Merchants with EFTPOS terminals have a set of requirements specific to card-present transaction security. That’s because card-skimming can happen anywhere, and it even happens in New Zealand! In this article, we want to help you understand how to protect the devices that your customers interact with to pay you.
Know Your Devices
PCI requires that you keep an inventory of all your devices that includes:
- Manufacturer, make, and model
- Physical location
- Unique identifier (such as the serial number)
This basic information helps you understand what should be in your environment and provides you with the foundation to be able to know when there is something that doesn’t belong.
Secure Your Devices
Once you know what devices are in your store(s), the next thing to do is to take steps to secure the devices. This can be done through physical security controls or monitoring. Some examples of ways you can secure your devices include:
- Making sure it is difficult to swap or remove cables by enclosing them away from customers.
- Physically or logically locking down any network ports that the device plugs into.
- Monitoring for tampering via CCTV (be careful that you aren’t accidentally collecting card numbers or PINs on your video).
- Regularly checking devices for tampering.
Teach Your Staff
Your sales staff are the most important part of making sure that terminals are secured. But they can’t do this unless they understand how to tell if terminals have been tampered with. A terminal can be replaced faster than you think!
To understand if your devices have been tampered with, you need to understand what the device is expected to look like in its original state. This is where knowing about the types of devices you have becomes useful.
For each type of device, document what the expected “good state” of the device should be and what steps need to be checked by the person doing the regular inspections of the device. Examples of things that people should check for may include:
- Does it match the expected make, model, and serial number or other unique identifier?
- Is anything loose?
- Has anything been added that wasn’t there last time?
- Are there any unexpected scratches or marks that might be indicative of tampering?
It only takes seconds for someone to replace a device, but if your staff know what to look for and what to be aware of, this will help keep your devices secure.
Regular training is important for everyone, especially people who interact with customers on a daily basis since they’re the most likely to come into contact with cardholder data.
Use how often staff change or leave roles to decide how often you need to run the training. Common things that training should cover include:
- How to check devices.
- What to do if someone wants to access the device (e.g. they ask to repair or replace it).
- What kinds of suspicious behaviour to look for.
- How to report anything that could be suspicious and who to report it to.
- What to do with lost cards to keep them secure.
How Often Should You Check Your Devices?
This depends a lot on where they are. For example, if your devices are unattended, you might want to check them more frequently. However, if your devices are attended, you might want to make sure that your staff do a quick check at the start of any shift and a more detailed check at a lower frequency. Whatever you decide is right for your business, make it easy for staff to know what to look for and record what they have seen!
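As an added illustration (not from the original article), the script below reconciles staff inspection records against the device inventory described above and applies a check frequency that depends on whether the device is attended. The inventory, inspection records, serial numbers, field names and check intervals are all constructed sample data and assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample inventory with the PCI-required fields; "attended" decides how often a check is due.
INVENTORY = {
    "SN-1001": {"make": "ExampleCo", "model": "T100", "location": "Till 1", "attended": True},
    "SN-1002": {"make": "ExampleCo", "model": "T100", "location": "Till 2", "attended": True},
    "SN-2001": {"make": "ExampleCo", "model": "K5", "location": "Car park kiosk", "attended": False},
}

# Constructed inspection log (one record per staff check). Note the device at Till 2 now carries an unknown serial.
INSPECTIONS = [
    {"serial": "SN-1001", "make": "ExampleCo", "model": "T100", "location": "Till 1",
     "time": "2024-05-10T08:00", "loose": False, "added": False, "marks": False},
    {"serial": "SN-9999", "make": "ExampleCo", "model": "T100", "location": "Till 2",
     "time": "2024-05-10T08:05", "loose": False, "added": False, "marks": False},
    {"serial": "SN-2001", "make": "ExampleCo", "model": "K5", "location": "Car park kiosk",
     "time": "2024-05-09T07:00", "loose": True, "added": False, "marks": False},
]

# Assumed intervals: a start-of-shift check for attended devices, a shorter one for unattended devices.
ATTENDED_INTERVAL = timedelta(days=1)
UNATTENDED_INTERVAL = timedelta(hours=12)

def reconcile(inventory, inspections, now_iso):
    """Return (serial, finding) pairs for anything that needs follow-up."""
    now = datetime.fromisoformat(now_iso)
    findings, last_seen = [], {}
    for rec in inspections:
        serial, seen_at = rec["serial"], datetime.fromisoformat(rec["time"])
        expected = inventory.get(serial)
        if expected is None:  # a device never put in the inventory: possible swap
            findings.append((serial, "unknown device: serial not in inventory"))
            continue
        for field in ("make", "model", "location"):  # compare against the documented good state
            if rec[field] != expected[field]:
                findings.append((serial, f"{field} mismatch: saw {rec[field]!r}, expected {expected[field]!r}"))
        for sign in ("loose", "added", "marks"):  # the visual tamper indicators staff tick off
            if rec[sign]:
                findings.append((serial, f"possible tampering: {sign}"))
        last_seen[serial] = max(seen_at, last_seen.get(serial, seen_at))
    for serial, dev in inventory.items():  # every inventoried device must have a recent check
        limit = ATTENDED_INTERVAL if dev["attended"] else UNATTENDED_INTERVAL
        if serial not in last_seen:
            findings.append((serial, "not inspected: no inspection record"))
        elif now - last_seen[serial] > limit:
            findings.append((serial, f"inspection overdue by {now - last_seen[serial] - limit}"))
    return findings
```

Calling `reconcile(INVENTORY, INSPECTIONS, "2024-05-10T09:00")` on the sample data flags the unknown serial at Till 2, the inventoried device that was never inspected (the one it apparently replaced), the loose kiosk terminal, and the overdue kiosk check.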
The PCI SSC publishes lots of resources for small businesses and retailers. Some of these documents include: