PIN Pad Monitoring


PIN pad tampering, also known as “skimming,” is one of the most common criminal practices used to gain access to personal credit card data. To gain this access, criminals usually replace the retailer’s PIN pad with a similar, modified device. Once the criminal has swapped the PIN pad at the register, the modified device can either transmit the information wirelessly in real time to another computer, store the customer data temporarily to be retrieved later, or use the retailer’s own network to transmit the data to a remote computer.

New PIN pad monitoring functionality has been added to EDJ’s StoreGazer application to address the applicable standards and best practices introduced in the PCI document “Skimming Prevention: Best Practices for Merchants.” StoreGazer goes beyond what is recommended by providing real-time, electronic monitoring as well as a history of the serial numbers, software versions, and parameters used to run the PIN pads. Through the new smart grid interface, users can track the history of all PIN pads, viewing reports on which PIN pads have been connected and to which terminals. More importantly, to combat PIN pad tampering, administrators can set up email notifications to be sent immediately any time a new PIN pad is added to a terminal. As a result, if a compromised PIN pad device is attached to a terminal, security personnel are notified immediately.


PIN Pad Monitoring for StoreGazer 4.0

Toshiba’s ACE V7R5 application is required to access this functionality, which is being made available to StoreGazer 4.0 users.


PCI Requirement 9.9 of the PCI DSS v3.1 specifically addresses PIN pad monitoring and what information must be maintained in order to stay in compliance.

Requirement 9: Restrict physical access to cardholder data

9.9  Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.

9.9.1  Maintain an up-to-date list of devices. The list should include the following:

  • Make, model of device
  • Location of device (for example, the address of the site or facility where the device is located)
  • Device serial number or other method of unique identification
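As an added illustration of the check described above (not StoreGazer code or a PCI artifact): a device inventory carrying the 9.9.1 fields, and an alert whenever a terminal reports a PIN pad serial or software version that does not match its record. Terminal ids, serial numbers, locations and versions are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PinPad:
    """One inventory record with the PCI DSS 9.9.1 fields (make, model, location, serial)."""
    make: str
    model: str
    serial: str
    location: str
    firmware: str  # approved software version, as tracked by the monitoring feature

# Approved inventory keyed by the terminal each PIN pad is paired with (constructed values).
INVENTORY = {
    "REG-01": PinPad("VendorA", "ModelX", "SN-0001", "Store 12, lane 1", "1.2"),
    "REG-02": PinPad("VendorA", "ModelX", "SN-0002", "Store 12, lane 2", "1.2"),
}

def check_poll(terminal: str, serial: str, firmware: str, inventory=INVENTORY) -> list[str]:
    """Compare what a terminal reports about its attached PIN pad with the inventory.

    Returns alert strings; an empty list means the observed device matches its record.
    """
    expected = inventory.get(terminal)
    if expected is None:
        return [f"{terminal}: terminal not in inventory, reports PIN pad {serial}"]
    alerts = []
    if serial != expected.serial:
        # A known serial on the wrong lane is a move; an unknown serial is a substitution.
        owner = next((t for t, p in inventory.items() if p.serial == serial), None)
        if owner:
            alerts.append(f"{terminal}: PIN pad {serial} moved from {owner}, expected {expected.serial}")
        else:
            alerts.append(f"{terminal}: unknown PIN pad {serial} replaced {expected.serial}")
    elif firmware != expected.firmware:
        # Same device, different software: flag it for review rather than ignore it.
        alerts.append(f"{terminal}: firmware {firmware} differs from approved {expected.firmware}")
    return alerts

def scan(polls, inventory=INVENTORY) -> list[str]:
    """Run one store-wide sweep of (terminal, serial, firmware) polls."""
    alerts = []
    for terminal, serial, firmware in polls:
        alerts.extend(check_poll(terminal, serial, firmware, inventory))
    return alerts

if __name__ == "__main__":
    # Constructed sweep: lane 1 unchanged, lane 2 reports a device not in the inventory.
    for a in scan([("REG-01", "SN-0001", "1.2"), ("REG-02", "SN-7777", "1.2")]):
        print("ALERT", a)
```

In a deployment the alert list would feed the email notification path the page describes, and the inventory would be updated only after a technician confirms a legitimate replacement.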