Kiosk Physical Security Audit 3-2025

Market Physical Security

The part of PCI DSS that applies to operators is the physical security of the point-of-sale (POS) unit and card reader. This document shows you how to conduct a physical security inspection of your market POS devices. Keeping your market physically secure is important to the safety of consumers and their data. Operators are encouraged to inspect the kiosk each time they restock the store.

Credit Card Skimmers and Shimmers

POS devices and card readers are shown below. If your card reader differs from those pictured and you need help with an inspection, please call our Support Team; we can assist at any time.

  • Shown left to right: OTI, Castles, Ingenico, Verifone, PicoMarket, Nayax 

Card skimmers are illegal devices attached to the external components of a card reader. The best defense against them is a close inspection of the card reader, compared against known good units (the pictures above) or the hardware documentation for your type of device. Below is an example of a device that attaches to the outside of a card reader.

[Image: Image2.PNG, a skimmer attached to the outside of a card reader]

As technology has advanced, smaller card skimmers (also known as shimmers) have been developed that are inserted inside the card reader. These devices are somewhat harder to detect, but with a proper review of the card reader they can be spotted. When inspecting your POS unit for such devices, thoroughly inspect the outside of the card reader and look inside the card slot as well. Below is an image of a recovered internal card skimmer, or shimmer.

[Image: Image3.PNG, a recovered internal card skimmer (shimmer)]

Checklist: Skimmers and Shimmers

  1. Inspect the card reader. Does it look natural? Does it appear that it has been altered?
  2. Look for anything loose, crooked, damaged, or scratched.
  3. Look inside the card slot for any damage or objects.
  4. Pull on the card slot to see if it is loose or broken. Be sure that no foreign device has been installed.

Key Loggers

The picture below shows a common key logger. It is very unlikely that you will ever see one, but it is good to know what to look for. These devices are installed between a USB component, such as a card reader, and the computer. All new kiosks today have card readers that encrypt all card data on swipe, so any data captured on the USB connection would be encrypted and unusable by a bad actor.

[Image: Key Logger.PNG, a USB key logger]

Checklist: Key Loggers

  1. Inspect the end of the USB connector from the card reader.
  2. Are there any devices plugged in between the card reader and the main computer for the unit?
  3. Are there any other unrecognized devices present inside the unit?

Physical Locks

Some POS devices have locks installed to prevent access to the internal components. These locks usually require keys to open. The screws that hold the case on the unit can also be considered physical locks for the POS device, since they usually cover extra component slots or internal mechanisms. Shown below are Avanti and 365 V5 Kiosk locks in the unlocked position.

[Image: Kiosk Locks.PNG, Avanti and 365 V5 Kiosk locks, unlocked]

Checklist: Physical Locks

  1. Was the POS device locked upon arrival for inspection?
  2. Inspect all locks located on the unit. Do they look like they have been forced open or damaged?
  3. Do not forget about any separate expansion or cash accepting units.
  4. Inspect any screws that hold the unit’s case together. Are any screws missing or loose?
  • PICO Tamper Event: PICO platform devices have a protection mechanism against physical tampering. Any attempt to penetrate the device triggers the security alarm. The device switches to an inactive mode and locks itself immediately. In inactive mode the device refuses all operations and shows a warning message on the screen. Once the device is locked in a tampered status, it must pass security checks and maintenance before it can be returned to normal operation.
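The PICO tamper response described in the bullet above, modelled as a small fail-locked state machine. This is an added illustration written for this article, not PICO firmware or 365 Retail Markets code; the state names, the `process_card` and `clear_tamper` methods, the sensor name and the technician clearance record are all assumptions. It shows the property the bullet describes: once a tamper event fires, every operation is refused, and only a passed security check and maintenance step returns the unit to service.

```python
"""Fail-locked tamper response, modelled on the PICO behaviour described in
the checklist.  Added illustration; states, methods and sensor names are
assumptions, not the vendor's implementation."""

from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class State(Enum):
    NORMAL = "normal"
    TAMPERED = "tampered"  # inactive and locked; warning shown on screen


class DeviceLockedError(Exception):
    """Raised when an operation is attempted while the device is locked."""


@dataclass
class TamperEvent:
    sensor: str                       # assumed sensor name, e.g. "case_switch"
    cleared_by: Optional[str] = None  # technician who cleared it, once cleared


@dataclass
class PosDevice:
    state: State = State.NORMAL
    events: List[TamperEvent] = field(default_factory=list)

    def screen_message(self) -> str:
        if self.state is State.TAMPERED:
            return "WARNING: tamper detected, device locked. Contact support."
        return "Ready"

    def tamper_detected(self, sensor: str) -> None:
        # Any penetration attempt locks the device immediately.  A second
        # trigger while already locked is still recorded for the audit trail.
        self.events.append(TamperEvent(sensor))
        self.state = State.TAMPERED

    def process_card(self, token: str) -> str:
        # Every operation is refused in the inactive/locked mode.
        if self.state is State.TAMPERED:
            raise DeviceLockedError(self.screen_message())
        return f"approved:{token}"

    def clear_tamper(self, technician: str, checks_passed: bool) -> bool:
        """Return the unit to normal only after the security checks and
        maintenance pass.  Returns True when the device was unlocked."""
        if self.state is not State.TAMPERED or not checks_passed:
            return False
        for ev in self.events:
            if ev.cleared_by is None:
                ev.cleared_by = technician
        self.state = State.NORMAL
        return True


def demo() -> Dict[str, object]:
    """Walk one unit through a tamper event and report what happened."""
    dev = PosDevice()
    before = dev.process_card("tok-1")
    dev.tamper_detected("case_switch")
    try:
        dev.process_card("tok-2")
        refused = False
    except DeviceLockedError:
        refused = True
    failed_clear = dev.clear_tamper("tech-42", checks_passed=False)
    passed_clear = dev.clear_tamper("tech-42", checks_passed=True)
    after = dev.process_card("tok-3")
    return {
        "before": before,
        "refused_while_locked": refused,
        "unlocked_after_failed_checks": failed_clear,
        "unlocked_after_passed_checks": passed_clear,
        "after": after,
        "cleared_by": [ev.cleared_by for ev in dev.events],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that the locked state is the safe default: a failed clearance leaves the unit locked and leaves no clearance record, and the event log keeps who cleared each tamper event, which is what an incident review later needs.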

Network Components

Many POS units come with networking equipment to connect to the Internet for operation. These networking devices should never be in an exposed area: an unsecured router, firewall or switch can be used to access or compromise the network of the POS unit and other market equipment. Many full-size kiosks keep the networking components inside the main case of the unit or have a protective cover that goes over the extra ports.

[Image: Procective Shell.PNG, protective cover over the extra ports]

Checklist: Network Components

  1. Locate the Ethernet cable that connects the POS unit to the next networking component. This component could be a switch, a router, a cellular internet device (e.g. Opt Connect), or a wall jack provided by the ISP or by the location where the unit operates. Some units use a wireless connection and have no external cables.
  2. Is the connected network component in a secure location? Are any extra ports exposed?
  3. Do you recognize all devices plugged into the networking component used by the POS unit?
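Checklist item 3 asks whether you recognize every device on the networking component. As an added example (not the page's or 365 Retail Markets' tooling), the script below compares a router's client table against an allowlist of the devices the operator installed and flags anything else. The allowlist, the snapshot, the hostnames and the column layout are all constructed assumptions. It goes slightly beyond the checklist by accepting the several MAC address notations that different routers print, so one allowlist works whichever device produced the table.

```python
"""Flag devices on the kiosk network segment that are not on the operator's
allowlist.  Added example; the allowlist and the snapshot are constructed."""

import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed allowlist: the devices the operator knows were installed in
# this market, keyed by MAC address.
ALLOWLIST: Dict[str, str] = {
    "00:11:22:33:44:55": "kiosk main computer",
    "00:11:22:33:44:66": "cellular internet device",
}

# Constructed snapshot in the shape of a router's DHCP/ARP client table:
# ip, mac, hostname.  The mixed MAC notations are deliberate.
SNAPSHOT = """\
192.168.10.2   00:11:22:33:44:55   kiosk-01
192.168.10.1   00-11-22-33-44-66   cell-gw
192.168.10.7   AABB.CCDD.EEFF      android-3f9c
"""


@dataclass
class Finding:
    ip: str
    mac: str
    hostname: str
    label: str  # allowlist description, or "UNRECOGNIZED"


def normalize_mac(mac: str) -> str:
    """Accept colon, hyphen or dotted notation; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit(snapshot: str, allowlist: Dict[str, str]) -> List[Finding]:
    """Label every device in the snapshot; unknown MACs are flagged."""
    known = {normalize_mac(m): desc for m, desc in allowlist.items()}
    findings: List[Finding] = []
    for line in snapshot.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # blank or malformed line
        ip, mac = parts[0], normalize_mac(parts[1])
        hostname = parts[2] if len(parts) > 2 else ""
        findings.append(Finding(ip, mac, hostname, known.get(mac, "UNRECOGNIZED")))
    return findings


def unrecognized(snapshot: str, allowlist: Dict[str, str]) -> List[Finding]:
    """Only the devices that need the operator's attention."""
    return [f for f in audit(snapshot, allowlist) if f.label == "UNRECOGNIZED"]


if __name__ == "__main__":
    for f in audit(SNAPSHOT, ALLOWLIST):
        flag = "!!" if f.label == "UNRECOGNIZED" else "ok"
        print(f"{flag} {f.ip:<15} {f.mac}  {f.hostname:<14} {f.label}")
```

Treat this as a complement to the physical check, not a replacement: a device plugged into an exposed port that has not requested an address will not appear in the client table, which is exactly why item 2 asks whether extra ports are exposed.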

Reviewing DVR Footage

When an incident is reported, it is vital to review video footage from the date and time at which the operator or customer reported, or suspects, the incident occurred. If a DVR is not in place, the kiosk operator should contact the local company and request that its footage be reviewed following the same process.

This is a manual process for which the operator is responsible, since 365 Retail Markets does not have access to these camera systems. Physical evidence of device tampering is crucial to completing our Incident Response process, as footage can show criminal activity, device tampering, system malfunctions, power outages or application errors.

Additional Assistance and Resources

support@365smartshop.com

security@365smartshop.com

Skimming | Federal Bureau of Investigation