To know whether your devices have been tampered with, you first need to know what each device is expected to look like in its original state. This is where knowing the types of devices you have becomes useful.
For each type of device, document what the expected “good state” of the device should be and what steps need to be checked by the person doing the regular inspections of the device. Examples of things that people should check for may include:
- Does it match the expected make, model, and serial number or other unique identifier?
- Is anything loose?
- Has anything been added that wasn’t there last time?
- Are there any unexpected scratches or marks that might be indicative of tampering?
It only takes seconds for someone to replace a device, but if your staff know what to look for and what to be aware of, this will help keep your devices secure.
Regular training is important for everyone, especially people who interact with customers on a daily basis since they’re the most likely to come into contact with cardholder data.
Understand how often staff change or leave roles so you know how often the training needs to be repeated. Common things that training should cover include:
- How to check devices.
- What to do if someone wants to access the device (e.g. they ask to repair or replace it).
- What kinds of suspicious behaviour to look for.
- How to report anything that could be suspicious and who to report it to.
- What to do with lost cards to keep them secure.
How Often Should You Check Your Devices?
This depends a lot on where they are. For example, if your devices are unattended, you might want to check them more frequently. However, if your devices are attended, you might want to make sure that your staff do a quick check at the start of any shift and a more detailed check at a lower frequency. Whatever you decide is right for your business, make it easy for staff to know what to look for and record what they have seen!
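As an added example (not from the original article), here is a small Python check that reconciles the latest recorded inspection for each device against its documented "good state": make, model and serial, physical condition, unexpected additions, and whether the check is overdue for attended versus unattended devices. The baseline, the inspection cadence and the inspection records are constructed placeholders.

```python
from datetime import datetime, timedelta

# Constructed baseline: the documented "good state" per device location.
# Make/model/serial values are placeholders, not real devices.
BASELINE = {
    "till-1":  {"make": "ExampleCo", "model": "PT-100", "serial": "SN-0001", "attended": True},
    "kiosk-A": {"make": "ExampleCo", "model": "PT-200", "serial": "SN-0002", "attended": False},
}

# Assumed cadence: attended devices get a quick check every shift (daily here),
# unattended devices are checked more often. Both values are assumptions.
MAX_AGE = {True: timedelta(days=1), False: timedelta(hours=8)}


def review_inspections(baseline, inspections, now):
    """Return (location, finding) pairs that need follow-up.

    `inspections` maps a location to its latest recorded check:
    {"make", "model", "serial", "seals_intact", "additions", "checked_at"}.
    """
    findings = []
    for loc, expected in baseline.items():
        rec = inspections.get(loc)
        if rec is None:
            findings.append((loc, "no inspection recorded"))
            continue
        # Identity: make, model and serial must all match the documented state.
        for field in ("make", "model", "serial"):
            if rec.get(field) != expected[field]:
                findings.append((loc, f"{field} mismatch: expected {expected[field]}, saw {rec.get(field)}"))
        if not rec.get("seals_intact", False):
            findings.append((loc, "seal or case damaged"))
        if rec.get("additions"):
            findings.append((loc, f"unexpected attachment: {rec['additions']}"))
        # Staleness: a device nobody has looked at recently is a gap in coverage.
        if now - rec["checked_at"] > MAX_AGE[expected["attended"]]:
            findings.append((loc, "inspection overdue"))
    # A device on the floor that is not in the inventory is itself a finding.
    for loc in inspections:
        if loc not in baseline:
            findings.append((loc, "device not in inventory"))
    return findings


def example_findings():
    """Run the check over constructed inspection records for the two devices above."""
    now = datetime(2024, 1, 2, 9, 0)
    inspections = {
        "till-1": {"make": "ExampleCo", "model": "PT-100", "serial": "SN-9999",
                   "seals_intact": True, "additions": "", "checked_at": now - timedelta(hours=1)},
        "kiosk-A": {"make": "ExampleCo", "model": "PT-200", "serial": "SN-0002",
                    "seals_intact": True, "additions": "card reader overlay",
                    "checked_at": now - timedelta(hours=12)},
    }
    return review_inspections(BASELINE, inspections, now)
```

Running `example_findings()` flags the swapped serial on the till, the overlay on the kiosk, and the kiosk inspection being older than the unattended-device cadence.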
The PCI SSC publishes lots of resources for small businesses and retailers. Some of these documents include:
Need More Help?
If you’re a merchant doing PCI, Confide can help regardless of your transaction level. Contact us to find out more.