With the global spread of COVID-19, awareness of the potential risks associated with touching public-facing surfaces has intensified. Many merchants are working harder than ever to protect their customers by frequently cleaning common touch points in their stores. One of these common surfaces is the point-of-sale (POS) payment terminal, where customers swipe or dip their payment card and potentially enter a PIN to confirm their purchase.
Keeping POS devices clean should not be a new topic for merchants. However, the current situation has raised additional questions about how to maintain the security and cleanliness of POS devices. This article explores some considerations to help merchants maintain the safety and security of their POS devices in all circumstances.
Contactless transactions
Many regions support the use of contactless cards that can be waved close to the terminal without making contact, limiting the amount of physical interaction between the consumer and the device. To further support this type of transaction, a number of countries have recently increased the maximum value for which contactless and/or non-PIN transactions can be used, which is helping to reduce the amount of person-to-device contact needed for everyday purchases. Merchants are encouraged to contact their processor or acquirer to investigate the use of these techniques.
Even with the increased use of contactless transactions, there are still many occasions when physical interaction and touching the device is required.
Keeping Payment Terminals Clean
Unfortunately, some merchants have been using the same approach for cleaning their POS devices as they use for cleaning shopping baskets: spraying disinfectant directly onto the keypad before wiping it down. Because neither liquids nor chemicals go well with electronics, these cleaning practices have resulted in the failure of many devices.
PCI SSC recommends the following to avoid damaging POS devices while keeping them clean.
- Follow the device vendor’s instructions. Device construction and materials vary widely from device to device, and the device vendor should have provided clear instructions for properly maintaining and cleaning the device. This guidance is often found within the user manual or on the vendor’s website.
- Use sprays and chemicals with care. Many keypads are not designed to be watertight, and spraying liquid directly onto the terminal can result in the liquid leaking into the inside of the device and damaging sensitive electronics. Additionally, some chemicals could cause damage to the keypad or device casing. Always refer to vendor guidance on appropriate cleaning products and methods for properly applying those products.
- Wipe gently. Keypads are designed to be sensitive to touch and vigorous wiping could damage the keys or sensors.
Merchants may also wish to provide hand sanitizer, wipes or other options for customers to use.
Understanding overlays
To protect the underlying POS device from cleaning sprays and chemicals, some merchants have taken to enveloping their POS devices in plastic wrap or attaching a layer of plastic on top of the device’s keypad. Unfortunately, while the merchant may have the best intentions, applying any type of cover, or overlay, to a PCI PTS approved device could introduce additional risk.
Overlays are a known method of attack that has been used to capture card account and PIN data from ATMs and POS devices. These types of attacks typically involve placing an overlay containing wires or an illegal card reader over the keypad. These overlays can result in an attacker capturing the PIN, skimming the card, hiding tamper evidence, or changing the operation of the terminal.
Placing covers over or around devices could also conceal the presence of card skimmers or other physical evidence that the device has been compromised. This risk exists even when the overlay is considered to be transparent, as it takes only a small degree of opaqueness to camouflage or conceal the presence of a wire or sensor intended to capture payment card data.
As the use of overlays poses a security risk to both the merchant and consumer, PCI SSC does not endorse the use of overlays that interact with the entering of a payment card or PIN data. The use of these products also impacts the PCI device approval. Merchants should consult with their acquirer or payment brand on their position regarding the use of overlays during the current crisis.
As always, PCI SSC recommends that merchants pay close attention to their devices for evidence of tampering and to ensure their product is working correctly. Guidance on what to look out for can be found in the PCI SSC Information Supplement Skimming Prevention: Best Practices for Merchants.