The Payment Card Industry Security Standards Council has removed two Ingenico S.A. PIN pads from the list of approved PIN-entry devices following reports they are susceptible to breaches.
Visa Inc. alerted its members that the Ingenico i307MP01 and i307EP01devices had been used in tampering and skimming attacks to capture PIN and magnetic-stripe card data, according to a Visa letter obtained by PaymentsSource. They are no longer approved for new installations, the letter says.
Approximately 2,000 of these devices were compromised in Australia, Brazil and Canada, the Visa letter states.
Fraudsters removed the PIN pads from the merchant countertops so they could open the devices and install skimming devices. Most of the time, the devices were removed within approximately a minute. Once the fraudsters had the devices at their locations, they were able to install the skimming equipment without triggering the device’s security switches, Visa says.
It is technically possible that chip data from EMV payment cards could have been retrieved, but there is no evidence that data was targeted, the letter says.
Typically, the fraudsters operated after a merchant’s busiest period when there was minimal customer traffic or employee supervision, Visa says.
In a statement, Visa says it is aware of the removal of the Ingenico devices from the approved list and that “several versions of Ingenico terminals have come under review for potential compromise vulnerabilities.”
Visa advises merchants using these devices to inspect them to ensure they have not been tampered with, to fasten them in place and to ensure the identities of repair technicians, among other measures.
Inquiries made to Ingenico were not returned by PaymentsSource’s deadline.
Additionally, PIN-entry devices from Hypercom Corp.—the S7S and S8— and VeriFone Systems Inc.—PINpad 101, 201 and 2000—could not be used on Visa’s network after July 1, according to a publicly released Visa bulletin. Visa says these devices are untested and unapproved by the PCI council.