Detecting swapped PIN Pads at the Payment Switch


My colleague Andy Orrock has written an excellent post, "Methodology for watching PIN Pad Switches", which discusses a detective control that we put in place in OLS.Switch to detect when a PIN Pad has been changed at the point of sale, along with real-time alerting of the event.

Digital Transaction has an article here that discusses this type of attack; another summary is here and is quoted below:

Investigators say the men would enter supermarkets late at night, distract the cashier and swap a PIN pad with an alternate machine that recorded each customer’s financial data. They could swap the equipment in as little as 12 seconds, prosecutors said.

After a while, the men would return, retrieve the machines and harvest the credit and debit card information. At least six supermarkets in Rhode Island and Massachusetts were targeted, and 238 people lost money.

Another consideration is the physical security of payment terminals and PIN pads, such as bolting them down or using locking stands, and carrying out regular inspections. See Verifone's PIN Pad Security Best Practices for more.
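As an added illustration of the kind of switch-side detective control described above (this is not OLS.Switch code and not the method from Andy Orrock's post), the sketch below assumes every transaction message carries a PIN pad serial number alongside a store and lane identifier. The field names, the alert types and the sample feed are all constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class PinPadWatch:
    """Remembers the PIN pad serial last seen at each (store, lane)."""
    current: dict = field(default_factory=dict)   # (store, lane) -> serial in use
    seen: dict = field(default_factory=dict)      # (store, lane) -> every serial observed

    def observe(self, txn):
        """Return an alert dict if this transaction looks like a device change, else None."""
        key = (txn["store"], txn["lane"])
        serial = (txn.get("pinpad_serial") or "").strip().upper()
        if not serial:
            # A pad that stops identifying itself is reported, not silently skipped.
            return {"type": "MISSING_SERIAL", "key": key, "ts": txn["ts"]}
        previous = self.current.get(key)
        history = self.seen.setdefault(key, set())
        alert = None
        if previous is not None and serial != previous:
            # A serial already seen on this lane means the earlier device came back,
            # which matches the swap-then-retrieve pattern in the quoted report.
            kind = "SWAP_BACK" if serial in history else "SWAP"
            alert = {"type": kind, "key": key, "ts": txn["ts"],
                     "old": previous, "new": serial}
        self.current[key] = serial   # first sighting just sets the baseline
        history.add(serial)
        return alert


def scan(transactions):
    """Run a transaction feed through a fresh watcher and collect the alerts."""
    watch = PinPadWatch()
    return [alert for alert in map(watch.observe, transactions) if alert]


# Constructed sample feed (not real data); field names are assumptions.
SAMPLE = [
    {"ts": "T+00:00", "store": "0042", "lane": "03", "pinpad_serial": "PP-1001"},
    {"ts": "T+00:05", "store": "0042", "lane": "04", "pinpad_serial": "PP-1002"},
    {"ts": "T+01:40", "store": "0042", "lane": "03", "pinpad_serial": "PP-9XYZ"},
    {"ts": "T+01:55", "store": "0042", "lane": "03", "pinpad_serial": "pp-9xyz "},
    {"ts": "T+02:10", "store": "0042", "lane": "04", "pinpad_serial": ""},
    {"ts": "T+09:30", "store": "0042", "lane": "03", "pinpad_serial": "PP-1001"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

A planned device replacement raises the same SWAP alert, so each alert still has to be reconciled against the store's maintenance records.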