Inspection Manual for Payment Card-Reading Devices
Page 1
As outlined in the Payment Card Industry (PCI) Data Security Standard, v3.1 document,
criminals can illegally obtain cardholder data by stealing and/or tampering with the card-
reading devices themselves.
“Criminals attempt to steal cardholder data by stealing and/or manipulating card-
reading devices and terminals. For example, they will try to steal devices so they
can learn how to break into them, and they often try to replace legitimate devices
with fraudulent devices that send them payment card information every time a
card is entered. Criminals will also try to add “skimming” components to the
outside of devices, which are designed to capture payment card details before
they even enter the device – for example, by attaching an additional card reader
on top of the legitimate card reader so that the payment card details are captured
twice: once by the criminal’s component and then by the device’s legitimate
component. In this way, transactions may still be completed without interruption
while the criminal is “skimming” the payment card information during the
process.” – Section 9.9 of the PCI DSS v3.1
Protection of our cardholder data at the store level involves routinely inspecting the
devices that capture payment card data via direct physical interaction with the card. These
physical inspections will aid in the early detection of tampering or replacement of a
device, and thereby minimize the potential impact of using fraudulent devices.
There are two types of physical inspections:
o Mandatory physical inspections performed by the LP/Ops Manager. These will take place
quarterly and will be documented using a physical inspection log. These inspection logs
will be used as evidence in our effort to remain PCI compliant. (9.9.2)
o Best-practice physical inspections performed by the Cashier. These will take place at the
beginning of a shift, after leaving the cash station unattended for an extended length of time,
or after witnessing unusual or suspicious behavior around the cash station and CTT device.
Identify which of the following card-reading devices are utilized in your location:
o ingenico – model iSC250 page 2
o ingenico – model i6780 page 5 - (to be phased out during 2016)
o Equinox – model L5300 page 8
o Verifone – model FD-55 page 11 – (used by Home Services)
o Verifone – model FD130 page 13 – (used by Home Services)
Page 2
ingenico Model iSC250
Compare the card-reading device to the
photos below to determine if there has
been any change from its original
appearance:
o Inspect the keypad for residual stickiness left by an overlay, or for an overlay that is still applied.
o Inspect the card swipe for any modifications, additional parts, or signs of abnormalities.
o Make sure the Serial Number is readable.
o Inspect all cables for any add-ons. Make sure there are not any tap devices.
Page 3
o Inspect the EMV card slot for any modifications or additional hardware.
o Inspect all cables for any add-ons. Make sure there are not any tap devices.
o Visually inspect for tampering along ALL seam lines to see if someone has tried to pry the unit open.
Page 4
LP/Ops Manager - Physical Inspection Log:
o Complete additional check points
If a CTT device shows signs of normal wear and tear and replacement of the
device is warranted, please follow the normal replacement process outlined by
your business unit.
Criminals and vandals have attempted, and will attempt, to sabotage credit card readers for
their own personal gain. This includes, but is not limited to, replacing the credit card
magnetic reader, replacing the whole unit, or adding additional hardware. If it
looks like the credit card device was tampered with in any way, please follow the
instructions on page 15.
Page 5
ingenico Model i6780 (to be phased out during 2016)
Compare the card-reading device to the
photos below to determine if there has
been any change from its original
appearance:
o Inspect the keypad for residual stickiness left by an overlay, or for an overlay that is still applied.
o Inspect the card swipe for any modifications, additional parts, or signs of abnormalities.
o Make sure the Serial Number is readable.
Page 6
o If the Privacy Guard is removed or broken, replace it.
o Inspect the EMV card slot for any modifications or additional hardware.
o Visually inspect for tampering along ALL seam lines to see if someone has tried to pry the unit open.
Page 7
LP/Ops Manager - Physical Inspection Log:
o Complete additional check points
If a CTT device shows signs of normal wear and tear and replacement of the
device is warranted, please follow the normal replacement process outlined by
your business unit.
Criminals and vandals have attempted, and will attempt, to sabotage credit card readers for
their own personal gain. This includes, but is not limited to, replacing the credit card
magnetic reader, replacing the whole unit, or adding additional hardware. If it
looks like the credit card device was tampered with in any way, please follow the
instructions on page 15.
o Inspect all cables for any add-ons. Make sure there are not any tap devices.
Page 8
Equinox Model L5300
Compare the card-reading device to the
photos below to determine if there has
been any change from its original
appearance:
o Inspect the keypad for residual stickiness left by an overlay, or for an overlay that is still applied.
o Inspect the card swipe for any modifications, additional parts, or signs of abnormalities.
o Make sure the Serial Number is readable.
