PCI Best Practice Supplement for Merchants

August 2009 release of best practice doc, PCI_skimming_prevention_form.pdf, directed at skimming attacks. Illustrates how exposed terminals in POS are targeted by criminals. Wires, connections, ceilings, boxes, cameras and staff problems. It's a good document though worth noting that we find it ironic that the council would provide best practice guidelines for download as a Microsoft doc file. Historically and functionally that is one of the most dangerous files to download and have a user open. Guidelines also include self-assessment forms which are useful.

Chapter 1: Overview

The primary mission of the Payment Card Industry Security Standards Council (PCI SSC) is to ensure the security of payment data and the security of the payment infrastructure that processes that data. PCI SSC is committed to build trust in the payment process and payment infrastructure for the benefit of all constituents. As the threats and vulnerabilities of fraud evolve, payment constituents can and should expect the emergence of further security standards and requirements for terminal types, terminal infrastructure, payment devices, and payment process.

This document was created to assist and educate merchants regarding security best practices associated with skimming attacks. Though currently not mandated by PCI SSC, guidelines and best practices documents are produced to help educate and create awareness of challenges faced by the payment industry. The guidelines are the result of industry and law enforcement understanding of the current and evolving threat landscape associated with skimming. In addition we have incorporated known best practices, currently conducted by many merchants, to mitigate skimming attacks taking place in their respective point-of-sale environments. .

This document contains a non-exhaustive list of security guidelines that can help merchants to:

· Be aware of the risks relating to skimming.

· Be aware of the vulnerabilities inherent the use of point-of-sale terminals and terminal infrastructure.

· Be aware of the vulnerabilities associated with staff that has access to consumer payment devices.

· Prevent or deter criminal attacks against point-of-sale terminals and terminal infrastructure.

· Identify any compromised terminals as soon as possible and notify the appropriate agencies to respond and minimize the impact of a successful attack.

Additional security can--and must--be provided by merchants to enhance the security provided y the current PCI SSC standards and payment terminal vendors. Merchants have an obligation to ensure their respective payment systems and infrastructure are secure. 

Merchants are the firstline of defense for POS fraud and are involved in the execution of the vast majority of controls suggested or required by PCI SSC. Merchants can achieve appropriate security and trust levelsat the point of sale by considering all the factors that can influence overall security in their terminal environment and taking the necessary countermeasures detailed in this document to ensure an appropriate level of security.

Recent Entries

Touchscreen Technology Website
News from 3M on multi-touch and also launch of new "education" site touchtopics.com which is to explain all various touchscreen…
PCI Best Practice Supplement for Merchants
August 2009 release of best practice doc, PCI_skimming_prevention_form.pdf, directed at skimming attacks. Illustrates how exposed terminals in POS are targeted by…
Cloud Computing - Does Amazon fail PCI Compliance?
There's an ongoing debate about the ability of cloud computing services to meet enterprise regulatory compliance requirements, including the Payment…
End-to-End Tokenized Encryption
EPX now extends data protection to what I call the 'first inch" of a transaction, i.e., from the plastic to…
Guidelines - PCI DSS Wireless Guideline Supplement
Dcument purpose  - This document provides guidance and installation suggestions for testing and/or deploying 802.11 Wireless Local Area Networks (WLAN)…
Healthcare - Building Kiosks From Scratch
In an era of consumerism, physician group practices are looking for ways to improve customer service and gain loyalty. So…
Trends - Number of retail medical clinics shrinking
Projections that showed there would be 2,500 retail clinics operating by 2010 are coming up short as the industry has…
Wireless transactions and PCI DSS 1.2 Compliance
Article covering wireless transaction and protocols in context of PCI compliance. Amazing that 11% use WPA2. Gist of article is…
EMV Level 2 - Just what does it mean?
The purpose and goal of the EMV standard is to specify interoperability between EMV compliant IC cards and EMV compliant…
CUPPS: The Platform of the Future (Airline Kiosk)
CUPPS has been architected as the platform of the future, able to accommodate many things even beyond the agent-facing applications…
EMV takes aim at U.S.
Nice article on SecureIDnews covering EMV. by Andy Williams, Associate Editor, Avisian PublicationsLike a massive tidal wave, EMV continues to roll…
Tokenization and Enterprise Security
Nice article on tokenization which also highlights lack of formal standards for tokenization at this time. Credit Card Tokenization: Put All…
Wal-Mart's Kiosk Trial Raises Serious PCI, Data Ownership Issues
Wal-Mart this month became the latest major retailer to experiment with self-service kiosks, selling space in 77 stores for units…
Proximity (NFC) Mobile Payment Technology - Security Whitepaper
The opportunities offered by the advent of proximity mobile payments are clear; differentiated payment services, increased transaction volumes, faster transactions,…
Look Beyond Hospitality Touch Screen Solutions
Whether you realize it or not, touch technology quickly is becoming the intuitive input delivery method of choice. Look no…
Level 4: The small-merchant PCI challenge
While sensational data breaches experienced by big-box retailers and processors fill the headlines, 85 percent of reported data compromises involve…
ATM Card Skimming and Pin Capture
ATM Card Skimming is a method used by criminals to capture data from the magnetic stripe on the back of…
Background - Use of Electronic Health Records in U.S. Hospitals
Report from New England Journal of Medicine on Electronic Health Records. Concludes - very low levels of adoption in U.S.…
PCI DSS in real life -- Requirement 1 Firewall
Excerpt: Critical to the selection was choosing a vendor that best met PCI DSS (Payment Card Industry Data Security Standard)…
User Interface & Content - Can I Use My Website?
Web sites, self-service can play nicely together according to Jim Kruper of Kioware.  With the increasing number of devices that…



  |