Terminal Security
Before diving into terminal security, understand:
- Card-Present Fraud patterns
- Card-Present Terminal Decisions for terminal selection
- PCI DSS Compliance requirements
Your terminal is a target. Skimmers, malware, and tampering can drain accounts before anyone notices.
The good news: most attacks are preventable with basic vigilance and proper configuration.
The Threat Landscape
Attack Types by Frequency
| Attack | How Common | Detection Difficulty | Typical Loss |
|---|---|---|---|
| Skimmers/overlays | Common | Medium (visual inspection) | High |
| POS malware | Common | Hard (no visible signs) | Very High |
| Employee theft | Uncommon | Easy (patterns visible) | Medium |
| Terminal swap | Rare | Medium | High |
| Shimmers | Growing | Hard (hidden inside) | High |
Physical Attacks
Skimmers
What they are: Devices placed over or near the card slot that capture magnetic stripe data when cards are swiped.
Types:
| Type | Where Installed | What It Captures |
|---|---|---|
| Overlay skimmer | Over card slot | Mag stripe data |
| Pinhole camera | Near keypad | PIN entry |
| Keypad overlay | Over keypad | PIN entry |
| Internal skimmer | Inside terminal | Mag stripe data |
Detection:
Daily terminal inspection:
□ Wiggle the card slot - is it loose or different?
□ Check for unusual bumps or additions
□ Compare to a known-good terminal photo
□ Look for tiny holes (camera placement)
□ Feel the keypad - does it seem thicker?
□ Check for anything blocking the tamper labels
Shimmers
What they are: Paper-thin devices inserted INTO the chip slot that intercept chip card data.
Why they're dangerous:
- Not visible from outside
- Can capture chip data
- Often noticed only through card-reading problems
Detection:
- Cards feel tight or don't insert smoothly
- Increased chip read failures
- Look inside slot with flashlight
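Because a shimmer usually announces itself as a rise in chip read failures, the failure rate is worth trending per terminal rather than noticing it anecdotally. The following is an added example, not code from the original page: it builds constructed card-attempt records (terminal IDs, dates and entry modes are all made up) and flags any terminal whose latest day's chip-failure rate jumps well above its own earlier baseline. The thresholds (3x baseline, 10% absolute, at least 10 attempts) are assumptions to tune against your own volumes.

```python
from collections import defaultdict

# Entry modes that mean the chip could not be read (the signal a shimmer leaves behind).
FAILURE_MODES = {"chip_fail", "swipe_fallback"}


def make_day(day, terminal, total, failures):
    """Build `total` constructed card attempts for one terminal and day,
    the first `failures` of them recorded as chip read failures."""
    return [(day, terminal, "chip_fail" if i < failures else "chip")
            for i in range(total)]


# Constructed sample data (not real transactions): (day, terminal_id, entry_mode).
SAMPLE_ATTEMPTS = (
    make_day("2024-03-01", "T-001", 50, 1)
    + make_day("2024-03-02", "T-001", 50, 1)
    + make_day("2024-03-03", "T-001", 50, 1)
    + make_day("2024-03-04", "T-001", 40, 12)   # jumps to 30% of cards failing to read
    + make_day("2024-03-01", "T-002", 60, 2)
    + make_day("2024-03-02", "T-002", 60, 2)
    + make_day("2024-03-03", "T-002", 60, 2)
    + make_day("2024-03-04", "T-002", 60, 2)    # steady ~3%: normal wear, not flagged
    + make_day("2024-03-04", "T-003", 4, 2)     # 50%, but only 4 attempts: too few to judge
)


def daily_counts(attempts):
    """Aggregate attempts into {terminal: {day: [chip_failures, total_attempts]}}."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for day, terminal, mode in attempts:
        cell = counts[terminal][day]
        cell[1] += 1
        if mode in FAILURE_MODES:
            cell[0] += 1
    return counts


def flag_read_failure_spikes(attempts, ratio=3.0, min_rate=0.10, min_attempts=10):
    """Flag terminals whose most recent day's chip-failure rate is both at least
    `ratio` times their earlier baseline and at least `min_rate` absolute.
    Days with fewer than `min_attempts` attempts are skipped to avoid noise."""
    findings = []
    for terminal, days in daily_counts(attempts).items():
        latest = max(days)                      # ISO dates sort chronologically
        fail, total = days[latest]
        if total < min_attempts:
            continue
        earlier = [days[d] for d in days if d != latest]
        base_fail = sum(f for f, _ in earlier)
        base_total = sum(t for _, t in earlier)
        baseline = base_fail / base_total if base_total else 0.0
        rate = fail / total
        if rate >= max(ratio * baseline, min_rate):
            findings.append({"terminal": terminal, "day": latest,
                             "rate": round(rate, 3), "baseline": round(baseline, 3)})
    return sorted(findings, key=lambda f: f["terminal"])


if __name__ == "__main__":
    for f in flag_read_failure_spikes(SAMPLE_ATTEMPTS):
        print(f"{f['terminal']} on {f['day']}: chip failure rate {f['rate']:.0%} "
              f"vs baseline {f['baseline']:.0%} -> inspect the chip slot")
```

Run against the constructed data, only T-001 is flagged; T-002 is noisy but stable, and T-003 has too few attempts to say anything. A flagged terminal is a prompt for the physical checks above (flashlight in the slot, tight card insertion), not proof of a shimmer on its own.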
Terminal Swap
What it is: Attacker replaces your terminal with a modified one that looks identical but captures all data.
Prevention:
- Secure terminals physically (bolts, cables)
- Serial number inventory
- Tamper-evident seals
- Regular serial number verification
POS Malware
POS malware is software that captures card data from terminal memory before encryption.
How It Works
The vulnerability window: After the card is swiped but before the data is encrypted and sent to the processor, it exists briefly in terminal memory. Malware captures it there.
Common POS Malware Families
| Malware | How It Spreads | What It Does |
|---|---|---|
| Backoff | Remote access exploit | Memory scraping |
| PoSeidon | Phishing, weak RDP | Memory scraping + keylogging |
| RawPOS | Supply chain, infected updates | Memory scraping |
| TreasureHunter | Phishing | Memory scraping, exfiltration |
How Malware Gets In
| Vector | How to Prevent |
|---|---|
| Weak remote access | Disable RDP, use VPN, strong auth |
| Phishing | Employee training, email filtering |
| Supply chain | Verify software sources, signed updates |
| Weak passwords | Strong credentials, no defaults |
| Unpatched systems | Regular patching |
Prevention: Network Security
Segment Your Payment Network
Payment terminals should be on their own network segment:
Internet
|
[Firewall]
|
├── Corporate network (workstations, email)
└── Payment network (terminals only)
|
[Payment terminals]
Why this matters:
- Malware on a workstation can't reach terminals
- Limits lateral movement
- Easier to monitor
Terminal Network Rules
Payment network segment rules:
□ No internet access except to processor IPs
□ No inbound connections from corporate network
□ No peer-to-peer between terminals (usually)
□ Logging all traffic in and out
□ Whitelist only necessary ports (usually 443)
Secure Remote Access
If terminals need remote management:
| Do | Don't |
|---|---|
| VPN with MFA | Direct RDP exposure |
| Whitelisted IPs | "Open to internet" |
| Session recording | Unmonitored access |
| Individual accounts | Shared credentials |
Prevention: Physical Security
Terminal Placement
| Placement | Risk Level | Why |
|---|---|---|
| Fixed, visible counter | Low | Staff can monitor |
| Fixed, low visibility | Medium | Harder to watch |
| Mobile (customer hands) | Medium | Out of sight briefly |
| Unattended (kiosk) | High | No supervision |
Physical Controls
Physical security checklist:
□ Terminals bolted or cabled to counter
□ Tamper-evident seals on terminal housing
□ Serial number documented and verified
□ Daily visual inspection (opening, closing)
□ Surveillance camera covering terminal
□ Staff trained on what to look for
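Serial number verification and seal checks only catch a swapped or opened terminal if the inspection is actually reconciled against the asset register. Here is an added example of that reconciliation, not code from the original page; the register, locations and serial numbers are constructed, and the severity labels are an assumed convention. It reports an unregistered serial (the terminal-swap case), a registered unit found at the wrong location, a broken seal, and a registered unit nobody inspected.

```python
# Constructed asset register: location -> serial number recorded at install.
INVENTORY = {
    "front-counter-1": "SN-A1001",
    "front-counter-2": "SN-A1002",
    "drive-thru": "SN-A1003",
    "back-office": "SN-A1004",
}

# Constructed opening-inspection report, as staff would fill it in.
INSPECTION = [
    {"location": "front-counter-1", "serial": "SN-A1001", "seal_intact": True},
    {"location": "front-counter-2", "serial": "SN-B7731", "seal_intact": True},  # unit not in register
    {"location": "drive-thru", "serial": "SN-A1003", "seal_intact": False},      # seal broken
    {"location": "patio", "serial": "SN-A1004", "seal_intact": True},            # unit moved
]


def reconcile(inventory, inspection):
    """Compare an inspection report with the asset register.
    Returns (severity, location, message) tuples, most severe first."""
    serial_to_location = {serial: loc for loc, serial in inventory.items()}
    seen_serials = set()
    findings = []
    for obs in inspection:
        loc, serial = obs["location"], obs["serial"]
        seen_serials.add(serial)
        registered_at = serial_to_location.get(serial)
        if registered_at is None:
            # A serial that was never registered is the terminal-swap signature.
            findings.append(("critical", loc,
                             f"serial {serial} not in register: possible terminal swap, stop using it"))
        elif registered_at != loc:
            findings.append(("high", loc,
                             f"serial {serial} is registered at {registered_at}: moved without record"))
        if not obs["seal_intact"]:
            findings.append(("critical", loc,
                             f"tamper seal on {serial} broken or missing: treat as compromised"))
    # Anything in the register that no inspector saw is either missing or skipped.
    for serial, loc in serial_to_location.items():
        if serial not in seen_serials:
            findings.append(("high", loc, f"registered serial {serial} was not seen in this inspection"))
    order = {"critical": 0, "high": 1}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


if __name__ == "__main__":
    for severity, loc, msg in reconcile(INVENTORY, INSPECTION):
        print(f"[{severity.upper()}] {loc}: {msg}")
```

Pairing this with the "known-good terminal photo" check is the cheap version of the serial-number inventory the page asks for: the photo catches overlays, the register catches a whole-unit swap.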
Tamper Detection
Most modern terminals have tamper detection:
- Opening the housing disables (bricks) the terminal
- Movement detection alerts
- Mesh protecting internals
Check: Is your terminal's tamper detection enabled and monitored?
E2EE vs. P2PE
Both encrypt card data at the terminal. The difference is validation and scope reduction.
E2EE (End-to-End Encryption)
What it is: Terminal encrypts card data before it hits your network. You can't decrypt it.
Limitation: Not validated by PCI SSC. Doesn't automatically reduce PCI scope.
P2PE (Point-to-Point Encryption)
What it is: E2EE that's been validated by the PCI Security Standards Council.
Benefit: Using a PCI-validated P2PE solution can dramatically reduce your PCI scope (SAQ P2PE vs. SAQ D).
Comparison
| Factor | E2EE | P2PE (validated) |
|---|---|---|
| Encryption at terminal | Yes | Yes |
| You can decrypt | No | No |
| PCI SSC validated | No | Yes |
| Scope reduction | Maybe | Guaranteed |
| Cost | Lower | Higher |
| Device options | More | Fewer |
Recommendation: If you're Level 1 or dealing with significant PCI burden, P2PE validation is worth the premium.
See E2EE vs P2PE for detailed comparison.
Employee Training
Your staff are your first line of defense.
What Staff Should Know
Staff training checklist:
□ How to inspect terminals (daily)
□ What skimmers and overlays look like
□ Who to report suspicious activity to
□ Never let unknown technicians access terminals
□ Verify technician identity (call company directly)
□ Don't plug unknown USB devices into POS systems
□ Report unusual terminal behavior
Social Engineering Red Flags
| Scenario | Red Flag |
|---|---|
| "I'm from [processor], here to update your terminal" | Unscheduled visit |
| "I need to install this update on your register" | Unknown software |
| "Give me your terminal to check something" | Taking terminal away |
| "I need your admin password to fix an issue" | Password request |
Rule: Always verify technicians by calling your processor/vendor directly using a known number (not one they give you).
Incident Response
Signs of Compromise
| Signal | What It Might Mean |
|---|---|
| Cards getting declined that usually work | Terminal issue or tampering |
| Customer complaints of fraud after visiting | Card data stolen at your location |
| Card brand notification of fraud cluster | Common Point of Purchase (CPP) identified |
| Terminal behaving strangely | Possible malware |
| Unknown network traffic from payment segment | Exfiltration attempt |
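The payment-segment rules above (egress only to processor IPs on port 443, no inbound from corporate, no terminal-to-terminal) are only useful if the logged traffic is checked against them, which is also how the "unknown network traffic from payment segment" signal in this table gets raised. The block below is an added example, not code from the page or any vendor: it parses constructed firewall log lines in an assumed key=value format and classifies each flow against an assumed policy. All addresses are placeholders from private and documentation ranges, not real processor endpoints.

```python
import ipaddress

# Constructed policy. Addresses are placeholders (RFC 1918 and RFC 5737 test ranges),
# not any real processor's endpoints.
PAYMENT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
PROCESSOR_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]
ALLOWED_EGRESS_PORTS = {443}

# Constructed firewall log lines (assumed "timestamp key=value ..." format).
SAMPLE_LOG = """\
2024-03-04T10:15:02Z src=10.20.0.11 dst=203.0.113.10 dport=443 proto=tcp
2024-03-04T10:15:09Z src=10.20.0.11 dst=198.51.100.7 dport=443 proto=tcp
2024-03-04T10:16:30Z src=10.20.0.12 dst=203.0.113.10 dport=8080 proto=tcp
2024-03-04T10:17:41Z src=10.10.4.5 dst=10.20.0.11 dport=22 proto=tcp
2024-03-04T10:18:03Z src=10.20.0.11 dst=10.20.0.12 dport=445 proto=tcp
2024-03-04T10:18:55Z src=10.10.4.5 dst=10.10.4.6 dport=445 proto=tcp
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' log line into a dict."""
    ts, *pairs = line.split()
    rec = {"ts": ts}
    for pair in pairs:
        key, value = pair.split("=", 1)
        rec[key] = value
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec):
    """Return 'allowed', 'out_of_scope', or a 'violation:<reason>' string."""
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])
    src_pay, dst_pay = src in PAYMENT_SEGMENT, dst in PAYMENT_SEGMENT
    if not src_pay and not dst_pay:
        return "out_of_scope"                   # never touches the payment segment
    if src_pay and dst_pay:
        return "violation:terminal_to_terminal"
    if dst_pay:
        return "violation:inbound_to_payment_segment"   # nothing should initiate inbound
    # Outbound from a terminal: destination must be an approved processor range first,
    # then the port must be on the short allowlist.
    if not any(dst in net for net in PROCESSOR_ALLOWLIST):
        return "violation:egress_to_unapproved_host"    # the exfiltration signal
    if rec["dport"] not in ALLOWED_EGRESS_PORTS:
        return "violation:unapproved_port"
    return "allowed"


def audit(log_text):
    """Classify every non-empty line; return (timestamp, src, dst, dport, verdict) tuples."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        results.append((rec["ts"], rec["src"], rec["dst"], rec["dport"], classify(rec)))
    return results


def violations(log_text):
    """Only the flows that break the payment-segment policy."""
    return [r for r in audit(log_text) if r[4].startswith("violation:")]


if __name__ == "__main__":
    for ts, src, dst, dport, verdict in violations(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst}:{dport}  {verdict}")
```

The same classification can run as a scheduled job over the firewall's own export; a single `egress_to_unapproved_host` hit from a terminal is worth treating as a possible compromise under the steps in the next section rather than as a logging curiosity.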
If You Suspect Compromise
Immediate actions:
□ Stop using the suspected terminal
□ Preserve evidence (don't wipe or reset)
□ Document everything observed
□ Contact your processor
□ Check other terminals for similar issues
□ Review recent transactions for patterns
□ Start Breach Response if confirmed
See Breach Response Playbook for full incident response.
Terminal Inspection Checklist
Use this daily (opening and closing):
Visual Inspection:
□ Terminal looks same as yesterday?
□ No new devices attached?
□ Card slot feels normal?
□ Keypad feels normal thickness?
□ No unusual holes or additions?
□ Tamper seals intact?
□ Serial number matches inventory?
□ Cable connections secure?
Functional Check:
□ Terminal powers on normally?
□ Test transaction works?
□ No unusual screens or messages?
□ Receipts printing correctly?
Tip: Take photos of your terminals for comparison. Keep photos in a secure location.
Test to Run
Terminal security audit (monthly):
Network:
□ Are terminals on segmented network?
□ What IPs can terminals reach?
□ Is remote access secured (VPN, MFA)?
□ When was terminal software last updated?
Physical:
□ Are terminals physically secured?
□ Are tamper seals in place and intact?
□ Serial numbers match inventory?
□ Staff trained on inspection?
Encryption:
□ What encryption method (E2EE, P2PE)?
□ Is it working (test transaction)?
□ When were encryption keys last rotated?
Scale Callout
| Business Type | Focus |
|---|---|
| Single location, staffed | Daily inspection, basic network hygiene |
| Multiple locations | Centralized monitoring, regular audits, standardized config |
| Unattended terminals (kiosks) | Heavy physical security, cameras, more frequent inspection |
| High-value transactions | P2PE, network segmentation, enhanced monitoring |
| Franchise/distributed | Training consistency, compliance verification, audit program |
Where This Breaks
- Unattended terminals. Kiosks and unattended payment points are high-risk. Physical security, cameras, and frequent inspection are essential.
- Third-party access. Technicians, cleaners, and delivery people can all access terminals. Verify identities and supervise access.
- Old terminals. Legacy terminals may lack tamper detection, encryption, or security updates. Replacement may be cheaper than the breach.
- Franchisee compliance. If you're a franchisor, your franchisees' terminal security is your brand risk. Audit and enforce.
Next Steps
Basic security?
- Implement daily inspection → Use the checklist above
- Segment your network → Isolate payment systems
- Train your staff → What to look for, who to call
Upgrading security?
- Evaluate P2PE → E2EE vs P2PE
- Add monitoring → Network traffic, terminal health
- Regular audits → Monthly using the checklist
Had an incident?
- Start breach response → Breach Response Playbook
- Preserve evidence → Don't reset or wipe
- Contact processor → They'll guide investigation
See Also
- Card-Present Fraud - CP fraud patterns
- Card-Present Terminal Decisions - Choosing terminals
- E2EE vs P2PE - Encryption comparison
- PCI DSS Compliance - Compliance requirements
- Breach Response Playbook - Incident response
- Terminal Operations - Day-to-day terminal management
- Processor Management - Working with your processor