PCI: Pinpad Tampering

Tampering, generally involves insertion of a ‘bug' into a PIN Pad to capture credit or debit card account numbers, magnetic stripe data, and consumer PINs. This is similar to other stories you may have heard about criminals inserting ‘bugs' into ATMs or Gas Pumps. A commonly used tactic has been for a criminal to purchase a similar model of PIN Pad device used by a targeted merchant on the resale market, and insert a ‘bug' into that device. This tampered device is then somehow installed in place of the merchant's existing PIN Pad device where it can begin to fraudulently gather consumer information. There are several mechanisms for the criminal to collect this information, such as: simply retrieving the tampered device with its memory contents at a later date; transmitting the information in real time over a wireless connection to another computer; or transmitting through the merchants own computer network to a remote computer. Law enforcement agencies have not released any of the tampering details in these recent cases, so we do not know which method was used to get the tampered units installed or to retrieve the compromised data.

The industry is keenly aware of this potential liability and both VISA PED and PCI PED Security standards specify a series of requirements PIN Pad manufacturers must meet in order dramatically reduce the risk of tampering.