Pinpad Security; Introduction - VeriFone MX 880 Installation Manual

APPENDIX 1
PINpad Security Best Practices

Introduction

The payment industry and card associations adopted PED and PCI PED requirements because of concerns that sophisticated criminal organizations may have the resources to tamper with PED terminals to install a bug and collect private card data. In pre-PED devices, security features were left to each vendor to determine. The more recently adopted Visa PED and PCI PED requirements provide standardized security features that make tampering progressively more difficult.

We are seeing an increase in criminal organizations targeting the less secure pre-PED terminals by installing bugs to collect private credit card and debit information. In these cases, the criminal organizations are inserting a bug into an in-place device or obtaining the same terminal model that a retailer uses, installing a bug, and then substituting the tampered device for the retailer's terminals. They then either come back to retrieve these terminals to obtain the stolen information, or in some cases, the tampered terminals send the information to another computer via wireless communications.

Due to repeated targeting of pre-PED PINpads and payment terminals, VeriFone has developed the following PINpad Security Best Practices. These best practices first enable a retailer to determine whether any existing terminals have been tampered with, and second make tampering much more difficult by implementing a comprehensive set of security controls that prevent tampering and let the retailer become aware more quickly if tampering has occurred.

This appendix details the PINpad Security Best Practices from a sound security perspective to minimize fraud through education, routine inspection, vendor management, and prompt action. The Best Practices are organized into the following categories:

Administrative Activities – This category covers items that include employee education on data security theft, and common prevention activities.

Physical Activities – This category includes items involving physical inspection of payment system components.

Technical Activities – This category addresses data encryption and serial number validation with the POS.

VeriFone recommends that all retailers implement the following PINpad Security Best Practices immediately. If a retailer does not enact a complete PINpad security program, including PINpad Security Best Practices, then they will remain vulnerable to this kind of tampering.
MX 800 Series Installation Guide

This manual is also suitable for:

Mx 860, Mx 870, Mx 850, Mx 830
