Just caught an article from last month, where a group of men installed card skimmers on cash registers in a Florida Nordstroms. The registers used the PS/2 port on the PCs for keyboard entry, and so any text sent to the register would be caught by the skimmer. Unfortunately, the keyboards used generally have the credit card reader built into the keyboard, so that means credit card data was being sent as plain text through that same port. That’s a really big risk for cardholders and Nordstrom.

I’m not sure how they were able to hot install a PS/2 device without having to reboot the PC. In my experience, unplugging a PS/2 mouse or keyboard usually meant you had to reboot the PC to re-establish the connection. But they were able to get the skimmer installed somehow, so that’s a threat right there. Also amazed that PS/2 is still being used in industry. When I started, support handled a 50/50 split between PS/2 and USB-based keyboards and input devices. Today, it’s closer to 95% in favor of USB. It’s just easier to use and troubleshoot.

Anyway, as I’ve mentioned in previous posts, if third parties have access to your POS system, they have access to everything on it, including credit card data. It doesn’t matter if your processing software encrypts it before it shoots it off to the internet, the data is still available at some point on the computer. That’s why companies like MagTek have created great products like the Dynamag, which can encrypt the data in the MSR itself before sending it to the PC. So even if it does get compromised, all the thieves get is a garbled mess.

With PCI compliance becoming more prevalent, and merchants facing fines for data loss, doing what you can as a business owner to mitigate the damage now is a great way to avoid paying a steep fine later. We have the Dynamag available for a little over 50 dollars, and your merchant account provider can encode it usually for a nominal fee, or even for free. Seems a lot cheaper than a $20,000 fine for a data breach.

%d bloggers like this: