Stay Alert During the Holidays
As the holiday season approaches and we start seeing a spike in sales volume, it’s important for your company to remain vigilant. An increase in sales always correlates with a surge in theft and fraudulent activity. UTA would like to remind our merchants to be mindful of the safety of their check writers’ and cardholders’ sensitive data.
Criminals trying to obtain cardholder account and PIN data at the point of sale (POS) frequently target PIN Entry Devices (PEDs) that are known to be vulnerable. All users of vulnerable PEDs are encouraged to upgrade to systems that feature the most up-to-date security. Evidence indicates that these devices were removed from the point of sale and replaced with modified devices designed to capture magnetic-stripe card and PIN data, which was then wirelessly transmitted to criminals. Surveillance footage shows that the suspects were able to remove a PED and install a modified device in less than one minute.
Recommended Mitigation Strategies
Merchants must be vigilant and maintain a secure store environment at all times, especially around cash registers and PEDs. The following inventory-control and monitoring procedures will help protect against PED substitution, loss and modification.
– Mount or tether PEDs to counters to prevent removal. Payment Card Industry (PCI) PIN Security Requirements stipulate that precautions must be taken to minimize the threat of compromise once PEDs are deployed (Requirement 29).
– Implement a PED-authentication system. Merchant host systems can continuously verify that terminals are online and operating correctly.
– Use terminal asset tracking procedures. Secure stored terminals awaiting deployment under lock and key, and periodically validate PED inventories on hand against asset records.
– Regularly inspect PEDs visually to identify abnormalities. Look for altered seals or screws, extraneous wiring, holes, and labels or other materials that could have been added to mask damage from device tampering.
– Retire PEDs known to be vulnerable. To avoid potential compromises, merchants should plan to replace vulnerable PEDs now and consider implementing dual-interface, chip-capable devices whenever possible.
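One way a merchant host could automate the PED-authentication and inventory-validation steps above, shown as an added example that is not UTA's or any terminal vendor's code. The lane names, serial numbers, heartbeat format and 30-second threshold are assumptions, and the heartbeat log is constructed sample data.

```python
from datetime import datetime, timedelta

# Asset records (constructed): lane -> PED serial recorded at deployment.
ASSET_RECORDS = {"lane-1": "PED-0001", "lane-2": "PED-0002", "lane-3": "PED-0003"}

# Constructed heartbeat log: (timestamp, lane, serial the terminal reported).
# Assumed format; terminals are assumed to report every 15 seconds.
HEARTBEATS = [
    ("2024-12-01T09:00:00", "lane-1", "PED-0001"),
    ("2024-12-01T09:00:15", "lane-1", "PED-0001"),
    ("2024-12-01T09:00:30", "lane-1", "PED-0001"),
    ("2024-12-01T09:00:45", "lane-1", "PED-0001"),
    ("2024-12-01T09:01:00", "lane-1", "PED-0001"),
    ("2024-12-01T09:00:00", "lane-2", "PED-0002"),
    ("2024-12-01T09:00:15", "lane-2", "PED-0002"),
    ("2024-12-01T09:01:00", "lane-2", "PED-9999"),  # back after 45 s, new serial
    ("2024-12-01T09:00:00", "lane-3", "PED-0003"),
    ("2024-12-01T09:00:15", "lane-3", "PED-0003"),  # then silent
]

# Assumed threshold: shorter than the under-one-minute swap the footage showed.
MAX_GAP = timedelta(seconds=30)


def audit_peds(asset_records, heartbeats, now, max_gap=MAX_GAP):
    """Return sorted (lane, finding) pairs for terminals that need inspection."""
    findings, last_seen = set(), {}
    for stamp, lane, serial in sorted(heartbeats):  # ISO stamps sort by time
        seen_at = datetime.fromisoformat(stamp)
        if lane not in asset_records:
            findings.add((lane, "unknown-lane"))
        elif serial != asset_records[lane]:
            findings.add((lane, "serial-mismatch"))
        # A terminal that drops offline and returns may have been unplugged.
        if lane in last_seen and seen_at - last_seen[lane] > max_gap:
            findings.add((lane, "offline-gap"))
        last_seen[lane] = seen_at
    # Every PED in the asset records must still be reporting at audit time.
    for lane in asset_records:
        if lane not in last_seen or now - last_seen[lane] > max_gap:
            findings.add((lane, "not-reporting"))
    return sorted(findings)


if __name__ == "__main__":
    for lane, finding in audit_peds(
            ASSET_RECORDS, HEARTBEATS, datetime.fromisoformat("2024-12-01T09:01:10")):
        print(f"{lane}: {finding} -> inspect this terminal")
```

A modified device can report a copied serial number, so a clean result here supports the visual inspections above and does not replace them.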