MX 800 SERIES INSTALLATION GUIDE
11. Purchase from authorized sources.
Obtain PINpads only from a manufacturer or manufacturer’s authorized
partner. Unauthorized resellers, such as those found on online sites
like eBay, may sell devices that are already compromised, whether
intentionally or unwittingly.
12. Use authorized repair centers.
For similar reasons, have your PINpads repaired at the manufacturer or an
authorized manufacturer’s repair center which has completed a TG3 Key
Injection audit.
13. Securely dispose of retired terminal inventory.
To properly dispose of retired terminal inventory, only use firms that destroy
the encryption keys during the retirement and recycling process. Select
environmentally friendly destruction facilities that recycle all metal and plastic
components, and follow proper hazardous material destruction procedures
for PCB components. For PCI compliance verification, consider firms that
issue an inventory disposal report that lists all terminals being retired by their
serial number.
14. Develop a response plan in advance.
Develop methods and procedures on how to handle subsequent activities
should a breach occur. Determine who in your company will be the go-to
person or coordinator of all breach-related activity. How do you respond?
Who do you need to call first? Can you respond internally or should a third
party be involved? Who is the third party? How do you manage external
communications? What internal systems are involved in the breach? Do you
keep accurate records of all system change activities for all of your sites?
Physical Activities
1. Mount PINpads securely to counter.
Review the installation of your PINpads. They should be mounted on the
counter; unplugging cables should require more than turning the unit over;
and you may want to consider installing locking stands to prevent
unauthorized removal.
2. Perform weekly visual terminal inspections.
Immediately have a visual inspection performed on every device to look for
potential signs of tampering. These include anything that does not look
normal such as lack of tamper seals, damaged or altered tamper seals,
mismatched keys, missing screws, incorrect keyboard overlays, external
wires, holes in the terminal or anything else unusual. Look for hidden
cameras in the ceiling and inspect non-secured wiring. If anything out of the
ordinary is noticed, stop using the device, disconnect it from the POS
terminal or network, but do not power it down. Contact the security officer at