
Upload: phamkhanh

Post on 23-Jun-2018


Inspection Manual for Payment Card-Reading Devices

1 | Page

As outlined in the Payment Card Industry (PCI) Data Security Standard, v3.1 document, criminals can illegally obtain cardholder data by stealing and/or tampering with the card-reading devices themselves.

“Criminals attempt to steal cardholder data by stealing and/or manipulating card-reading devices and terminals. For example, they will try to steal devices so they can learn how to break into them, and they often try to replace legitimate devices with fraudulent devices that send them payment card information every time a card is entered. Criminals will also try to add “skimming” components to the outside of devices, which are designed to capture payment card details before they even enter the device – for example, by attaching an additional card reader on top of the legitimate card reader so that the payment card details are captured twice: once by the criminal’s component and then by the device’s legitimate component. In this way, transactions may still be completed without interruption while the criminal is “skimming” the payment card information during the process.” – Section 9.9 of the PCI DSS v3.1

Protection of our cardholder data at the store level involves routinely inspecting the devices that capture payment card data via direct physical interaction with the card. These physical inspections will aid in the early detection of tampering or replacement of a device, and thereby minimize the potential impact of using fraudulent devices.

The two types of physical inspections:

Mandatory physical inspections performed by the LP/Ops Manager. These will take place quarterly and will be documented using a physical inspection log. These inspection logs will be used as evidence in our effort to remain PCI compliant. (9.9.2)

Best-practice physical inspections performed by the Cashier. These will take place at the beginning of a shift, after leaving the cash station unattended for an extended length of time, or after witnessing unusual or suspicious behavior around the cash station and CTT device.

Identify which of the following card-reading devices are utilized in your location:

o Ingenico – model iSC250 (page 2)
o Ingenico – model i6780 (page 5) – to be phased out during 2016
o Equinox – model L5300 (page 8)
o Verifone – model FD-55 (page 11) – used by Home Services
o Verifone – model FD130 (page 13) – used by Home Services

2 | Page

Ingenico Model iSC250

Compare the card-reading device to the photos below to determine if there has been any change from its original appearance:

o Inspect the key pad for residual stickiness from an overlay, or for an overlay that is currently applied.
o Inspect the card swipe for any modifications, additional parts, or signs of abnormalities.
o Make sure the Serial Number is readable.
o Inspect all cables for any add-ons. Make sure there are not any tap devices.

3 | Page

o Inspect the EMV card slot for any modifications or additional hardware.
o Inspect all cables for any add-ons. Make sure there are not any tap devices.
o Visually inspect for tampering along ALL seam lines to see if someone has tried to pry the unit open.

4 | Page

LP/Ops Manager - Physical Inspection Log:

o Complete additional checkpoints

If a CTT device shows signs of normal wear and tear and replacement of the device is warranted, please follow the normal replacement process outlined by your business unit.

Criminals and vandals have attempted, and will attempt, to sabotage credit card readers for their own personal gain. This includes, but is not limited to, replacing the credit card magnetic reader, replacing the whole unit, or adding additional hardware. If it looks like the credit card device was tampered with in any way, please follow the instructions on page 15.

5 | Page

Ingenico Model i6780 (to be phased out during 2016)

Compare the card-reading device to the photos below to determine if there has been any change from its original appearance:

o Inspect the key pad for residual stickiness from an overlay, or for an overlay that is currently applied.
o Inspect the card swipe for any modifications, additional parts, or signs of abnormalities.
o Make sure the Serial Number is readable.

6 | Page

o If the Privacy Guard is removed or broken, replace it.
o Inspect the EMV card slot for any modifications or additional hardware.
o Visually inspect for tampering along ALL seam lines to see if someone has tried to pry the unit open.

7 | Page

LP/Ops Manager - Physical Inspection Log:

o Complete additional checkpoints

If a CTT device shows signs of normal wear and tear and replacement of the device is warranted, please follow the normal replacement process outlined by your business unit.

Criminals and vandals have attempted, and will attempt, to sabotage credit card readers for their own personal gain. This includes, but is not limited to, replacing the credit card magnetic reader, replacing the whole unit, or adding additional hardware. If it looks like the credit card device was tampered with in any way, please follow the instructions on page 15.

o Inspect all cables for any add-ons. Make sure there are not any tap devices.

8 | Page

Equinox Model L5300

Compare the card-reading device to the photos below to determine if there has been any change from its original appearance:

o Inspect the key pad for residual stickiness from an overlay, or for an overlay that is currently applied.
o Inspect the card swipe for any modifications, additional parts, or signs of abnormalities.
o Make sure the Serial Number is readable.

9 | Page

o Inspect the EMV card slot for any modifications or additional hardware.
o Visually inspect for tampering along ALL seam lines to see if someone has tried to pry the unit open.

10 | Page

LP/Ops Manager - Physical Inspection Log:

o Complete additional checkpoints

If a CTT device shows signs of normal wear and tear and replacement of the device is warranted, please follow the normal replacement process outlined by your business unit.

Criminals and vandals have attempted, and will attempt, to sabotage credit card readers for their own personal gain. This includes, but is not limited to, replacing the credit card magnetic reader, replacing the whole unit, or adding additional hardware. If it looks like the credit card device was tampered with in any way, please follow the instructions on page 15.

o Inspect all cables for any add-ons. Make sure there are not any tap devices.
o If the Privacy Guard is removed or broken, replace it.

11 | Page

Verifone Model FD55

Compare the card-reading device to the photos below to determine if there has been any change from its original appearance:

o Inspect the card swipe for any modifications, additional parts, or signs of abnormalities.
o Visually inspect for tampering along ALL seam lines to see if someone has tried to pry the unit open.
o Inspect the key pad for residual stickiness from an overlay, or for an overlay that is currently applied.

12 | Page

LP/Ops Manager - Physical Inspection Log:

o Complete additional checkpoints

If a CTT device shows signs of normal wear and tear and replacement of the device is warranted, please follow the normal replacement process outlined by your business unit.

Criminals and vandals have attempted, and will attempt, to sabotage credit card readers for their own personal gain. This includes, but is not limited to, replacing the credit card magnetic reader, replacing the whole unit, or adding additional hardware. If it looks like the credit card device was tampered with in any way, please follow the instructions on page 15.

o Make sure the Serial Number is readable.
o Inspect all cables for any add-ons. Make sure there are not any tap devices.

13 | Page

Verifone Model FD130 Duo (Chip Enabled)

Compare the card-reading device to the photos below to determine if there has been any change from its original appearance:

o Inspect the key pad for residual stickiness from an overlay, or for an overlay that is currently applied.
o Inspect all cables for any add-ons. Make sure there are not any tap devices.
o Inspect the card swipe for any modifications, additional parts, or signs of abnormalities.
o Visually inspect for tampering along ALL seam lines to see if someone has tried to pry the unit open.
o On the underside of the device, make sure the Serial Number is readable.

14 | Page

LP/Ops Manager - Physical Inspection Log:

o Complete additional checkpoints

If a CTT device shows signs of normal wear and tear and replacement of the device is warranted, please follow the normal replacement process outlined by your business unit.

Criminals and vandals have attempted, and will attempt, to sabotage credit card readers for their own personal gain. This includes, but is not limited to, replacing the credit card magnetic reader, replacing the whole unit, or adding additional hardware. If it looks like the credit card device was tampered with in any way, please follow the instructions on page 15.

o Inspect the key pad for residual stickiness from an overlay, or for an overlay that is currently applied.
o Inspect the card swipe for any modifications, additional parts, or signs of abnormalities.
o Inspect the EMV card slot for any modifications or additional hardware.
o Visually inspect for tampering along ALL seam lines to see if someone has tried to pry the unit open.
o On the underside of the device, make sure the Serial Number is readable.

15 | Page

Procedure for Credit Card Readers and Possible Tampering for Store Employees

1. Unplug the 'normal' plugs and replace the device with another credit card reader. Talk to your store manager about procuring another credit card reader. Begin a Chain of Custody Document; take notes of who handled the device from this point on. Detail the person, the time and date, and who is in custody of the device.

2. Create an incident ticket in Service Now using the details provided below:
   a. Link to Service Now: https://sears.service-now.com/navpage.do
   b. Caller - Yourself
   c. Affected User - Yourself
   d. Location - Your store
   e. Impacted Service - Retail - Point of Sale
   f. Category - Hardware
   g. Subcategory - Equipment Failure
   h. Assignment Group - SHC_SEC_SECURITY_OPS
   i. Short Description - Store Number - Credit Card Reader Tampering
   j. Additional Comment - Please be as descriptive as possible about what was observed with the credit card reader. Include why you think it was tampered with, the physical appearance of the device, the type of device, and the serial/unit number.
   k. Attach - Attach pictures of the device. This includes anything strapped to the device or plugged in that isn't regularly plugged in. We need to document all abnormalities to the device.

3. Get in contact with your store manager and find a box to ship the device in. Include a list – the Chain of Custody Document – of all people that have handled the device since it was identified as compromised. A member of the Security Operations team will contact you with next steps and how/where to ship the device.
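As an added example (not part of this manual or of the Sears process), the following Python sketch models the quarterly LP/Ops inspection log from page 1 and the Service Now escalation from page 15: it flags a device whose quarterly check is overdue, a serial number that no longer matches the inventory (a sign the unit was swapped), and any failed checkpoint, then pre-fills the ticket fields the manual lists. The checkpoint names, store number, serials, dates and check results are constructed assumptions.

```python
# Added example, not from the manual: a quarterly inspection log (PCI DSS 9.9.2) built
# around the manual's device models and checkpoints; serials, dates, results are constructed.
from dataclasses import dataclass, field
from datetime import date, timedelta
# Checkpoints the manual asks the inspector to verify on each device (names assumed).
CHECKPOINTS = ("keypad_overlay", "card_swipe", "emv_slot", "serial_readable",
               "cables_no_taps", "seams_intact")
QUARTER = timedelta(days=91)   # quarterly cadence required by 9.9.2
@dataclass
class Inspection:
    when: date
    serial_seen: str            # serial number read off the device
    failed: tuple = ()          # checkpoints that showed signs of tampering
@dataclass
class Device:
    store: str
    model: str                  # e.g. "Ingenico iSC250"
    serial: str                 # serial recorded in the device inventory
    inspections: list = field(default_factory=list)

def findings(device, today):
    """Problems the LP/Ops Manager must act on for one device."""
    if not device.inspections:
        return ["never inspected"]
    problems = []
    last = max(device.inspections, key=lambda i: i.when)
    if today - last.when > QUARTER:
        problems.append("quarterly inspection overdue")
    if last.serial_seen != device.serial:   # unit may have been swapped
        problems.append("serial mismatch: %s vs %s" % (device.serial, last.serial_seen))
    for cp in last.failed:
        if cp not in CHECKPOINTS:
            raise ValueError("unknown checkpoint: " + cp)
        problems.append("tampering indicator: " + cp)
    return problems
def ticket(device, problems):
    """Service Now fields from page 15 of the manual, pre-filled."""
    return {
        "Impacted Service": "Retail - Point of Sale",
        "Category": "Hardware",
        "Subcategory": "Equipment Failure",
        "Assignment Group": "SHC_SEC_SECURITY_OPS",
        "Short Description": device.store + " - Credit Card Reader Tampering",
        "Additional Comment": "%s %s: %s" % (device.model, device.serial, "; ".join(problems)),
    }
# Constructed sample: the July check read a different serial and found a pried seam.
sample = Device("Store 1234", "Ingenico iSC250", "ISC-000111",
                [Inspection(date(2016, 4, 5), "ISC-000111"),
                 Inspection(date(2016, 7, 1), "ISC-999999", ("seams_intact",))])
```

Running `findings(sample, date(2016, 7, 10))` reports the serial mismatch and the seam finding; the same device checked in November is additionally flagged as overdue.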

16 | Page

REVISION HISTORY

DATE        MODIFICATION DESCRIPTION   COMMENTS   CHANGE APPROVAL
April 2016  Initial Version                       Ken Carr-Kedziorski