Verifone Tampering Training
Training Material: Checking POI Terminals for Tampering
Introduction
Point of Interaction (POI) terminals, such as PIN pads and payment card readers, are the devices that capture cardholder data during a transaction and are therefore a prime target for criminals. Ensuring these devices are protected from tampering and from substitution with look-alike devices is essential to protect cardholder data and maintain PCI DSS compliance. This guide provides a step-by-step process for detecting tampering.
Overview of PCI DSS Requirements
The Payment Card Industry Data Security Standard (PCI DSS) sets forth requirements to protect cardholder data. For POI terminals, the requirements most relevant to tampering are:
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Requirement 9: Restrict physical access to cardholder data. Requirement 9.9 (PCI DSS v3.2.1; Requirement 9.5 in v4.0) specifically requires that POI devices be protected from tampering and substitution: an up-to-date inventory of devices (make, model, location, serial number), periodic inspection of device surfaces, and training of personnel to recognize attempted tampering or substitution.
Requirement 11: Regularly test security systems and processes.
Understanding Tampering
Tampering involves unauthorized alterations to hardware or software that can compromise cardholder data. Common forms include:
- Skimming Devices: Devices placed over or inserted inside card readers to capture magnetic stripe or chip data.
- Overlay Devices: False keypads or screens fitted over the real ones to capture PINs or card details.
- Physical Alterations: Modifications to the terminal casing or internal components, for example opening the case to fit a recording device.
- Device Substitution: Replacing a legitimate terminal with a look-alike device that the attacker has modified.
Inspection Procedure
A. Visual Inspection
1. Check for Tamper-Evident Seals
- Look for manufacturer or authorized service provider seals. These should be intact, in the expected positions, and show no signs of lifting, re-gluing, or replacement.
- Verify that tamper-evident labels are not broken, voided, or missing. A missing label where one is expected is a finding, not a pass.
2. Inspect the Terminal Exterior
- Examine the casing for unusual scratches, dents, mismatched colours or plastics, or other signs of forced entry or re-assembly.
- Ensure that all screws and fastenings are in place and show no tool marks.
- Check the cables and ports: look for additional cables, inline connectors, or unfamiliar devices between the terminal and its host.
3. Check the Card Reader and Keypad
- Inspect the card reader slot and keypad for overlay devices or other suspicious attachments. Overlays often sit slightly proud of the surface or feel loose when pressed.
- Ensure there are no gaps between components or around the card slot that might indicate an overlay or an inserted shim.
4. Verify Device Identity
- Compare the serial number on the device label with the entry in the POI device inventory, and confirm the device is at its recorded location. A serial number that is not on the inventory, or a device found somewhere other than its recorded location, may indicate substitution.
B. Functional Testing
1. Check Device Operation
- Verify that the keypad and display function as expected: the normal prompts appear in the normal order, there are no extra prompts to re-enter the PIN or card, and there are no unusual delays or dead or sticky keys.
2. Run Diagnostic Tests
- Use the manufacturer's built-in diagnostic or information screens to confirm that the firmware version and configuration match the baseline recorded for that device, and follow manufacturer guidance for any further checks of the software running on the terminal.
Reporting and Documentation
A. Document Findings
- Record any signs of tampering or anomalies, including the device serial number, its location, what was observed, and photographs where permitted.
B. Report Issues
- Immediately report any suspicious findings to the appropriate security team.
- Do not attempt to remove a suspected skimmer or overlay yourself; take the terminal out of service and preserve it so that evidence is not disturbed.
- Follow MTE procedures for escalating potential security breaches.
C. Update Records
- Keep detailed records of inspections, including dates, device serial numbers, inspector name, findings, and any actions taken.
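The inspection record is most useful when it is checked against the POI device inventory, so that an unknown serial number, a device found away from its recorded location, or an inventoried device that nobody inspected is raised automatically rather than noticed by chance. The following is an added example, not part of the original training material and not Verifone code; the inventory and observation fields, the device names and the sample data are constructed for illustration, and a real deployment would load them from the inventory export and the inspection log.

```python
"""Reconcile POI terminal inspection results against the device inventory.

Added example (not part of the original training material). The inventory
is a dict keyed by serial number; field names and sample data are
hypothetical and would come from the real inventory and inspection log.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class InventoryEntry:
    """One device as recorded in the POI inventory (PCI DSS 9.9.1 fields)."""
    serial: str
    make: str
    model: str
    location: str


@dataclass(frozen=True)
class Observation:
    """One inspected terminal as recorded by the inspector."""
    serial: str            # serial number read from the device label
    location: str          # where the device was physically found
    seals_intact: bool     # tamper-evident seals present and undisturbed
    overlay_suspected: bool
    casing_damaged: bool


@dataclass(frozen=True)
class Finding:
    serial: str
    severity: str          # "ESCALATE" (report immediately) or "NOTE"
    reason: str


def reconcile(inventory, observations):
    """Compare what was inspected against what the inventory says should exist.

    Returns a list of Finding. Anything that could indicate tampering or
    substitution is ESCALATE; cosmetic damage is a NOTE to verify against
    the service history.
    """
    findings = []
    seen = set()
    for obs in observations:
        seen.add(obs.serial)
        entry = inventory.get(obs.serial)
        if entry is None:
            # A serial that is not on the inventory may be a substituted device.
            findings.append(Finding(obs.serial, "ESCALATE",
                                    "serial not in inventory (possible substitution)"))
        elif entry.location != obs.location:
            findings.append(Finding(obs.serial, "ESCALATE",
                                    f"device moved: inventory says {entry.location}, "
                                    f"found at {obs.location}"))
        if not obs.seals_intact:
            findings.append(Finding(obs.serial, "ESCALATE",
                                    "tamper-evident seal broken or missing"))
        if obs.overlay_suspected:
            findings.append(Finding(obs.serial, "ESCALATE",
                                    "overlay or foreign attachment on reader/keypad"))
        if obs.casing_damaged:
            findings.append(Finding(obs.serial, "NOTE",
                                    "casing scratched or dented; check service history"))
    # Inventoried devices that were never inspected may have been removed.
    for serial in sorted(set(inventory) - seen):
        findings.append(Finding(serial, "ESCALATE",
                                "inventoried device not found during inspection"))
    return findings


def needs_escalation(findings):
    """True if any finding requires immediate reporting to the security team."""
    return any(f.severity == "ESCALATE" for f in findings)


# Constructed sample data: three inventoried lanes, one inspection round.
INVENTORY = {e.serial: e for e in [
    InventoryEntry("SN-0001", "Verifone", "ExampleModel", "Lane 1"),
    InventoryEntry("SN-0002", "Verifone", "ExampleModel", "Lane 2"),
    InventoryEntry("SN-0003", "Verifone", "ExampleModel", "Lane 3"),
]}

OBSERVATIONS = [
    Observation("SN-0001", "Lane 1", True, False, False),   # clean
    Observation("SN-0002", "Lane 3", True, False, True),    # moved and damaged
    Observation("SN-9999", "Lane 2", True, False, False),   # unknown serial
    # SN-0003 was not inspected at all: it is reported as missing.
]

if __name__ == "__main__":
    for f in reconcile(INVENTORY, OBSERVATIONS):
        print(f"[{f.severity}] {f.serial}: {f.reason}")
```

Run against the sample data this produces three ESCALATE findings (the unknown serial at Lane 2, SN-0002 found away from its recorded lane, and SN-0003 never seen) and one NOTE for the damaged casing. Keeping the escalation decision in code, rather than leaving it to the inspector's judgement on the day, is what makes the check repeatable across inspection rounds.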
Conclusion
Regular and thorough inspections of POI terminals are crucial for detecting tampering and ensuring compliance with PCI DSS requirements. By following this guide, you can help protect sensitive cardholder information and maintain a secure payment environment. Always stay vigilant and report any irregularities promptly.
Revision History
Version | Description           | Date       | Author          | Title
1.0     | Initial Documentation | 08/15/2024 | Jonathan Powell | Sr. Security Analyst