In the midst of a global pandemic, mitigating the spread of infection is of utmost importance. With more than 5 lakh registered cases, and the lockdown being lifted in most parts of the country, people are likely to resume several day-to-day activities, one of which also includes transacting at different point-of-sale terminals.

Rightly, merchants globally have been responding by ensuring that their point-of-sale (POS) terminals remain sanitary. However, some of the methods that are being employed can present issues for payment data security. Some criminals are exploiting the honest efforts of business owners hoping to stem the spread of COVID-19, using techniques put in place to keep terminals clean as an opportunity to steal valuable payment data.

Whilst business owners are doing a great job putting physical measures in place to stop the spread of COVID-19, in some instances doing so can leave them open to data theft as criminals find new avenues to steal cardholder data.

However, by following appropriate safety procedures merchants can help protect their customers’ payment data whilst fighting the spread of COVID-19.

AVOID COVERING THE TERMINAL
Firstly, merchants should avoid the use of covers and wraps. Applying any type of cover or wrapping to a device can introduce additional risk to a merchant and their customers.

By placing a cover on POS terminals, criminals can more easily conceal the presence of card skimmers or other physical evidence that the device has been tampered with. This is the case even when wrappings are transparent, as even the slightest opaqueness can camouflage the presence of wires or sensors that can compromise cardholder data.

Overlays are a known method of attack that has been used to steal cardholder data from POS devices. The PCI Security Standards Council (PCI SSC) has set standards to ensure the security of payment channels, including standards on PIN Transaction Security (PTS) for POS terminals.

However, even if a device was PCI PTS approved, when it is subsequently covered or wrapped it becomes vulnerable to criminal attacks. For example, it makes it easier for attackers to discreetly use an overlay to capture PIN inputs, skim card data, hide physical evidence of tampering, or change how a terminal operates.

As the use of overlays poses a security risk to both merchants and consumers, any overlay that interacts with the entering of a payment card or PIN data should be avoided. Merchants should consult with their acquirer or payment brand on their position regarding the use of overlays during the current pandemic.

ENCOURAGE CONTACTLESS PAYMENTS

Another avenue to minimise the spread of COVID-19 is the use of contactless payment methods. In light of the pandemic, many countries have increased the transaction limit for contactless payments to help minimise the need to use common touch surfaces such as POS payment terminals.

In fact, as per current regulations, customers do not need to enter their PIN for transactions if the purchase value is less than Rs. 2000. At the moment, the Reserve Bank of India has received recommendations and proposals to relax the limit from the current Rs. 2000 to Rs. 5000 to enable better adoption of digital transactions in the post-COVID-19 lockdown period.

Regardless of how a business takes a transaction, they need to ensure that they are using the most appropriate security standards to minimise their risk of payment data theft.

In the case of contactless payments, the PCI Contactless Payments on COTS (CPoC™) standard has been developed to improve security when making or taking contactless payments on a merchant's consumer off-the-shelf (COTS) device, such as a smartphone or a tablet.

These contactless payment methods have been lab-tested and specifically developed to support secure payment acceptance in new and emerging payment channels. The PCI CPoC standard helps protect the confidentiality and integrity of payment data through integrity checks and proactive monitoring.

By ensuring that they are using the most recent security standards for contactless payments, businesses can minimise their risk of data theft whilst helping fight the spread of COVID-19.

Merchants should contact their processor or acquirer to investigate whether the use of these techniques would be suitable for their business and could help them combat COVID-19 by allowing consumers to avoid using common touch points.

FOLLOW VENDOR ADVICE
It is important to note that merchants should follow the advice of their device vendor when cleaning and maintaining their POS terminals. Different devices require different cleaning techniques; for example, the use of chemicals and liquids can cause a POS device to fail if used inappropriately. Device vendors will be able to provide advice on the best cleaning technique for individual POS terminals.

Additionally, merchants can go one step further in fighting the spread of COVID-19 by providing their customers with hand sanitizer or wipes to encourage cleanliness following the transaction.

Ultimately, to best protect customers against COVID-19 while minimising the risk of payment data theft, businesses should ensure that they are using the most appropriate security standards for their transactions. This includes avoiding the use of overlays and adhering to the cleaning instructions provided by their device’s vendor.

By Nitin Bhatnagar, Associate Director – India, PCI Security Standards Council