Below is security camera footage of a perpetrator installing a credit card skimmer on a payment terminal:
Some basic best practices include:
1. Train Employees to be Aware
Teach employees how to spot indications of tampering. Look out for covert installations of card skimmers, such as additional hardware near the legitimate card reader or miniature cameras placed to record PINs.
2. Take Inventory
Take inventory of all devices that collect data at all locations. Make sure to include devices not only at point of sale areas but self-service areas as well.
3. Share the Responsibility
Rotate the responsibility for the inspection to different employees as often as practical. This will limit the possibility of an insider installing such hardware and avoiding detection. Make sure the employee conducting the inspection acknowledges the condition of each device at the time of inspection.
4. Log Results
Require employees to log their entries upon completion of each inspection. Important items to track include the date and time of the inspection, the completed and signed inspection checklist, and notes on the inspection results if tampering or suspicious devices are detected.
5. Plan Ahead
Have a process identified in case a device appears to have been tampered with. These devices should be removed and safely stored for investigative purposes and referral to CAKE and law enforcement.
6. Engage Management
Include management as part of your process so that, in case of a breach, employees know who should be notified; management can then notify the proper law enforcement so an investigation can begin.
7. Restrict Wi-Fi access to an as-needed basis
Using personal devices on a POS network is a violation of PCI compliance.
Differences in CAKE Hardware to be Aware of
- Does the credit card swiper (MSR) look different than it did the other day?
- Is it wider or taller?
- Does it have an extra contact on the rail within? There should only be one contact.
- If the MSR is disassembled, are there any names on the components besides Magtek & IDTech?
- Are there any devices plugged into the POS which shouldn't be (for example, a USB thumb drive)?
CAKE 3rd Party IT Services
- CAKE will never send IT personnel to a restaurant's location without an explicit request.
- CAKE does not send out technicians for inspections of hardware. If someone is claiming to be doing so, call CAKE Support immediately or reject the investigation.
- When using 3rd party services (CAKE dispatched or not), always have an escort to accompany the technician(s).