Page 9
o Inspect the EMV card slot for any modifications or additional hardware.
o Visually inspect for tampering along ALL seam lines to see if someone has tried to pry the unit open.
Page 10
LP/Ops Manager - Physical Inspection Log:
o Complete additional check points
If a CTT device shows signs of normal wear and tear and replacement of the
device is warranted, please follow the normal replacement process outlined by
your business unit.
Criminals and vandals have attempted, and will attempt, to sabotage credit card readers for
their own personal gain. This includes, but is not limited to, replacing the credit card
magnetic reader, replacing the whole unit, or adding additional hardware. If it
looks like the credit card device was tampered with in any way, please follow the
instructions on page 15.
o Inspect all cables for any add-ons. Make sure there are not any tap devices.
o If the Privacy Guard is removed or broken, replace it.
Page 11
Verifone Model FD55
Compare the card-reading device to the
photos below to determine if there has
been any change from its original
appearance:
o Inspect the card swipe for any modifications, additional parts, or signs of abnormalities.
o Visually inspect for tampering along ALL seam lines to see if someone has tried to pry the unit open.
o Inspect the keypad for residual stickiness left by an overlay, or for an overlay that is still applied.
Page 12
LP/Ops Manager - Physical Inspection Log:
o Complete additional check points
If a CTT device shows signs of normal wear and tear and replacement of the
device is warranted, please follow the normal replacement process outlined by
your business unit.
Criminals and vandals have attempted, and will attempt, to sabotage credit card readers for
their own personal gain. This includes, but is not limited to, replacing the credit card
magnetic reader, replacing the whole unit, or adding additional hardware. If it
looks like the credit card device was tampered with in any way, please follow the
instructions on page 15.
o Make sure the Serial Number is readable.
o Inspect all cables for any add-ons. Make sure there are not any tap devices.
Page 13
Verifone Model FD130 Duo (Chip Enabled)
Compare the card-reading device to the
photos below to determine if there has
been any change from its original
appearance:
o Inspect the keypad for residual stickiness left by an overlay, or for an overlay that is still applied.
o Inspect all cables for any add-ons. Make sure there are not any tap devices.
o Inspect the card swipe for any modifications, additional parts, or signs of abnormalities.
o Visually inspect for tampering along ALL seam lines to see if someone has tried to pry the unit open.
o On the underside of the device, make sure the Serial Number is readable.
Page 14
LP/Ops Manager - Physical Inspection Log:
o Complete additional check points
If a CTT device shows signs of normal wear and tear and replacement of the
device is warranted, please follow the normal replacement process outlined by
your business unit.
Criminals and vandals have attempted, and will attempt, to sabotage credit card readers for
their own personal gain. This includes, but is not limited to, replacing the credit card
magnetic reader, replacing the whole unit, or adding additional hardware. If it
looks like the credit card device was tampered with in any way, please follow the
instructions on page 15.
o Inspect the keypad for residual stickiness left by an overlay, or for an overlay that is still applied.
o Inspect the card swipe for any modifications, additional parts, or signs of abnormalities.
o Inspect the EMV card slot for any modifications or additional hardware.
o Visually inspect for tampering along ALL seam lines to see if someone has tried to pry the unit open.
o On the underside of the device, make sure the Serial Number is readable.
Page 15
Procedure for Credit Card Readers and Possible Tampering For Store Employees
1. Unplug the 'normal' plugs and replace the device with another credit card reader.
Talk to your store manager about procuring another credit card reader. Begin a
Chain of Custody Document; take notes of who handled the device from this point
on. Detail the person, time and date, and who is in custody of the device.
2. Create an incident ticket in Service Now using the details provided below:
a. Link to Service Now: https://sears.service-now.com/navpage.do
b. Caller - Yourself
c. Affected User - Yourself
d. Location - Your store
e. Impacted Service - Retail - Point of Sale
f. Category - Hardware
g. Subcategory - Equipment Failure
h. Assignment Group - SHC_SEC_SECURITY_OPS
i. Short Description - Store Number - Credit Card Reader Tampering
j. Additional Comment - Please be as descriptive as possible about what was
observed with the credit card reader. Include why you think it was
tampered with, the physical appearance of the device, the type of device, and
the serial/unit number.
k. Attach - Attach pictures of the device. This includes anything strapped to
the device or plugged in that isn't regularly plugged in. We need to
document all abnormalities to the device.
3. Get in contact with your store manager and find a box to ship the device in. Include
a list (the Chain of Custody Document) of all people who have handled the device
since it was identified as compromised. A member of the Security Operations
team will contact you with next steps and how/where to ship the device.