Trust Your Fellow Man, But Not A Tired Store Associate

Written by Walter Conway
July 1st, 2010

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

Fast on the heels of the compromised U.K. POS devices comes word from Visa of a list of PIN entry devices (PEDs) that are known to have been compromised, including some that had previously been certified as PCI compliant.

These PEDs were altered by the bad guys and used in skimming attacks to capture magnetic stripe and PIN data. What is perhaps most disturbing about the Visa bulletin is that several of the devices had been tested and approved for new installation. That means the retail CIO’s responsibility does not stop with making sure they purchase compliant devices. Acquirers and retailers also need to ensure that devices are not compromised after they are installed.

The list of compromised devices supports Visa’s July 1 sunset date for older and untested PEDs: For example, four of the seven compromised brands (actually more, if you include all the different model numbers) need to be replaced by this deadline. The remaining three models on the list were tested and passed, yet they somehow were compromised in spite of the certification.

In many cases, the retailer’s PEDs were stolen and replaced with compromised ones. Device switching can happen very quickly (often in under one minute), and it usually takes place after business hours.

Visa lists several best practices for retailers to monitor their POS PEDs. Although some of them seem obscure (e.g., weighing devices to see if they vary from the manufacturer’s specifications, meaning somebody may have added a bugging device), others make good business sense and are worth highlighting.

You can avoid many problems if you continuously monitor and authenticate your POS devices. Your system will alert you or the store manager if any device is replaced with an unauthorized device or even unplugged, however briefly. Such an alert should trigger an immediate inspection and replacement of the suspect device.

I am not so sure I would depend solely on store managers and POS staff to monitor POS devices for signs of tampering. They can be the first to notice something different about a PIN pad, like a new location or an altered appearance. If they do, they should be trained to report it immediately. It seems to me, however, that these are also very busy people. Therefore, I prefer to rely on automated authentication and monitoring to detect rogue or suspect devices.

When I start a PCI assessment, I usually ask for an inventory of POS equipment. Sometimes the client cannot produce one, because they have no idea how many POS terminals or PEDs they have or where they are located. This embarrassing situation is complicated further when the client also keeps a supply of replacement devices, or “floaters.”

You need to know immediately if any device disappears, and you particularly want to know if any disappear and mysteriously reappear later. It can indicate tampering or unauthorized use of the device, even at another merchant. When I was in the payments business, I saw this situation, and it led to what we called “laundernet.”
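As an added illustration (not code from the column or from Visa’s guidance), here is the simplest form of the automated authentication and monitoring described above, run over a constructed heartbeat feed from the store’s PIN pads. The lane inventory, the serial numbers and the five-minute poll interval are assumptions; a real feed would come from the POS controller polling each pad.

```python
from datetime import datetime, timedelta

# Constructed inventory: the authorised PED serial for each lane.
INVENTORY = {
    ("store-101", "lane-1"): "PED-AAA111",
    ("store-101", "lane-2"): "PED-BBB222",
}
MAX_GAP = timedelta(minutes=5)  # assumed interval at which pads are polled

# Constructed heartbeat feed: time, store, lane, serial reported by the pad.
# Lane 2 goes silent for 15 minutes and then returns; lane 1 starts reporting
# a serial that is not in the inventory (a swapped device).
HEARTBEATS = """\
2010-07-01T21:55:00 store-101 lane-1 PED-AAA111
2010-07-01T21:55:00 store-101 lane-2 PED-BBB222
2010-07-01T22:00:00 store-101 lane-1 PED-AAA111
2010-07-01T22:05:00 store-101 lane-1 PED-AAA111
2010-07-01T22:10:00 store-101 lane-1 PED-AAA111
2010-07-01T22:10:00 store-101 lane-2 PED-BBB222
2010-07-01T22:15:00 store-101 lane-1 PED-ZZZ999
"""

def check_heartbeats(inventory, feed, max_gap=MAX_GAP):
    """Return (time, store, lane, reason) alerts for swapped, reappearing and silent pads."""
    alerts = []
    last_seen = {}  # (store, lane) -> (timestamp, serial)
    latest = None
    for line in feed.strip().splitlines():
        ts_s, store, lane, serial = line.split()
        ts = datetime.fromisoformat(ts_s)
        latest = ts
        key = (store, lane)
        expected = inventory.get(key)
        if serial != expected:
            # A pad reporting a serial other than the one inventoried for this
            # lane is the signature of a device swap: inspect and replace it.
            alerts.append((ts_s, store, lane, f"unexpected device {serial}, expected {expected}"))
        prev = last_seen.get(key)
        if prev and ts - prev[0] > max_gap:
            # Silent for more than one poll interval and then back: the pad was
            # unplugged or taken away and returned, which itself warrants inspection.
            minutes = int((ts - prev[0]).total_seconds() // 60)
            alerts.append((ts_s, store, lane, f"reappeared after {minutes} min silence"))
        last_seen[key] = (ts, serial)
    # Inventoried lanes that have gone quiet by the end of the feed.
    for key, expected in inventory.items():
        prev = last_seen.get(key)
        if latest and (prev is None or latest - prev[0] > max_gap):
            alerts.append((latest.isoformat(), key[0], key[1], f"{expected} not heard from"))
    return alerts
```

Each alert is a lane to send someone to look at; in this sample it flags lane 2 for reappearing after a 15-minute gap and lane 1 for reporting an uninventoried serial.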

Any social engineering penetration testers worth their salt have a supply of uniforms that are sure to get them access to all sorts of sensitive equipment, from POS devices to back-office servers. Store managers need to check IDs (although this may not help much) and confirm unexpected service calls with the company. Above all, they should escort technicians continuously and observe their actions from the time they arrive until they leave.

I personally had an experience like this when a power company repairman rang our doorbell. He wanted to know if we wanted a new, intelligent gas meter. I wasn’t expecting anyone and certainly didn’t call, so I asked for his ID and checked out the markings on his truck. I never left his side as he swapped out the meter. At the end, he thanked me and told me he wished everybody acted as I did: it would keep him from being falsely accused of breaking or stealing things.

Growing up near Chicago, I remember hearing public service announcements on television saying, “It is 10 o’clock. Do you know where your children are?” Maybe we need to change that message to say, “Do you know where your POS devices are?”

What do you think? I’d like to hear your thoughts. Either leave a comment or E-mail me at


One Comment

  1. Dirk Says:

    This is a good article. It shows the problems of POS security in everyday life. I believe that there is no way to get ultimate security in the use of POS terminals as long as things that were described in the article can happen. Tighter restrictions and more technology in the use of the POS can help to a certain amount, but businesses always will ask for flexibility and mobility of their POS devices. Just think of all the mobile POS devices connected via WiFi or older mobile networks with their servers. Those devices make it easy and comfortable for people sitting outdoors in a restaurant to pay the bill. It will even make them feel more secure than giving the waiter the card, not knowing what he is doing with it out back. But all the actions that were suggested to make things more secure would not work on those devices. They get disconnected (loss of communication), get dirty (different weight), etc.

    We need to make security the responsibility of the customer and his own devices. There are good examples like sending a TAN to his mobile device, which he would have to key in to approve the payment. Security can’t rely simply on the POS terminal. We need a second piece of hardware and a second channel of communication in the customers’ sphere to make transactions more secure. The principles of possession (hardware) and knowledge (PIN, TAN) in the hands of the customer will do a lot more in terms of transaction security than just looking at the merchants and their terminals.
