Be aware that the chip and PIN devices on your premises are valuable assets. If they are not protected throughout their complete life cycle, they can be compromised by criminals and used to perpetrate fraud that will ultimately have a financial impact on the retailer, and may also cause reputational damage that further harms the business.
The need to secure PEDs begins from the moment they are released by the vendor to the retailer. Once a device has been delivered, tracking that asset becomes the responsibility of its owner (acquirer, third-party provider or retailer) wherever it is stored, whenever it is in transit and wherever it is installed.
In the case of face-to-face card transactions (i.e. those in shops and stores where the cardholder is present during the transaction) the principal assets under threat are the personal payment card details and the PINs used to verify the cardholder's identity. Personal payment card details, which the Payment Card Industry Data Security Standard (PCI DSS) groups under cardholder data and sensitive authentication data, include the primary account number (PAN), start and expiry dates, service code and the CSC (card security code). Currently these values can be obtained from the magnetic stripe on a live credit or debit card and from the static data embedded in the integrated circuit of a chip card. This information is at risk when it is captured from the card in a reader, or from the data messages passed to and from the point of sale. Fraudsters can use the data captured during a live transaction to create a plausible magnetic stripe clone of the live card.
With the advent of chip and PIN, personal payment card data alone is of limited value for face-to-face transactions in the UK unless the associated PIN can also be obtained by the fraudster. However, the information, including the PIN, remains valuable to fraudsters, particularly for use overseas. The industry has seen increasing sophistication applied to the capture of these assets, either directly from the keypad of a PED or by recording the transaction with hidden micro-cameras. Fraudsters have successfully deployed both attack methods in the past.
Criminals then use the captured card details together with the PIN to manufacture cloned magnetic stripe cards, which are used to withdraw cash from cash machines or to pay at retailers in countries that have not yet upgraded to chip and PIN.
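To make the "sensitive cardholder information" above concrete, the following Python is an added example (not part of this guidance document) that parses an ISO/IEC 7813 Track 2 record of the kind a skimmer captures from the magnetic stripe or that appears in a terminal-to-acquirer message. It Luhn-checks the PAN, extracts the expiry and service code, and produces the masked form that PCI DSS permits in logs. It also shows why the clone described above works only at terminals that ignore the service code: a first digit of 2 or 6 tells a chip-capable terminal that the chip should be used. The sample records are constructed test data (4111111111111111 is a standard Luhn-valid test PAN, not a live card), and the function and field names are this example's own.

```python
"""Parse, validate and mask an ISO/IEC 7813 Track 2 record (added example)."""
import re
from dataclasses import dataclass

# Constructed sample records, not real cards. The first uses a standard
# Luhn-valid test PAN; the second has its check digit altered so it fails.
VALID_TRACK2 = ";4111111111111111=29122011234567890?"
BAD_LUHN_TRACK2 = ";4111111111111112=29122011234567890?"

# Track 2 layout: start sentinel ';', PAN (up to 19 digits), separator '=',
# expiry YYMM, 3-digit service code, issuer discretionary data, end
# sentinel '?'. The LRC byte that follows on the stripe is omitted here.
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{13,19})=(?P<yy>\d{2})(?P<mm>\d{2})(?P<sc>\d{3})(?P<dd>\d*)\?$"
)


@dataclass
class Track2:
    pan: str
    expiry_yy: int
    expiry_mm: int
    service_code: str
    discretionary: str

    @property
    def chip_preferred(self) -> bool:
        # First service-code digit 2 (international) or 6 (national) means
        # an IC should be used where the terminal supports it, so a chip-
        # capable terminal that honours it will not take a stripe-only clone.
        return self.service_code[0] in "26"


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    """Parse a Track 2 string; raise ValueError on malformed or bad-Luhn input."""
    m = TRACK2_RE.match(raw)
    if not m:
        raise ValueError("not a well-formed Track 2 record")
    if not luhn_ok(m["pan"]):
        raise ValueError("PAN fails Luhn check")
    mm = int(m["mm"])
    if not 1 <= mm <= 12:
        raise ValueError("invalid expiry month")
    return Track2(m["pan"], int(m["yy"]), mm, m["sc"], m["dd"])


def mask_pan(pan: str) -> str:
    """PCI DSS allows at most the first six and last four digits in the clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def safe_log_line(rec: Track2) -> str:
    """What a POS or gateway may log: masked PAN and expiry only.

    Full track data and the discretionary field must never be retained
    after authorisation; they are exactly what a stripe clone needs.
    """
    return (f"pan={mask_pan(rec.pan)} "
            f"exp={rec.expiry_mm:02d}/{rec.expiry_yy:02d} "
            f"chip_preferred={rec.chip_preferred}")


if __name__ == "__main__":
    rec = parse_track2(VALID_TRACK2)
    print(safe_log_line(rec))
    try:
        parse_track2(BAD_LUHN_TRACK2)
    except ValueError as exc:
        print("rejected:", exc)
```

Only the first service-code digit is decoded here; the second and third digits (online-authorisation and PIN/usage restrictions) are left as-is in `service_code` for the reader to interpret.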
By downloading the Security Guidance for Card Acceptance Devices, a guide aimed at retailers that accept card transactions in their shops or stores, you will be able to minimise the risk to your business.
