PCI DSS – How to protect payment terminal at the point of sale

Secure payment transactions

Whether online, mobile or at the point of sale, security is and remains one of the most important factors in the payment process. Thanks to recent developments, such as EMC chip technology (chip & pin), the risk of card misuse has been effectively reduced in recent years. But while the use of the cards is supposedly safer, a trend can be observed at the point of sale that disturbs merchants - physical attacks and manipulations of stationary payment terminals are increasing. We would like to show you how such manipulations look and what measures you can protect.

POS skimming

In order to manipulate card reading devices, fraudsters work with overlay skimmers. An overlay skimmer is a plastic cover, similar to the actual input surface of a terminal - including the keypad and card slot.

If a terminal covered by these devices, fraudsters can reach all the important data of a paying customer without further effort. In detail, the process is as follows: a customer inserts his card through the manipulated card slot and then enters his PIN via the manipulated keypad. If card numbers and PIN are read by skimmer, they are transmitted via Bluetooth to a smartphone.

What does a credit card skimmer look like?

What should you look out for? Skimmers make the terminal look bulkier. The keys are also an important indicator. If these are difficult to press, the device should be immediately checked and temporarily withdrawn from circulation.

Practical tips on POS security

In order to enable you to operate your stationery business even more securely, we have compiled and listed four practical tips for terminal security:

• Never give your terminal to a foreign person. Even if this is presented as maintenance personnel, please do not leave the terminal without consulting your payment service provider. To avoid surprises, technician visits should always be confirmed with your PSP.
• In principle, there is no prescribed frequency to which your terminal must checked, but we recommend a daily check. Check your terminal at least superficially for tampering or attempted tampering. If you discover traces of manipulation or other abnormalities, you should immediately inform the police and the corresponding payment provider.
• If there is a suspicion of a break-in, you should immediately inform the police as well as your payment provider (regardless of the severity of the burglary). To avoid any risk for tampering, you should have all terminals exchanged.
• If there is an acute suspicion of manipulation, you have the option of using your own mobile device to locate "foreign" sources (Bluetooth, WLAN). Also check the LAN cable of your POS terminal. If you notice any irregularities, please inform the police as well as your payment service provider.

PCI DSS requirement for point of sale

What does PCI stand for?

PCI (also referred to as PCI-DSS) means payment card industry data security standard and represents a set of rules in the field of payment transactions. This regulation refers to the process of credit card transactions. It is supported by the important credit card organizations and observed for customer safety. Service providers and merchants using credit card transactions must adhere to the PCI standard. If this is not the case, penal charges and restrictions can be imposed, which may lead to the prohibition of the acceptance of credit cards. The set of rules includes twelve requirements that companies must meet.

Learn more about the PCI guidelines.

New PCI DSS regulations

Since July 1, 2015, it is also mandatory to adhere to PCI DSS Requirement 9.9 to maintain PCI DSS Compliance status. If the POS devices are not protected, the dealer runs the risk of not being able to offer any card payments. The requirement 9.9 deals with the physical security of the cardholder data and the prevention of criminal attacks. Crime involving cardholder data are not solely committed by hackers. The physical theft of hardware that includes this data and criminal manipulations also play a role. In this case, the subpoint "Protect card-reading devices and terminals, used to capture cardholder data" applies. All merchants using POS devices and POS terminals to accept card payments must comply with the latest PCI DSS regulations (currently PCI DSS 3.2, published in April 2016).

1. Maintaining Terminals/Devices

From the first use, the physical security of the card readers must be checked continuously. When working with a single device, this is a straightforward task. However, when working with many devices, ongoing monitoring is essential to ensure the safety efficiently. The exact location of the terminal, as well as all important information about the device (e.g. model, serial number or other device-specific details) must be noted. If changes occur, for example the location, they should be noted immediately.

2. Regular control of the terminals/devices for manipulations und substitutions

Regular inspections can prevent manipulations and substitutions. For this purpose, the specific control mechanisms for the devices must be precisely defined and documented. However, PCI DSS 9.9 does not specify the frequency of the checks. This is in the hands of the dealer and depends on the risk profile of the respective devices. The risk profile is made up of the type of device, location and monitoring. The dealer is sole responsible for the test frequency.

3. Staff training

All employees should be trained to effectively examine card readers for substitution or manipulation. In principle, the company should be prepared for all eventualities. Criminals can use counterfeit devices that are specially designed for data theft to companies, or they can even present themselves as authorized maintenance personnel, thus reaching the sensitive data. It is therefore important to build a strong sense of security through regular staff training. These training sessions should be recorded and logged by the company.

Increase POS security through encryption and testing

If the data sets are perfectly encrypted, no matter how much energy and resources hackers put into the creation of new POS malware - their theft remains encrypted. According to experts, end-to-end encryption would be the most effective means of protecting sensitive data. Using this, the customer data remains encrypted during the entire payment process. In addition, POS systems should be regularly tested and verified for weaknesses so that they are always up-to-date.