21. Terminal Security
PCI-PTS compliance
The Payment Card Industry PIN Transaction Security (PCI PTS) is a security standard that applies to all payment
terminals based on PIN entry and to other hardware that manages PIN codes. Nets always delivers payment terminals
that are PCI PTS approved at the time of delivery.
Guidance for PIN entry
The PCI Security Standards Council specifies International Standard ISO 9564 for protection against fraudulent
observation of the PIN during PIN entry. To comply with this standard, the terminal may be supplied either with a
factory-fitted privacy shield or with a privacy shield accessory (to be fitted by the merchant before use). If you require a
privacy shield and one has not been supplied, please contact your Nets helpdesk for assistance.
If the payment terminal from Nets is delivered without a factory-fitted privacy shield and without a privacy shield
accessory in the box, the terminal must be operated as a handheld device, meaning that the merchant must advise the
cardholder to:
• Hold the device in hand during PIN entry
• Keep at a distance from others during PIN entry
• Use his/her body or hand to block the view of the keypad during PIN entry
• Ensure that no video cameras or other surveillance are directed towards the keypad during PIN entry
Additionally, the merchant shall advise the cardholder of any suspicious behavior exhibited by others before or
during PIN entry.
Periodical inspection of terminals
The ultimate responsibility for the protection of cardholder data within a merchant's equipment lies with the merchant.
We advise merchants to focus on proper implementation of the core PCI DSS 9.9 requirement, which came into effect
on June 30, 2015 and is intended to ensure that merchants are better prepared for skimming attacks.
In line with PCI 'best practice' for skimming prevention
(https://www.pcisecuritystandards.org/documents/Skimming_Prevention_At-a-Glance_Sept2014.pdf), Nets highly
recommends that the merchant:
• Upon receipt of a new terminal, and on a regular basis, checks the terminal(s) for any signs of obvious tampering
(e.g. broken seals over access cover plates or screws, odd/different cabling, or unknown/suspicious features)
• Keeps a detailed list of all terminal(s) on location, with pictures for comparison on a regular basis
• Keeps the terminal(s) out of customers' reach, both during opening and closing hours
• Never accepts delivery or installation of a new terminal from any unauthorized Nets personnel
• Only allows privileged access to the terminal(s) to independently verified and trustworthy personnel
• Calls the Nets helpdesk immediately if in doubt about the integrity of the terminal(s)!
User Guide Payment terminals | 47