Maybe you’ve seen the latest security scare video that’s making its way across the Internet. A group of men are shown installing a credit card skimmer over the entire PIN pad in under three seconds. This latest attack reinforces the importance of the new requirements introduced in PCI 3.0, which require organizations to inventory and conduct periodic physical inspections of PIN pads. So, what can you do to identify these issues quickly?
Addressing a physical security problem like this one is extremely difficult, but there is one thing you can do right now: raise awareness with your staff. Make sure they have seen this video (or at least understand how easy it is for malicious actors to attach a skimmer). Educate your cashiers and other employees who work closest to the PIN pads on how to recognize when one of the devices has been tampered with. Ensure that they know how to report suspected tampering and that you have a process in place to respond quickly to reported incidents of PIN pad tampering.
Many of our physical security controls lean toward being reactive. For example, video cameras film crimes being committed, but most organizations don’t have the manpower to have someone watch every second of footage in real time. They perform only spot checks or, worse, review video only once an issue has been confirmed. Considering that a skimming device can be installed in three seconds, it would be extremely difficult to find one if you are relying on purely reactive security measures.
It’s been my experience working with merchants on cardholder data security for the past decade that educating and empowering your staff will improve your security posture.