Sunday, September 5, 2010

Best Practices for Protecting ATMs and POS Terminals

10 Tips to Thwart Skimming

The keys to thwarting card skimming can be summed up in four areas: layered security, monitoring, system audits and education. Here are 10 best practices to follow in securing ATMs and point-of-sale devices at financial institutions and retail locations.

1. Deter Self-Service Terminal Skimming

Pay-at-the-pump skimming incidents are on the rise, prompting some convenience stores and gas stations to change the locks on the enclosures that house self-service pumps. The Pantry, a convenience store chain in the South, has opted to use an anti-tampering security tape. Pantry spokesman Scott Yates says the tape seals the area of a fuel pump where criminals install skimming devices to steal card information. If the tape is tampered with, the word "Void" appears on it. Employees check the tape periodically throughout the day. The Pantry operates more than 1,600 convenience stores in 11 states.

2. Respond Quickly to ATM Skimming

ATM skimming has taken off anew, and security experts say every institution has to be ready for the crime. First, banking institutions should have an incident response plan in place so they can react quickly when an ATM skimming attack is detected. Plans should cover everything from who should be contacted to the immediate actions the institution needs to take. If a device is found, all employees should know what to do. Educate branch employees and third-party vendors, as well as ATM service providers, and make sure they are monitoring the outside of the ATMs for adhesive residue or attached devices.

3. Use Layered Security Approach

Businesses should install a series of security layers, ranging from not storing card data at all to tokenizing the data through an outsourced service provider. If data must be stored, it should be encrypted both in transit and at rest. Strong network segmentation and comprehensive configuration change controls should also be implemented. A whitelist approach to data access control, as well as a whitelist approach to data transfer routines and destinations, is among the other measures Litan recommends.

4. Increase Physical Security

To insert a skimming device, a criminal often has to remove a point-of-sale terminal from its location or swap the existing terminal for a compromised one. Consider installing cable locks on POS terminals. Many terminals have a lock slot, so a cable lock can be attached to the terminal, threaded through the cable connecting the terminal to the cash register, and then secured, so that neither the terminal nor the cable can be tampered with unnoticed.

5. Ensure PCI Compliance

Make sure all POS terminals comply with the Payment Card Industry Council's Derived Unique Key Per Transaction (DUKPT) standard. Mount terminals securely, using unique hardware as a deterrent, and visually inspect them, along with the registers, every day. Ensure all POS terminals are PCI compliant. Also, whenever work is done on the devices, make sure it is done by an authorized service provider.

6. Audit PIN Entry Devices

PEDs need to be checked on a regular basis: record each device and cross-check its serial number against the inventory. Retailers should follow the PED Security Guidelines and review the condition and placement of internal closed-circuit TV systems so that all areas are covered.

7. Use CCTV to Monitor

Use adequate lighting to support payment environments and CCTV monitoring as required. Ensure ATMs and self-service pumps are well illuminated and meet the minimum physical requirements defined by the applicable regulatory mandates. Cameras should be positioned so that they record the area around the point-of-sale PED without being able to capture any PIN being entered. Save the CCTV images for 90 days.

8. Inspect All Locations

Frequently check the ATM fascia as well as the ATM's surroundings -- or those of external POS terminals -- to ensure nothing has been added or moved. Monitor the locations where ATMs and terminals are installed, especially if skimming attacks have been reported in the area. Have branch staff check these devices during off-hours as well as over weekends and holidays - all prime times for criminals to install skimmers.

9. Set Common Standards

Establish visual standards for all ATMs and POS terminals, and maintain them at every branch or location. Take a photograph of each machine, inside and outside. Show employees what the devices should look like, so that when an ATM or POS terminal is quickly examined, employees readily recognize anything suspicious.

10. Educate Employees

Security-awareness training for all store and branch employees is the recommended place to start. Give them a set of procedures to follow. Retailers should train staff to check POS equipment periodically, for instance by confirming that POS device IDs still match the inventory and that no equipment has been swapped or changed.
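The device checks in tips 6, 9 and 10 (record each PED, keep a baseline of what every machine should be, confirm IDs and serials still match) amount to reconciling an inspection log against a baseline inventory. The script below is an added example, not code from the original article; the device IDs, models, serial numbers and dates are constructed for illustration, and the reconciliation rules (swap, unexpected device, skipped device, stale record) are this example's own.

```python
from datetime import date

# Constructed baseline inventory (the "visual standard" of tip 9 plus the
# serials of tip 6): device ID -> (expected model, expected serial).
BASELINE = {
    "LANE-01": ("PED-X", "SN-1001"),
    "LANE-02": ("PED-X", "SN-1002"),
    "ATM-07": ("ATM-Y", "SN-7007"),
}

# Constructed inspection log from one walk-through by branch staff:
# (device ID, model seen, serial seen, date inspected).
INSPECTION = [
    ("LANE-01", "PED-X", "SN-1001", date(2010, 9, 5)),
    ("LANE-02", "PED-X", "SN-2002", date(2010, 9, 5)),  # serial no longer matches
    ("LANE-03", "PED-X", "SN-3003", date(2010, 9, 5)),  # device nobody provisioned
    # ATM-07 does not appear: it was skipped on this round
]
AUDIT_DATE = date(2010, 9, 5)


def audit(baseline, inspection, today, max_age_days=1):
    """Reconcile an inspection log against the baseline inventory.

    Returns a sorted list of (device_id, finding). A swapped unit shows up as a
    serial or model mismatch, an added unit as "unexpected device", a unit that
    was not walked past as "not inspected", and an old record as stale.
    """
    findings = []
    seen = set()
    for dev_id, model, serial, when in inspection:
        seen.add(dev_id)
        if dev_id not in baseline:
            findings.append((dev_id, "unexpected device"))
            continue
        exp_model, exp_serial = baseline[dev_id]
        if serial != exp_serial:
            findings.append((dev_id, f"serial mismatch: expected {exp_serial}, found {serial}"))
        if model != exp_model:
            findings.append((dev_id, f"model mismatch: expected {exp_model}, found {model}"))
        if (today - when).days > max_age_days:
            findings.append((dev_id, "stale inspection"))
    for dev_id in baseline:
        if dev_id not in seen:
            findings.append((dev_id, "not inspected"))
    return sorted(findings)


if __name__ == "__main__":
    for dev_id, finding in audit(BASELINE, INSPECTION, AUDIT_DATE):
        print(f"{dev_id}: {finding}")
```

Any finding is a reason to pull the device from service until an authorized service provider has confirmed what changed.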
