SPIguard Blog
Compromised Pin Entry Devices delisted
Effective immediately, Ingenico i3070MP01 and i3070EP01 are no longer approved PED terminals and have been removed from the Payment Card Industry Security Standards Council (PCI SSC) approval list. Ingenico i3070MP01 and i3070EP01 point-of-sale (POS) PIN-entry devices (PEDs) have been used in tampering and skimming attacks to capture PIN and magnetic stripe card data.
As a precaution and to prevent further deployments, the PCI-SSC, in coordination with Ingenico, has revoked the approval of these two devices. Merchants should not purchase additional Ingenico i3070MP01 and 3070EP01 terminals. Devices that are already deployed can remain in production and devices that are in inventory, can continue to be deployed.
The following are some best practices, recommended by the PCI-SSC, to prevent skimming:
- Regularly inspecting terminals visually to identify anything abnormal, such as missing or altered seals or screws, extraneous wiring, holes in the device, or the addition of labels or other covering material that could be used to mask damage from device tampering.
- Physically securing terminals and PIN pads to counters to prevent removal, and physically securing cable connections.
- Physically securing under lock and key stored terminals awaiting deployment, and periodically validating the inventory on hand against asset records.
- Using terminal asset tracking procedures for devices deployed, devices awaiting deployment, devices under repair, and devices in transit to location.
- Validating the identity of repair technicians. Unauthorized or unexpected service personnel should be denied access. Authorized and validated repair technicians should be escorted and monitored.
- Periodically weighing the equipment and comparing it to vendors’ specification weight to identify the insertion of bugging devices.
