POS PIN Entry Device Vulnerabilities
Compromised point-of-sale (POS) PIN-entry devices (PEDs) equipped with tapping mechanisms designed to capture PIN and card data have recently been found in the U.S. marketplace. Visa has received an increasing number of reports regarding POS PED theft from merchant store locations. Evidence indicates the POS PEDs are being physically removed from their locations and replaced with modified devices designed to skim account and PIN data. Surveillance has shown that suspects in most of these cases were able to remove and install a POS PED in under one minute. This type of fraud typically occurs in merchant locations with “after-hours” operations where there is minimal customer traffic or employee supervision over cash registers.
Visa strongly recommends that merchants use heightened vigilance and maintain a secure store environment at all times, especially around cash registers and POS PEDs. Visa recommends merchants physically secure PEDs at all locations so PEDS cannot be easily modified or replaced.
Merchants should train their employees on the potential for PIN compromise and what action to take if a POS PED is stolen or missing, or there are noticeable signs of device-tampering. If POS PED tampering is suspected, merchants should immediately contact their merchant bank, Visa, and law enforcement.