that your standalone dial-out terminal is secure is to fill out one of the available SAQs, the set of self-assessment questionnaires put together by the PCI SSC (Payment Card Industry Security Standard Council). The PCI SSC is a group made up of leading cardholder companies (such as Visa and MasterCard), and there are different questionnaires for each type of business set up.

In your case, as a business owner with a standalone dial-out terminal, you will need to look at SAQ B. The questionnaire has a list of requirements that allow you to figure out what you need to do in order keep your terminal protected. PCI DSS Requirement 9.9 requires that "devices that capture payment card data via direct physical interaction with the card protected against tampering". It also asks if your terminal is "periodically inspected" and if your employees are aware of your policies for doing this.

Choose an easy-to-use and cost effective solution to comply with PCI DSS Requirement 9.9

It is vital for the security of your business to understand that carrying out the necessary requirements of PCI DSS Requirement 9.9 and filling out SAQ B (Self-Assessment Questionnaire B) may be difficult and time-consuming, which is why Advantio's team has developed the mobile app called ZeroRisk PINpoint and is working on creating ZeroRisk PCI Portal for Merchants.

ZeroRisk PINpoint allows you to keep track of any changes with your terminal and it also provides easy-to-understand status reports that you can share with other employees. Click below to find out more about this product and its costs. 

Igor Mancini

Written by Igor Mancini

Marketing Director at Advantio. The articles published in the Advantio Blog have the goal of supporting our mission: making IT Security simple for everyone.

My intention is to discuss IT Security related topics with the eyes of a non technical person, speaking a simple language and trying to show to the readers the benefit of IT Security best practices.