Payment terminals — the physical devices through which customers insert, tap, or swipe their cards — are a uniquely vulnerable component of the payment ecosystem. Unlike software vulnerabilities that can be patched remotely, a card skimming device installed on a payment terminal requires physical presence to detect and remove. The consequences of a successful skimming attack are immediate: real-time capture of card data from every transaction processed through the compromised device.
Types of POI Device Attacks
The attack types that POI security controls are designed to defend against:
| Attack Type | Method | What Is Stolen | Prevention Control |
|---|---|---|---|
| External skimmer overlay | Plastic overlay placed over legitimate card slot; reads magnetic stripe as card is inserted | Magnetic stripe data (Track 1/2), enabling card cloning | Visual inspection of card slot before and during service; tamper-evident seals |
| Internal skimmer | Device inserted inside the terminal through the card slot or USB port | Magnetic stripe data; sometimes PIN data | Regular physical inspection; tamper-evident internal seals; PIN shield inspection |
| PIN capture overlay | Overlay on PIN pad that records key presses | PIN values matched with skimmed track data for full card clone | PIN pad inspection; tamper-evident seals on PIN pad |
| Terminal substitution | Legitimate terminal replaced with criminal-owned look-alike device | All data processed — magnetic stripe, chip data, PIN | Device serial number verification against inventory before accepting replacement |
| Logical compromise | Malware installed on connected terminal through network or USB | Real-time PAN and PIN data from all transactions | Terminal firmware updates; network segmentation; endpoint security |
POI Device Inventory Program
All POI devices in the merchant environment must be maintained in a device inventory. Required inventory fields for each device:
- Device make, model, and serial number
- Physical location (branch, register number, lane)
- Assigned to (employee or station ID)
- Date placed in service
- Date of last inspection
- Terminal ID (TID) assigned by acquirer
- Device firmware version
- Notes: any observed tamper indicators; maintenance history
The device inventory must be reviewed at least annually and updated whenever devices are added, moved, replaced, or retired. Consider using a physical asset tagging system (barcodes or QR codes) to link physical devices to the inventory record.
| KEY IDEA | Device serial number verification is the primary defense against terminal substitution attacks. Every person who interacts with a POI device — service technicians, cleaners, maintenance staff — has the opportunity to substitute a device. Training personnel to verify the serial number of any device they work near (and to immediately report mismatches) is as important as technical controls. |
POI Inspection Program
Inspection Frequency
Personnel at checkout locations must inspect POI devices at least once every three months. High-risk locations (unattended kiosks, locations with high customer or contractor foot traffic) should be inspected more frequently — monthly or even weekly.
Inspection Checklist
The inspection checklist should cover:
- Card reader: Check for unusual protrusions, overlays, or modifications to the card slot entry area
- PIN pad: Check for unusual overlays on keypad; check that the keypad surface matches the device model
- USB ports: Check for any inserted USB devices or unusual cables
- Serial number: Verify device serial number matches the inventory record
- Tamper-evident seals: Check that all manufacturer seals are intact and have not been pierced or replaced
- Overall appearance: Device looks identical to other devices of the same model; no unusual wear patterns
Reporting Suspected Tampering
Personnel must be trained on what to do if they suspect tampering:
- Do not process transactions on the potentially compromised device
- Remove the device from service immediately
- Contact the security team or manager
- Preserve the device for forensic examination
- Report the incident through the incident response process
Tamper-Evident Seals
Tamper-evident seals on POI devices provide visible indication of physical entry attempts. Seals are applied over screw heads, access panels, and card reader openings. If a seal is broken or shows evidence of removal and reapplication, the device must be quarantined and inspected. Document seal serial numbers in the device inventory — seals with unique serial numbers are more difficult for attackers to replicate than plain seals.
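The inventory record, the serial number check, the three-month inspection interval, and the seal serial numbers described above can be tied together in a small verification routine. The following is an added example written for this page, not Bitlion's tooling or any product's API; the device names, serials, seal numbers and dates are constructed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

INSPECTION_INTERVAL_DAYS = 90  # minimum frequency on this page: once every three months

@dataclass
class PoiDevice:
    """One inventory record carrying the required fields listed on this page."""
    make: str
    model: str
    serial_number: str
    location: str
    assigned_to: str
    placed_in_service: date
    last_inspection: date | None
    terminal_id: str
    firmware_version: str
    seal_serials: tuple            # unique serial numbers of the applied tamper-evident seals
    notes: list = field(default_factory=list)

def inspection_overdue(dev: PoiDevice, today: date) -> bool:
    """True when the device was never inspected or the interval has lapsed."""
    return dev.last_inspection is None or \
        (today - dev.last_inspection).days > INSPECTION_INTERVAL_DAYS

def record_inspection(inventory: dict, tid: str, seen_serial: str,
                      seen_seals: tuple, today: date) -> list:
    """Compare what the inspector observes with the inventory record.
    Returns a list of findings; an empty list means pass, and last_inspection is updated."""
    dev = inventory.get(tid)
    if dev is None:
        return [f"TID {tid} not in inventory: do not accept or use this device"]
    findings = []
    if seen_serial != dev.serial_number:
        findings.append("serial number mismatch: possible terminal substitution")
    missing = set(dev.seal_serials) - set(seen_seals)
    if missing:
        findings.append(f"seal(s) {sorted(missing)} missing or replaced: possible physical entry")
    if findings:
        dev.notes.append(f"{today}: {'; '.join(findings)}")  # observed tamper indicators stay on the record
    else:
        dev.last_inspection = today
    return findings

# Constructed sample inventory (hypothetical devices, serials and seal numbers).
INVENTORY = {
    "TID-0001": PoiDevice("Acme", "P2", "SN-A1001", "Branch 12 / Lane 3", "station-L3",
                          date(2024, 1, 15), date(2024, 3, 1), "TID-0001", "4.2.1",
                          ("SEAL-7781", "SEAL-7782")),
    "TID-0002": PoiDevice("Acme", "P2", "SN-A1002", "Branch 12 / Kiosk", "kiosk-1",
                          date(2024, 1, 15), None, "TID-0002", "4.2.1", ("SEAL-7790",)),
}
```

A failed check leaves last_inspection unchanged, so the device keeps showing as overdue until it has been quarantined and cleared.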
Attending to Skimming Threats in Indonesia
Card skimming at ATMs and POS devices has been documented across Indonesia's retail and banking sectors. Indonesian banks with large ATM and POS device estates face significant operational challenges in the inspection program. Best practices for large estate management:
- Train branch managers to perform and document inspections
- Use a mobile inspection app that guides the inspector through the checklist and captures photos
- Report inspection completion through the GRC platform for compliance evidence
- Install security cameras covering all POI devices (both for incident detection and deterrence)
| IMPORTANT | For Indonesian merchants and banks operating in high-traffic tourist areas (Bali, Jakarta commercial districts, airport terminals), the skimming risk is elevated — these locations attract criminal activity precisely because of transaction volume. Inspection frequency should be increased in these locations, and security camera coverage should be confirmed to include clear views of all payment terminals. |
| Bitlion has assisted Indonesian retail banks and merchants with POI device management programs that cover thousands of devices across hundreds of branches. The operational key is making the inspection process fast enough that it actually gets done — a 5-minute, photo-documented inspection via mobile app is far more likely to be completed daily than a 30-minute written checklist review. Technology-enabled compliance makes compliance real. |