Physical Security Activities - VeriFone MX 900 Series Reference Manual

52
5. Make sure the password for device access is not the original default
6. Develop a response plan before you suspect you have had a breach.

Physical Security Activities

1. Have a visual inspection performed on every device to look for potential
2. If your terminal contains an electronic serial number, have the electronic
3. Store spare devices under lock and key to prevent unauthorized removal.
4. Only obtain PIN pads from a manufacturer or manufacturer's authorised
5. For similar reasons, have your PIN pads repaired at the manufacturer or
6. Review the physical installation of your PIN pads. By far, one of the most
password. If it is, have it changed, as default passwords become widely
known.
Identify the steps you need to take if you suspect a breach. Understand
what to do to isolate your payment systems, and prevent future sensitive
information loss. Have a list of who needs to be called including your
local law enforcement, your acquiring bank, your processor, your
security assessor and your payment system vendors. Make sure you have
clear assignments for who needs to do what after a suspected attack and
how you will respond.
signs of tampering. These include anything that does not look normal
such as lack of tamper seals, damaged or altered tamper seals,
mismatched keys, missing screws, incorrect keyboard overlays, external
wires, holes in the terminal or anything else unusual. If anything out of
the ordinary is noticed, stop using the device, disconnect it from the POS
or network, but do not power it down. Contact the security officer at the
manufacturer to determine the next steps. Continue to perform visual
inspections weekly.
serial number compared to the serial number printed on the bottom of
the terminal. If these do not match stop using the device, disconnect it
from the POS or network, but do not power it down. Contact the security
officer at the manufacturer to determine the next steps.
partner. Unauthorized sellers, such as those found on websites such as
eBay and Craig's List, may potentially sell devices that are already
compromised, whether intentionally or unwittingly.
an authorised manufacturer's repair centre.
effective solutions to deter theft is to physically tether your PIN pad to
the POS with a purpose designed high security lock.
MX 900 Series Reference Manual
September 14, 2012