When using a Qgiv card reader or kiosk, it's important to keep donors' payment information secure by ensuring your devices are operating properly and haven't been tampered with. This list of best practices for card reader security can help!
If you have any concerns about the security of your card reader or kiosk, don't hesitate to contact us at support@qgiv.com or 888-855-9595. It's always better to be safe than sorry!
How Criminals Can Tamper With Devices
Criminals attempt to steal cardholder data by stealing and/or manipulating card-reading devices and terminals. For example, they will try to steal devices so they can learn how to break into them, and they often try to replace legitimate devices with fraudulent devices that send them payment card information every time a card is entered.
Criminals will also try to add skimming components to the outside of devices, which are designed to capture payment card details before they even enter the device. In this way, transactions may still be completed without interruption while the criminal is skimming the payment card information during the process.
Criminals will often pose as authorized maintenance personnel in order to gain access to devices. All third parties requesting access to devices should always be verified before being provided access—for example, by checking with management or calling Qgiv for verification. Many criminals will try to fool personnel by wearing maintenance uniforms and carrying tools, and could also be knowledgeable about locations of devices, so it’s important personnel are trained to follow procedures at all times.
Another trick criminals like to use is to send a new system with instructions for swapping it with a legitimate system and “returning” the legitimate system to a specified address.
What You Can Do
You can take the following steps to guard against tampering and substitution of any device that captures payment card data through direct physical interaction with the card.
- Maintain a list of all devices containing a card reader
  - Include the location of the device
  - Include the make/model of the device (Qgiv card reader or kiosk)
  - Device serial number or other method of unique identification
  - Select a sample of devices from the list and observe devices and device locations to verify the list is accurate and up to date
  - Interview personnel to verify the list of devices is updated when devices are added, relocated, decommissioned, etc.
Regular inspections of devices will help you more quickly detect tampering or replacement of a device. The type of inspection will depend on the device—for example, photographs of devices that are known to be secure can be used to compare a device’s current appearance with its original appearance to see whether it has changed.
Another option may be to use a secure marker pen, such as a UV light marker, to mark device surfaces and device openings so any tampering or replacement will be apparent. Criminals will often replace the outer casing of a device to hide their tampering, and these methods may help to detect such activities.
- Periodically inspect your devices for tampering or substitution (before each church service or event, for example)
  - Examine documented procedures to verify processes are defined to include the following:
    - Procedures for inspecting devices
    - Frequency of inspections
  - Interview responsible personnel and observe inspection processes to verify:
    - Personnel are aware of procedures for inspecting devices
    - All devices are periodically inspected for evidence of tampering and substitution
- Train personnel to be aware of suspicious behavior and to report tampering or substitution of devices, including training on the following:
  - Verifying the identity of any third-party persons claiming to be repair or maintenance personnel
  - Not installing, replacing, or returning devices without verification
  - Being aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices)
  - Reporting suspicious behavior and indications of device tampering or substitution to appropriate personnel, who should then contact the Qgiv Customer Experience team at support@qgiv.com or 888-855-9595
Qgiv Devices
The following photos show a Qgiv kiosk and the three types of card readers we offer. Check around your device for evidence of tampering, especially around the card swiping areas.
Kiosk
Lightning card reader
USB card reader
Bluetooth card reader
Make sure your security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties!