CK Physical Security Guide

Overview of PCI Requirements

PCI security standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all organizations that store, process or transmit cardholder data, with guidance for software developers and manufacturers of applications and devices used in those transactions. The Council is responsible for managing the security standards, while complying with the PCI set of standards enforced by the founding members of the Council, American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.


PCI Data Security Standard (DSS)

The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers the technical and operational system components included in or connected to cardholder data. If you are a merchant who accepts or processes payment cards, you must comply with the PCI DSS.


Description of 365 Retail Markets Payment Card Security

365 Retail Markets uses a secure, direct real-time connection to the card processor when items are checked out. The transactions are card present, with no cardholder data stored for later use. Transactions are needed to complete purchase of items from the self-service, stand-alone, kiosks and mini-retail shops where 365 Retail Markets provide their services. All data is encrypted by the card reader at time the card is swiped E2EE. 365 Retail Markets does not have access to the encryption keys and cannot decrypt this encrypted cardholder data. This dramatically reduces the scope as 365 Retail Markets does not store, process and/or transmit unencrypted PAN data. 365 Retail Markets does not have access to keys, reducing scope. E2EE processing is validated by a Third Party P2PE Certified QSA.

PCI Data Security Standard – High Level Overview

Build and Maintain a Secure Network and Systems

1.   Install and maintain a firewall configuration to protect cardholder data.

2.   Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

3.   Protect stored cardholder data.

4.   Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program

5.   Protect all systems against malware and regularly update anti-virus software or programs.

6.   Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

7.   Restrict access to cardholder data by business need to know.

8.   Identify and authenticate access to system components.

9.   Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data.

11. Regularly test security systems and processes.

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel.


Kiosk Physical Security

The scope of PCI DSS that applies to operators is Physical Security of the Card Reader. This document will show you how to conduct a physical security inspection of your kiosks. Ensuring that your kiosk is physically secure is important to ensure the safety of consumers and their data. Operators are encouraged to do a physical inspection of the kiosk each time they restock the store.


Checking for Credit Card Skimmers

  • Inspect the card reader. Does it look natural? Does it appear that it has been altered?
  • Pull on the card slot. Be sure that no foreign device has been installed.

Company Kitchen card readers are displayed below. If the card reader is different than the ones shown below, call 365 Support at 888-365-6282 and we can help investigate the type of card reader installed.



Inspect the Back Side of the Card Reader

  • Are there any foreign objects attached to the back of the card reader?
  • Pull on the back of the reader carefully to be sure everything is secure


Card Skimmers

Most card skimmers are devices that are attached to the external components of a card reader. The best defense to such devices is a close review of the card reader as explained above. The picture below shows an example of a device that attaches to the outside of a card reader.


With the advancement of technology new card skimmers have been developed that are inserted inside card readers. These devices are slightly harder to detect, but with proper review of the card reader they can be spotted. When inspecting your kiosk for such devices thoroughly inspect the outside of the card reader and be sure to look inside the card slot. The picture below shows a recovered internal card skimmer.



Look for Key Loggers or Devices Plugged into the Card Reader

  • Inspect the end of the USB connecter from the card reader.
  • Are there any devices plugged in between the card reader and the computer?


    Card Reader – Plugged in    Card Reader – Unplugged


Key Loggers

The picture below shows a common key logger. It is very unlikely that you will ever see one of these, but it is good to know what to look for. These devices are installed between the card reader and the computer. If you see one of these devices take a photo and send to 365 Support at



Checking the Locks on the Kiosk

  • Is the kiosk currently locked?
  • Inspect all locks located on the kiosk. Do they look like they have been forced open? This would result in obvious damage to the locking mechanism.


Reviewing DVR Footage

When an incident is reported, it is vital to review video footage of the date and time the incident was reported or suspected to have occurred by operator or consumer. If no DVR is in place, the operator of the kiosk should contact the local company and request that this footage be reviewed, and the same process be followed.

This is a manual process that the operator is responsible for since 365 Retail Markets does not have access into these camera systems. Physical evidence of device tampering is crucial to completing our Incident Response process as it can display criminal activity, device tampering, system malfunctions, power outages or application errors.