POS terminal security: Best practices for point of sale environments

Tampering and skimming threats for the acquirers, merchants and processors of card data are on the rise. Acquirers, merchants and processors should work proactively towards increasing point of sale (POS) terminal security to mitigate such threats.

Skimming is the transmitting of electronic data from a customer’s credit or debit card account to another source for fraudulent purposes. Your customers may use a chip card or a magnetic stripe card. Some of these require that cardholders sign a sales voucher to confirm the sale. Others require that customers enter their PIN at the terminal. Criminals will try and place electronic equipment into the terminal or intercept the data communication path, in order to capture card data. If successful, this allows them to create false cards and perform fraudulent transactions.

Here are some examples to illustrate tampering and skimming:

• POS terminals seldom have security stickers. Elsewhere, company stickers may be placed over screw holes to detect tampering. Criminals may remove these labels when compromising terminals, and replace it with their versions.
• Skimming devices concealed within POS terminals are invisible to merchant staff and cardholders.
• Use of key loggers to record key strokes.
• Criminal(s) enter the merchant location pretending to be service engineer(s).

Best practice security guidelines

Physical Location

Physical location has a considerable higher impact of you being targeted by criminals. These miscreants want high returns in terms of the number of captured credit and debit card details, in the shortest time. They want low risks of being caught, or of detection of the compromise.

Criminals typically target isolated merchant locations situated near, or at, busy junctions to major highways. Locations that are open extended hours are especially attractive, since few staff members are on duty.

Change of location is not feasible for merchants. So it’s important to understand the risks associated with your particular physical location and implement other guidelines for protection from attacks.

Terminal environment

Improvements in terminal security mean that compromises take longer time. However, due to the range and type of POS terminals in use, criminals can target merchant locations with ‘older’ and ‘weaker’ terminals.

To insert skimming devices, it’s often necessary to take away POS terminals or swap existing terminals with compromised terminals. If your POS terminal is located at, or near the entrance to your store, consider providing additional security to prevent removal. For example, you could lock it in a stand permanently attached to a cash desk or sales counter.

Digital technology has resulted in smaller cameras. Criminals may hide cameras in imaginative ways, so their presence may not be obvious.

Staff

Speaking to staff members in relation to criminal activity is a sensitive topic. While we all consider our employees to be loyal, hardworking, and trustworthy, be aware that they are at risk from organized criminal gangs.

Be cautious if:

• Employees seem scared to answer questions or appear nervous. Be careful if they don’t want to conduct regular checks of POS terminals.

• High-risk merchants should perform regular checks of all POS terminals—the surrounding environment must be part of daily routine.
• Maintain precise records of staff attendance, including any last minute changes. Keep these records for at least six months.
• Educate staff to be conscious of the types of attacks and associated risks.

Surveillance cameras

Surveillance cameras provide a deterrent to criminals. It’s essential to keep such recordings for at least three months. Duty staff should not have access to surveillance cameras, past/present recordings and control equipment. Position surveillance cameras so that they record the area around the POS-PED device without recording entered PIN numbers.

Service personnel

When it’s necessary to call a service engineer, clearly agree on the time and date. Try and confirm the service engineer’s name.

If a service engineer (or a person claiming to be a service engineer) arrives unannounced at your merchant location, don’t allow access until you have verified his/her credentials. This must include contacting the vendor or service company to confirm their identity. All work undertaken by the service engineer must be written down in a report (retain it for at least six months).

Terminal connectivity

Modern terminals use a range of connectivity methods. Be aware that certain parts of transaction data are transmitted in clear text format. Since this data can be targeted by criminals, staff should understand and record all connections to the terminal. Note the entire cable path from the terminal to the point where it leaves your merchant location.

Wireless connectivity

Wireless connectivity permits terminals to be independent of cash counters. For example, the terminal can be taken to a table in a restaurant to allow customers to pay their bill without losing sight of their payment card. A criminal can easily steal, modify and return such a terminal without anyone realizing its absence. Track the number of terminals utilized each day, and devise a method to quickly identify who has the terminal at any particular time.

Bluetooth and Wi-Fi enabled Terminals

The terminal types mentioned above are usually either ‘Bluetooth’ or ‘Wi-Fi’ enabled. Although designed to operate over short ranges, criminals can intercept Bluetooth and Wi-Fi signals over significant distances—certainly beyond your merchant location’s walls. So enable the terminal’s security functions—apply all security updates and patches where necessary.

GPRS enabled terminals

Certain terminals connect to their host system via the GPRS (cellular phone) network. This allows merchants who are not at fixed locations (like at music concerts or festivals) to accept credit and debit card payments. Since there’s no fixed location, the merchant is responsible for ensuring the terminal’s integrity and security. Store such POS terminals securely when they are not in use.

Data security

Cybercrime is growing in diversity and sophistication—criminals are increasingly targeting merchant systems to obtain credit and debit card details. So understand how your systems work, and identify all possible points in the chain that could store data.

Often, merchants are not aware that sensitive data is stored in their systems. Therefore, merchants must adopt and follow the Payment Card Industry Data Security Standard (PCI-DSS) process and requirements.

To overcome POS terminal weakness and possibility of POS tampering, the steps that can be taken by acquirers, merchant and processors are:

• POS equipment protection: Keep a watchful eye on POS Equipment 

•Physical security: Safeguard POS equipment and surrounding areas

• Staff communication and education: Train your employees on POS equipment tampering prevention

• Prevent or deter criminal attacks against POS terminals used at their location

• Recognize compromised terminals as soon as possible to minimize a successful attack’s impact

About the authors:

Shobitha Hariharan is the CISO at Shoppers Stop. Her achievements include being able to revamp Shoppers Stop’s information security posture within a short period of six months. Shobitha has a legal and accounting background. You can read her complete profile on our CISO Power List for 2012, here.

Nitin Bhatnagar is the Global Head - Business Development and Marketing - Information Security  (CEMEA and USA), with SISA Information Security Pvt. Ltd. Nitin holds a master’s degree in information security from Indian Institute of Information Security –Allahabad and has over five years of experience in information security. He is currently appointed on the National Security Database Technology Advisory Committee (NSD-TAC). He can be reached at [email protected]. All views in this article are the author's own.