PCI DSS: New aspect on physical security
Oct 13th, 2008 by Jesper Kråkhede
I read a very interesting article today about a sophisticated manipulation of payment terminals. The fraud was complicated and had an international reach.
From a PCI DSS perspective this is more or less not handled today. Yes, the terminals should be PED approved, but the approval covers the device model as designed, not what happens to an individual unit after it leaves the lab. What if the supplier has a security breach, or if you have a break-in where someone manipulates your terminals? How could you prove that YOU did not have a breach in your payment security?
From my point of view it becomes important to have the PEDs sealed directly from the supplier, and if possible the payment application server as well (the server communicating with the bank). A seal only proves anything if you record the seal and device serial numbers on delivery and check them regularly, so that a broken or replaced seal is noticed. How else could you be sure that you are not blamed?