Visa's PIN-Entry Bulletin Asks For Bluetooth Signal/Pairing Scans

When Visa issued new security guidelines this month to deal with compromised PIN-entry devices, it asked that retailers "periodically scan for any unidentified Bluetooth signals and pairings at store locations," a move that goes beyond current PCI requirements. Hints of a possible PCI 2.1 rule?

The September 1 Visa Bulletin was primarily to tell merchants that five VeriFone units (Everest Plus units P003-400-01, P003-400-02, P003-400-03, P003-400-12 and P003-400-013) have been ruled "susceptible to compromise" and were indeed "used in tampering and skimming attacks" in the U.S. The list had already included other VeriFone units plus one from Ingenico (the eN-Crypt 2400, also known as the C2000 Protégé) and two from Hypercom (S7S and S8).

"Visa has also received new reports regarding POS PED thefts from merchant locations. This type of fraud typically occurs in merchant locations operating after hours with minimal customer traffic or employee supervision over cash registers; however, any store may be affected by this scheme," the bulletin said. "Recent evidence indicates that these devices were physically removed during business hours and replaced with modified devices designed to skim account and PIN data, which was then transmitted wirelessly to the fraudsters via Bluetooth. In most cases, surveillance footage showed that the suspects were able to remove and install a modified POS PED in seconds."

Walter Conway, StorefrontBacktalk's PCI columnist and a QSA for 403Labs, said the Visa Bulletin is a good one, but he thought it was interesting because of what it did not say. "The bulletin points out what the merchant learned from the video. What they don't say is how long it took someone to watch/monitor the video and find out what happened."

Conway added that the Bluetooth scanning suggestion was wise. "I liked the part about scanning for rogue Bluetooth networks. PCI already requires similar scanning (Req 11) for Wi-Fi," he said. "How long does it take a manager to walk around their POS looking for Bluetooth networks you don't expect? How about using your smartphone? It's not required by PCI, but who said PCI was your entire security policy?"

Mostly, though, the bulletin stated obvious security methods. And yet, the measures—which included weighing the equipment, checking for missing screws, altered seals or extraneous wiring, in addition to verifying the identities of any repair technicians—are worth a reminder or two.

"The onus remains on the merchant to be vigilant. You can't outsource security in your store any more than you can outsource it at home. It's part of your job," Conway said. "POS staff—assuming they are not part of the bad guys' plan—should be trained to observe and report when the POS looks 'different.' Automated systems should detect immediately when a device is removed or an unapproved one attached. It would be good if the system generated an alert, cut off the device and maybe even had somebody respond to/acknowledge the alert."