In previous posts, I have commented that high volume retailers, food chains, and other high-velocity transaction points are less likely to experience compromises at POS devices, because those devices receive more attention and coverage. Compromises are more likely in situations with unattended payment terminals, lower volume locations, or locations where the employees must multi-task or are consistently drawn away from the POS devices. This often occurs in craft stores, convenience stores, and one-person retail operations. These situations are susceptible to this type of fraud since device swapping can occur without observation. I’ve also commented on self-checkout POS devices. Based on recent events, let’s add “chain of custody of PIN pads” to the list.
Cyber crime is at an all-time high. In last week’s news, bookseller Barnes & Noble reported that their credit card readers were compromised at approximately sixty locations, resulting in many instances of account fraud. This attack was eerily similar to the one reported by Michaels last year. The attack was carried out by individuals who were knowledgeable of the POS systems, and most likely another inside job. Barnes & Noble has since removed all of these card readers from all of their retail locations.
Credit/debit card skimmers are often some sort of device, such as a computer board with memory chips, that can read card data and track the numbers entered into PIN pads. In Barnes & Noble’s case, the cardholder data was purportedly transmitted via Bluetooth, most likely to ‘collector’ devices outside the store.
Covering your POS devices
As previously posted, the PCI Security Standards Council has created PIN entry device security standards, which require PIN pads to include technology that prevents tampering or makes tampering evident. Unfortunately, many companies do not have processes in place to ensure that employees are aware of how to check for tampering. In addition, fraudsters have learned to circumvent this control by completely swapping out the devices.
Even new technologies such as end-to-end encryption (which encrypts cardholder data at the swipe) and chip and PIN are not immune to this type of attack. For example, some fraudsters get around chip-enabled transactions by disabling the part of the POS device that reads the chip. This means customers are forced to swipe their card to make the transaction.
Get up to speed on reducing attacks
What can you do to help reduce the probability of unauthorized PIN pad swaps or the potential duration of such an attack? Here are some steps I’ve suggested previously with some fine tuning based on the latest trends:
1. Be prepared for social engineering attacks:
Do not trust anyone who just shows up to replace your card terminals. If you did not specifically ask to have a POS device repaired or replaced, there is a reasonable chance nefarious activity is afoot. Your acquiring bank, processor or POS/PIN pad maintainer should always notify you of any terminal replacement BEFORE they show up on site. In addition to being skeptical of any service person that appears out of nowhere to “fix” your terminals, do your homework to ensure that notifications for replacing your equipment are legitimate. You should provide periodic training to store personnel to keep them on the lookout for nefarious activities. This is critical – there is always a need to improve awareness and there is no cost associated with driving this communication to store personnel.
2. Be PCI compliant:
Retailers should adhere to the PCI Data Security Standard at all locations, including retail locations. In addition, retailers should ensure that their PIN entry devices adhere to the PCI standard. Compliance mandates that PIN pads be tamper-resistant, tamper-proof, and tamper-evident.
3. Be vigilant:
“Gone in 60 Seconds” is not only a movie, but also could be about how long it takes for an experienced criminal to swap out your PIN pad. What are you doing to make this endeavor more difficult for attackers?
4. Communicate with your POS and PIN pad vendor:
They will be up to speed on recent trends and potential nefarious activities. They may have knowledge about how thieves are able to compromise their equipment. Make sure that you are the one to drive these communications as many of these vendors may not have an established program in place to proactively reach out to their user base.
5. Implement daily processes to check for evidence of tampering or swapping:
Create daily checklists that have employees check for evidence of tampering and to verify inventory of POS devices. An inventory may include device type, location, and serial number. You may also consider using serialized security tape, decals or stickers on seam openings of card terminals or other detective controls. Make sure that your employees who perform the periodic checks know what to look for when searching for evidence of tampering! Because these processes are difficult to implement in a retail environment where store operations personnel have full plates and little inherent knowledge of these devices, retail needs special attention. To make things more challenging, when tampering takes place at the shipping depot/warehouse, store personnel are hard-pressed to detect tampering.
6. Have strong change management controls in place:
Any changes of POS equipment should go through the proper approval channels. When in doubt, always contact the centralized entity responsible for management of your POS systems. Sometimes this is store operations; sometimes it is your POS vendor; and sometimes it is an ISO or other third party.
7. Implement technical controls to prevent swapping (if possible):
Some POS systems may be configured to communicate with a unique/dedicated PIN pad. These systems may be configured to prevent a full PIN pad swap.
8. Assess the risks:
PCI requires that companies perform an annual risk assessment. Retailers should include a review of the POS environment as part of this risk assessment. Consider hiring a third-party organization to perform the security review. You might unveil a pattern in which employees are routinely leaving POS devices unattended and open to theft or tampering.
9. Have a plan:
Make sure your employees have a process to follow if they discover any evidence of tampering or swapping. This may include an email/phone call to your security team, to your acquiring bank and/or to whoever is responsible for maintaining POS systems and PIN pads. This should be part of your current Incident Response plan. Remember to test this plan regularly!
10. Refine technical controls for better monitoring:
If your POS terminals are on your network, monitor your terminals for disconnections. You may also be able to monitor if a PIN pad is disconnected from a POS terminal. Create alerts when these types of activities occur (of course, this will only work for organizations that have event management in place and that rarely disconnect POS terminals). This way, any such alert would be an indication that something abnormal has occurred and should be investigated.
11. What happens after-hours?
If you have a night crew for janitorial services or inventory control and restocking, make sure that you have controls in place to protect and monitor your POS systems. This includes anything from employment pre-screening (if they are employees), reading/acknowledging a policy that forbids use of or tampering with PIN pads, supervision of the crew, and/or morning-after checklists. If the night crew is contracted, make sure that your contract protects you from nefarious night crew activities.
12. Chain of custody:
Based on the pattern we’ve seen in recent breaches, you should be more vigilant in keeping a close eye on the chain of custody of your PIN pads, from your lab to your shipping room to your loading dock.
13. ATMs and kiosks:
Many people think that devices like ATMs and Kiosks are “super secure” because they are boxed and locked. In reality, they are just as exposed as any other device if proper controls are not in place. Any entity that has these devices in their environment should include them in their ongoing monitoring plan.
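As an added example (not code from the original post), the following script shows how items 5, 7 and 10 above can be backed by simple detection logic: it reconciles a daily checklist of observed serial numbers against a lane inventory, and scans constructed POS attach/detach events for a pad whose serial is not the one registered to its lane, for after-hours disconnects, and for pads left disconnected. The log format, event names, lane names and serial values are assumptions.

```python
from datetime import datetime

# Constructed inventory (assumption): lane -> serial of the PIN pad registered to it
INVENTORY = {"lane01": "PP-1001", "lane02": "PP-1002", "lane03": "PP-1003"}

# Constructed sample POS events, "<ISO timestamp> <lane> <event> <serial>"
SAMPLE_LOG = """\
2012-10-24T08:01:10 lane01 PINPAD_ATTACH PP-1001
2012-10-24T08:01:12 lane02 PINPAD_ATTACH PP-1002
2012-10-24T08:01:15 lane03 PINPAD_ATTACH PP-1003
2012-10-24T13:40:05 lane02 PINPAD_DETACH PP-1002
2012-10-24T13:41:50 lane02 PINPAD_ATTACH PP-9999
2012-10-24T22:15:00 lane03 PINPAD_DETACH PP-1003
"""

def parse_event(line):
    ts, lane, event, serial = line.split()
    return datetime.fromisoformat(ts), lane, event, serial

def analyze_events(log, inventory, business_hours=(7, 21)):
    """Return (timestamp, lane, message) alerts: a pad attached whose serial is not
    the one registered to that lane (swap indicator), a disconnect outside
    business hours, and a pad still disconnected when the log ends."""
    alerts, open_detach = [], {}
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, lane, event, serial = parse_event(line)
        if event == "PINPAD_DETACH":
            open_detach[lane] = ts
            if not business_hours[0] <= ts.hour < business_hours[1]:
                alerts.append((ts, lane, f"after-hours disconnect of {serial}"))
        elif event == "PINPAD_ATTACH":
            open_detach.pop(lane, None)  # lane is back online
            expected = inventory.get(lane)
            if serial != expected:
                alerts.append((ts, lane, f"possible swap: {serial} attached, expected {expected}"))
    for lane, ts in open_detach.items():
        alerts.append((ts, lane, "PIN pad still disconnected at end of log"))
    return alerts

def reconcile_inventory(observed, inventory):
    """Daily checklist reconciliation: observed is lane -> serial read off the
    device (None if no pad is found). Returns lanes whose pad is missing or wrong."""
    return {lane: (observed.get(lane), expected)
            for lane, expected in inventory.items()
            if observed.get(lane) != expected}
```

Running `analyze_events(SAMPLE_LOG, INVENTORY)` on the constructed log flags the unregistered pad on lane02, the 22:15 disconnect on lane03, and lane03 being left disconnected.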
Improving your security posture is an incremental exercise. An ounce of prevention is worth a pound of cure. Determine which of these tips will work best for your organization. The more you can do to proactively protect your POS environment, the better chance you have to minimize risk.