POS device security inspections by merchants
Why must I run recurrent POS inspections?
This is not only a PCI-DSS requirement but also a way of keeping you, your employees, customers, device(s) and business safe from fraud and criminals. In addition, as a business owner with a POS device, you need to keep up with the latest industry trends as well as legal requirements, as this type of compliance is obligatory. Furthermore, such compliance will help you reduce tampering and data loss.
What is device auditing?
POS auditing is a part of PCI compliance and involves the regular inspection of your POS terminals. This inspection process is necessary to determine whether any of your devices has been tampered with.
What is the first step in undertaking the device audit?
You will first need to ensure you have a comprehensive list of all your devices and their locations. To do this, collect the following data:
- The make of the device, including the manufacturer and its model
- A method to identify the device, such as its serial number
- The location of each device
- The specific locations within the physical operating environment
What else does that auditing process consist of?
You will also be required to inspect your devices’ surfaces on a regular basis to detect tampering. Check for card skimmers and other hardware that may have been added by an unauthorised individual. It’s also important to regularly check the device’s serial number or other characteristics to ensure that it has not been swapped with a fraudulent device. Your employees should also be trained to undertake these checks from time to time.
What do I need to do in the personnel interview process?
When you interview your personnel, you will need to verify that your list of devices is constantly updated, especially when you add new devices or relocate or decommission a device. Once that step has been followed, you will need to “select a sample of devices from the list and observe devices and device locations to verify that the list is accurate and up to date.”
What are the steps in the auditing process?
Firstly, you need to ensure that the software on your device is regularly updated to ensure there is no data loss. Secondly, check the stickers on the device. These stickers usually contain important information, and if they have been damaged, this could be a sign of illicit tampering with your device. Thirdly, consider photographing your device from various angles to enable you to compare it to its original state in the future. Fourthly, check that no new cables have been connected to the device. Next, if you have video cameras installed at your business premises, check your footage regularly for individuals near your POS terminal and for any suspicious activity in the area. Finally, do an overall thorough visual check of the device to see whether it has been tampered with.
What should I do if I believe there is suspicious activity around the myPOS device?
You will need to follow these steps to take the necessary precautions:
- Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot payment terminals;
- Always be aware of suspicious behavior around payment terminals, for example attempts by unknown persons to disconnect or open devices;
- Always report suspicious behavior to myPOS via your manager or distributor. When in doubt, contact myPOS directly.
What do I do if my terminal gets lost or is stolen?
When you discover that a myPOS payment terminal is lost or stolen, proceed as follows:
- Write an email with answers to the following questions:
  - What is the model and serial number of the missing terminal? If necessary, you can determine the serial number through exclusion: check the serial numbers of the terminals in your store against the terminals that your myPOS account lists.
  - Where was the terminal lost or stolen?
  - How did this happen?
  - How did you discover the terminal was missing?
  - Was the terminal in active use, or was it still in its packaging with intact security seals?
  - If you suspect theft, did you file a police report?
    - If yes, attach a copy/scan of the police report to the email;
    - If no, file a police report and send it to us as soon as possible.
  - What actions have you taken to prevent this from happening again?
- Send your email to myPOS Customer Support at email@example.com and firstname.lastname@example.org in CC.