Opinion – Speed-point machine vulnerability 

In recent weeks, major national newspapers carried stories about the confiscation of a speed point device by police in Rundu, linked to a major scam ring. 

This article intends to alert merchants to take proactive measures to protect themselves when processing electronic transactions. 

Point-of-sale (POS) or speed-point machine fraud, as well as the use of stolen banking card details, are serious and growing problems worldwide, resulting in tens of billions of dollars in annual losses. 

These crimes are driven by global connectivity, social engineering and instantaneous (real-time) electronic transactions. Imagine receiving an alert for a payment you did not activate or authorise.

Your heart races, and you wonder how it happened.

Unauthorised purchases and withdrawals are commonplace nowadays. Digital payment fraud is more than just an inconvenience. It is a rising global challenge that targets individuals, businesses and financial institutions alike.

Modus operandi

Increasingly, criminals and criminal gangs with sophisticated tools are actively targeting vulnerable merchant POS terminals to steal payment card data and personal identification numbers (PINs) for counterfeit (fraud) purposes. These individuals and gangs worldwide are illegally accessing active POS terminals and modifying them by inserting an undetectable electronic “bug” that captures cardholder data and PINs during standard transaction processing. This crime affects everyone involved in card acceptance, undermining payment system integrity and consumer trust.

Acquirers, merchants and processors must proactively secure POS terminals to prevent tampering, starting with protecting their own banking and transaction details.

Best practices 

Essentially, merchants must maintain the highest level of security for their POS equipment to reduce the possibility of terminal tampering. 

Although there is a tendency to look for that “one best practice” or “silver bullet” that will stop POS terminal tampering incidents, the most effective strategy is to apply as many practices as possible in a layered approach that will not negatively affect the business operation. One such example is the use of firewalls to protect entry into a business’s databank. Continually tracking and monitoring all POS terminals that accept Mastercard and Visa cards is one practical approach. This involves examining POS terminals and PIN-Entry Devices (PEDs) to identify anything abnormal, e.g., missing or altered seals or screws, extraneous wiring, holes in the device, or the addition of labels, decals (seals) or other material that could be used to mask damage caused by tampering.

In addition, the following routine inspections are crucial:

1) confirming that your POS terminal and its PIN-Entry Devices (PEDs) are in their designated location;
2) confirming that the POS terminal’s manufacturer name and/or model number, and the POS terminal serial numbers, are correct;
3) establishing that the number of POS terminals in use is the same as the number of devices installed or assigned;
4) ascertaining that the colour and condition of the POS terminals are as expected, with no additional marks or scratches, especially on the seams or terminal window display;
5) verifying that manufacturer security seals and labels present no signs of peeling;
6) affirming that the manufacturer’s security markings and reference numbers are as described;
7) testing and verifying that the number of connections entering the POS terminal is as expected, with the same type and colour of cables, and with no loose wires or broken connectors.
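The routine inspection above can be recorded and checked against an asset register so that deviations are flagged consistently. The following is an added example, not part of the original article; the register layout, field names, serial numbers, models and seal references are all constructed for illustration.

```python
# Added example: reconcile a POS terminal asset register against one inspection round.
# All serials, models, locations and seal references are constructed sample values.
BASELINE = {
    "SN-0001": {"model": "ExampleTerm X1", "location": "Till 1", "seal_ref": "SEAL-1001", "cables": 2},
    "SN-0002": {"model": "ExampleTerm X1", "location": "Till 2", "seal_ref": "SEAL-1002", "cables": 2},
    "SN-0003": {"model": "ExamplePED P5", "location": "Bar", "seal_ref": "SEAL-1003", "cables": 1},
}

# What the inspector actually recorded on the shop floor (constructed).
INSPECTION = [
    {"serial": "SN-0001", "model": "ExampleTerm X1", "location": "Till 1",
     "seal_ref": "SEAL-1001", "seal_intact": True, "cables": 2},
    {"serial": "SN-0002", "model": "ExampleTerm X1", "location": "Till 2",
     "seal_ref": "SEAL-1002", "seal_intact": False, "cables": 3},
    {"serial": "SN-9999", "model": "ExampleTerm X1", "location": "Till 3",
     "seal_ref": "SEAL-1003", "seal_intact": True, "cables": 2},
]

# Attributes that must match the register exactly (checklist items 1, 2, 6 and 7).
CHECKED_FIELDS = ("model", "location", "seal_ref", "cables")

def reconcile(baseline, inspection):
    """Return a list of (serial, issue) tuples for every deviation found."""
    findings = []
    seen = set()
    for rec in inspection:
        serial = rec["serial"]
        expected = baseline.get(serial)
        if expected is None:
            # A device on the floor that was never installed or assigned (item 3).
            findings.append((serial, "device not in register"))
            continue
        if serial in seen:
            findings.append((serial, "serial recorded more than once"))
        seen.add(serial)
        for field in CHECKED_FIELDS:
            if rec[field] != expected[field]:
                findings.append((serial, f"{field}: expected {expected[field]!r}, found {rec[field]!r}"))
        if not rec["seal_intact"]:
            # Peeling or damaged manufacturer seal (item 5).
            findings.append((serial, "security seal peeling or damaged"))
    # Registered devices the inspector could not find (items 1 and 3).
    for serial in sorted(set(baseline) - seen):
        findings.append((serial, "registered device not found"))
    return findings

if __name__ == "__main__":
    for serial, issue in reconcile(BASELINE, INSPECTION):
        print(f"{serial}: {issue}")
```

Any finding should lead to the terminal being taken out of service and reported to the acquirer before further transactions are processed on it.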

System vulnerabilities 

No matter the vigilance exercised, POS machines remain vulnerable to criminal activities, primarily skimming and malware-based attacks, which compromise cardholder data for fraudulent use. The same goes for Automated Teller Machines (ATMs). Criminals exploit skimming devices hidden in POS terminals to copy card magnetic stripes, and they can also infect machines with malware for data extraction. After obtaining card data through skimming or malware, criminals use it for fraudulent online purchases.

While Europay, MasterCard, and Visa (EMV) chip technology reduces risk compared to older magnetic stripes, criminals focus on other fraud methods, like Card-not-Present (CNP) fraud, and target less secure systems. Certain transactions, such as online or mobile purchases, do not require a physical card at the point of purchase. Data breaches, phishing, and malware can be used to gather card information from various sources.

Criminals install devices on POS terminals to copy magnetic stripe data or use malicious software to capture transaction data, including card numbers and sensitive information. The stolen data are used to create counterfeit cards or commit financial fraud.

In conclusion, outdated or compromised terminals and inconsistent technology adoption pose security risks. Older POS terminals with vulnerabilities are more susceptible to malware or skimming. Although EMV chip and PIN is a global standard, continued use of the magnetic stripe for backward compatibility in some regions increases vulnerabilities.

*Maj. Gen. (RTD) J. B Tjivikua is a criminal intelligence analyst.