Just caught an article from last month, where a group of men installed card skimmers on cash registers in a Florida Nordstrom. The registers used the PS/2 port on the PCs for keyboard entry, and so any text sent to the register would be caught by the skimmer. Unfortunately, the keyboards used generally have the credit card reader built into the keyboard, so that means credit card data was being sent as plain text through that same port. That’s a really big risk for cardholders and Nordstrom.

I’m not sure how they were able to hot install a PS/2 device without having to reboot the PC. In my experience, unplugging a PS/2 mouse or keyboard usually meant you had to reboot the PC to re-establish the connection. But they were able to get the skimmer installed somehow, so that’s a threat right there. Also amazed that PS/2 is still being used in industry. When I started, support handled a 50/50 split between PS/2 and USB-based keyboards and input devices. Today, it’s closer to 95% in favor of USB. It’s just easier to use and troubleshoot.

Anyway, as I’ve mentioned in previous posts, if third parties have access to your POS system, they have access to everything on it, including credit card data. It doesn’t matter if your processing software encrypts it before it shoots it off to the internet, the data is still available at some point on the computer. That’s why companies like MagTek have created great products like the Dynamag, which can encrypt the data in the MSR itself before sending it to the PC. So even if it does get compromised, all the thieves get is a garbled mess.
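
A quick way to check which side of that line a reader is on, as an added example that is not from the article or from MagTek: capture what the reader types into a text field during a test swipe and look for cleartext ISO/IEC 7813 track data. The sample strings, the function names and the opaque hex blob are constructed for illustration; the blob does not represent any real reader's output format.

```python
import re

# Track layouts from ISO/IEC 7813, as a keyboard-wedge reader types them:
#   track 1: %B<PAN>^<NAME>^<YYMM>...?     track 2: ;<PAN>=<YYMM>...?
TRACK1 = re.compile(r"%B(\d{12,19})\^[^^?]{2,26}\^\d{4}[^?]*\?")
TRACK2 = re.compile(r";(\d{12,19})=\d{4}[^?]*\?")

# Constructed samples (assumptions): a well-known test PAN, and an opaque
# hex string standing in for output from a reader that encrypts in the head.
SAMPLE_CLEAR = ("%B4111111111111111^TEST/CARD^30121010000000000?"
                ";4111111111111111=30121010000000000?")
SAMPLE_ENCRYPTED = "02A5C9E1F07B3D44869A0C5E7712BD3F90E4A6581CDD27F3"

def luhn_ok(pan):
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def cleartext_tracks(wedge_output):
    """Return [(track, masked_pan)] for each cleartext track in the capture."""
    hits = []
    for name, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(wedge_output):
            pan = m.group(1)
            if luhn_ok(pan):
                # Report only first six / last four digits of the number.
                masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
                hits.append((name, masked))
    return hits

if __name__ == "__main__":
    for label, capture in (("plain wedge", SAMPLE_CLEAR),
                           ("encrypting reader", SAMPLE_ENCRYPTED)):
        found = cleartext_tracks(capture)
        print(label, "->", found if found else "no cleartext track data")
```

Any hit means the card number crosses the keyboard port readable, which is exactly what an inline device on that port would record.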

With PCI compliance becoming more prevalent, and merchants facing fines for data loss, doing what you can as a business owner to mitigate the damage now is a great way to avoid paying a steep fine later. We have the Dynamag available for a little over 50 dollars, and your merchant account provider can encode it usually for a nominal fee, or even for free. Seems a lot cheaper than a $20,000 fine for a data breach.


As PCI standards have become more stringent, there’s been some hesitation from retailers and restaurant owners. Ensuring your business is compliant can be expensive, and the standards have been a relatively mobile target over the years. One of the big ones on the horizon is table-side payment, which can be a tremendous cost, including mobile computers and software to take payment.

But the upside is your customers can be certain that their card isn’t being compromised, like in this KIRO article of a Red Robin employee skimming cards and then making major purchases with the card data. If you don’t feel like checking out the nitty gritty of the article, the employee had a secondary card reader, probably something that paired with her phone or maybe a custom built device to batch store card data. When she’d ring up the customers, she’d also swipe the card in the device and have all the info needed to perform online purchases.

This is usually the portion of the post where I talk about the great products that make it easy to have table-side payment. And there are some options available, such as the Motorola MC40, or mobile card readers for iOS & Android devices. But the big thing is that these kinds of situations can cause problems for business owners, such as an increase in liability insurance, or increased processing fees. So while meeting PCI standards can have a steep initial investment, in the long term you are definitely going to save money and provide a safer and better experience for your customers.
