Protecting Your Swipe Devices from Illegal Tampering
The threat of Point of Sale (POS) terminal tampering is serious and worldwide. Every day criminals install skimmers, KeyKatchers, and other devices which grab cardholder data. The cardholder data is used to create cloned cards or to break into bank accounts to steal money.
To help anticipate threats and to keep your POS devices safe from criminals, OPUL has provided the following information, tips, and checklist. Please note that this is not a comprehensive listing of threats but includes discussion on common threats.
Point of Sale Device Protection - Watch your POS (CLOVER/OPUL) Equipment
- Examine your POS device that accepts credit and debit cards and look for anything abnormal. Examples: skimmers, KeyKatchers, missing or broken seals, damage to the device, damage to external cables, broken ports, or other materials that could mask damage or tampering.
- It is suggested to inspect your POS device periodically (e.g., weekly or monthly). A few items to check for:
  - Is the POS device in its designated location?
  - Are the POS device's manufacturer name, model and serial number correct?
  - Is the color and condition of the POS device as expected, with no additional marks or scratches, especially around the seams of the terminal window display?
  - Are the manufacturer's security seals and labels present with no signs of peeling or tampering?
  - Is the number of connections to the POS device as expected, with the same type and color of cables, and with no loose wires or broken connectors?
Physical Security - Safeguard Your POS Equipment and Surrounding Areas
- All POS devices should be locked up in a secure area at the end of each business day to prevent any unauthorized removal attempts from your sub-merchant location.
- Check your POS environment for hidden cameras or recording devices. Sub-merchants should:
  - Verify there are no additional or unauthorized displays where a camera could be hidden. Examples: adjacent walls, plaques or signs, brochure containers, or personal items.
  - Inspect the ceiling area above the POS device.
Train your staff on POS Equipment Tampering Prevention
- Sub-merchants are expected to train their staff accordingly. It will be the responsibility of the POS custodian to train any new employees in their area to recognize signs of equipment tampering before they can process credit or debit cards.
- Control POS device access by service support representatives. Allow only validated and authorized service personnel to access POS devices. Unauthorized or unexpected individuals should not be allowed access to the POS device.
- OPUL and device provider (Fiserv) will work directly with the POS custodian in your department on all equipment issues.
- Any third-party persons claiming to be repair or maintenance personnel are prohibited from gaining access to your POS device. Report any personnel attempting to gain access to your POS device to OPUL. Do not accept any replacement POS devices from third-party personnel or company.
- Ensure that only authorized support personnel attend the equipment, and that they are escorted and monitored at all times while doing so.
What to Do In the Event of POS Tampering
If you believe your sub-merchant operation has been subject to device tampering or for any device related questions, please contact OPUL Customer Support at (925) 678-5377 for next steps.
Cardholder Data Security (PCI)
As a sub-merchant accepting payment by credit and debit card you have an obligation to safeguard patient cardholder data. Cardholder data is any information contained on a patient or customer payment card. The data is printed on either side of the card, is contained in digital format on the magnetic stripe embedded in the backside of the card and in chips embedded on the front side. The front side usually has the primary account number (PAN), cardholder name and expiration date. The magnetic stripe or chip holds these plus other sensitive data for authentication and authorization. In general, no payment card data should ever be stored by you unless it’s necessary to meet the needs of the business. Sensitive data on the magnetic stripe or chip must never be stored. Only the PAN, expiration date, service code, or cardholder name may be stored, and sub-merchants must use technical precautions for safe storage. The matrix below shows basic “do’s” and “don’ts” for data storage security.
| Cardholder Data Do's | Cardholder Data Don'ts |
| --- | --- |
| Do understand where payment card data flows for the entire transaction process | Do not store cardholder data unless it's absolutely necessary |
| Do verify that your payment card terminals comply with the PCI personal identification number (PIN) entry device (PED) security requirements | Do not store sensitive authentication data contained in the payment card's storage chip or full magnetic stripe, including the printed 3-4 digit card validation code on the front or back of the payment card, after authorization |
| Do verify that your payment applications comply with the Payment Application Data Security Standard (PA-DSS) | Do not have PED terminals print out personally identifiable payment card data; printouts should be truncated or masked |
| Do retain (if you have a legitimate business need) cardholder data only if authorized, and ensure it's protected | Do not store any payment card data in payment card terminals or other unprotected endpoint devices, such as PCs, laptops, tablets or phones |
| Do use strong cryptography to render unreadable cardholder data that you store, and use other layered security technologies to minimize the risk of exploits by criminals | Do not locate servers or other payment card system storage devices outside of a locked, fully secured and access-controlled room |
| Do ensure that third parties who process your customers' payment cards comply with PCI DSS, PED and/or PA-DSS as applicable. Have clear access and password protection policies | Do not permit any unauthorized people to access stored cardholder data |
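The storage and printout rules above translate directly into code on any system that handles a transaction record after authorization. The following Python is an added example written for this page; it is not OPUL or Fiserv code and the field names (`pan`, `track2`, `cvv`, `pin_block`, and so on) and the hash key are assumptions for illustration. It drops sensitive authentication data before anything is persisted, keeps only the account data the text says may be stored, replaces the clear PAN with a truncated form plus a keyed SHA-256 hash so the full number never reaches disk, and masks any Luhn-valid PAN found in free text (receipt lines, logs) to the PCI DSS display limit of at most the first six and last four digits.

```python
import hashlib
import hmac
import re

# Sensitive authentication data (SAD): never stored after authorization,
# not even encrypted. Field names are assumptions for this example.
SENSITIVE_AUTH_FIELDS = frozenset({"track1", "track2", "cvv", "pin_block"})

# Account data that may be retained when there is a legitimate business need.
STORABLE_FIELDS = frozenset({"pan", "expiry", "service_code", "cardholder_name"})

# PLACEHOLDER key: in a real deployment this comes from a key management
# system, never from source code or configuration files.
PAN_HASH_KEY = b"placeholder-key-replace-me"


def luhn_valid(pan: str) -> bool:
    """Luhn check, used to tell a real PAN from other long digit strings."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS display rule: at most the first six and last four digits visible."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def receipt_pan(pan: str) -> str:
    """Customer receipts need only the last four digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN")
    return "*" * (len(digits) - 4) + digits[-4:]


# 13-19 digits, optionally separated by single spaces or dashes, ending on a digit.
_PAN_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def mask_pans_in_text(text: str) -> str:
    """Mask every Luhn-valid PAN in free text before it is printed or logged."""
    def _sub(m):
        candidate = m.group(0)
        return mask_pan(candidate) if luhn_valid(candidate) else candidate
    return _PAN_CANDIDATE.sub(_sub, text)


def sanitize_for_storage(record: dict, key: bytes = PAN_HASH_KEY) -> dict:
    """Reduce a captured transaction record to what may be persisted.

    SAD fields are dropped unconditionally, unknown fields are dropped so
    nothing sensitive slips through under an unexpected name, and the clear
    PAN is replaced by its truncated form plus a keyed hash that can be used
    for matching (for example, locating the original sale for a refund).
    """
    out = {}
    for field in STORABLE_FIELDS - {"pan"}:
        if field in record:
            out[field] = record[field]
    pan = record.get("pan")
    if pan is not None:
        digits = re.sub(r"\D", "", pan)
        if not luhn_valid(digits):
            raise ValueError("PAN failed Luhn check")
        out["pan_truncated"] = mask_pan(digits)
        out["pan_hmac"] = hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()
    return out


if __name__ == "__main__":
    # Constructed sample record using the well-known 4111... test number.
    captured = {
        "pan": "4111 1111 1111 1111",
        "expiry": "12/29",
        "cvv": "123",
        "track2": "constructed-track-data",
        "cardholder_name": "J DOE",
        "amount": "42.00",
    }
    print(sanitize_for_storage(captured))
    print(mask_pans_in_text("CARD 4111 1111 1111 1111 AUTH 123456"))
```

The first rule in the table still applies before any of this runs: if the business has no need to keep the record, the correct sanitizer is the one that stores nothing. When retention is needed, the keyed hash is only as strong as the key's protection, which is why it is a labelled placeholder here and must live in a key management system in practice.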
For a more detailed list of the rules applicable to you as a sub-merchant, please see https://www.pcisecuritystandards.org.
Refund Policy Disclosure
Refund policies are important for setting patient and practice expectations, and requirements vary from state to state. At a minimum, your refund policy should be posted so that it is clearly visible to the patient at the POS device. Refund policies should also be disclosed electronically on sign-up for services and in receipts. For local rules concerning refund policies, please consult your legal counsel. If you have any questions, please reach out to OPUL Support at (925) 678-5377 or hello@OPUL.com.
Glossary
Skimmer: A skimmer is a card reader that can be disguised to look like part of a machine. The skimmer attachment collects card numbers and PIN codes, which are then replicated into counterfeit cards.
KeyKatchers: A KeyKatcher is a tool that can be plugged into a device to secretly record everything that is typed on the keyboard.
Additional Resources
In partnership with Fiserv, below you will find Your Payments Acceptance Guide. This is an additional resource that covers the guidelines for processing transactions. It also has helpful tips for fraud prevention, how to reduce chargebacks and how to properly handle payments, refunds, and exchanges.
PROWEB-OPUL-001776