Policy Statement
All users of Opta Pay are responsible for safeguarding their POS (Point-of-Sale) Terminals
and PIN pads (hereinafter "payment devices"), and must comply with the safeguarding parameters and
standards defined in this Policy. Any payment devices found or believed to be tampered with
and/or otherwise suspicious should be reported immediately to Lucus Labs by sending an email
to security@lucuslabs.com and by calling the phone number at the top of this page.
Reason for Policy
The routine inspection of payment devices for identifying possible tampering is one of several
primary safeguards employed to protect cardholder data. If a payment device is compromised,
any credit/debit cards used with that payment device after the compromise should also be considered
as being compromised.
The parameters in this policy are designed to comply with legal and regulatory standards,
including, but not limited to, the Payment Card Industry Data Security Standard (PCI DSS).
Entities Affected by this Policy
All Opta Pay users, whether employees or merchants of Lucus Labs, using payment devices that make
contact with customers' credit cards for taking payments.
Responsibilities
Device owners and operators (including, but not limited to, cashiers & clerks) are required to
inspect payment devices on a daily basis for any tampering or unapproved / unexpected replacement of Terminals,
POSs, and other payment devices that are used to read credit cards. The list below outlines steps to
inspect and protect payment devices from tampering or replacement by any unauthorized parties:
- Before a payment device is brought online for any shift, the payment device's ID / Serial Number should be
  verified. This is done by comparing the Serial Number of the payment device with the serial numbers
  recorded in Opta Pay and/or the POS Inventory list stored on file by the Merchant.
- Devices not in use should be stored in a secure location with minimal access and only accessible
  by authorized personnel.
- Only authorized personnel should be allowed access to any POS, Terminal, PIN pad, or other hardware
  payment device.
- Merchants should document the date, time, and name of the individual(s) who are provided
  access to any device.
- Employees should inspect all payment devices for physical tampering daily or at the beginning
  of their shift.
- Check for signs that the screen, keypad, magnetic swipe, chip reader, and NFC surfaces have
  been altered in any way or show signs of tampering (such as previously unknown scratch
  marks around the edges or missing screws).
- In the event a payment device requires repair or replacement, contact us by calling the number
  at the top of this page or by sending us an email, at which point we will work with you and
  the vendor to repair or replace the device at the Merchant's expense.
- Promptly report any suspicious behavior, including suspicion of attempted tampering of a device,
  unplugging of cables, scratching, etc., to a manager, and follow the steps below for reporting a
  suspected device compromise.
Unattended Payment Devices
Unattended payment devices pose a high risk and must be avoided at all times. Leaving payment devices
unattended could lead to consequences including, but not limited to, the following:
- stolen / compromised payment devices;
- a good payment device being swapped for a compromised device running malware or other malicious code;
- service personnel posing as technicians tampering with a payment device and exchanging it with a malicious device; or
- added overlays with skimming and key-logging capabilities,

all of which could lead to stolen / compromised cardholder data.
Payment Device Checklist
To minimize the risk of unauthorized individuals tampering with a payment device, the following checklist should
be verified regularly (at least daily):
- Is the payment device in its designated / intended / original location?
- Is the payment device name and model number / serial number correct?
- Do they match those on file on-site and with Opta Pay?
- Is the color and condition of the payment device as expected, with no additional marks or scratches (around
  seams or terminal window display)?
- Is the payment device missing any screws?
- Are the manufacturer's security seals and labels present with no signs of peeling or tampering?
- Is the number of connections to the payment device as expected, with the same type and color of cables, and
  with no loose wires or broken connections?
- Is the payment device only being used by authorized personnel?
- Are there any payment devices located where an additional or unauthorized camera or NFC equipment could be hidden near the payment device?
- Are there any unauthorized electronic devices (such as phones, tablets, etc.) located near the payment device?
- Has there been any suspicious behavior around the payment device while it was unattended?
Reporting a Suspected Device Compromise
If you believe a hardware device or customer payment card has been compromised, promptly notify any
of the following support teams:
- Opta Pay Security
- Opta Pay Support

You can also notify us from our website at https://optapay.com/#contact
Filing or reporting a security incident can always be done without fear of, or concern about, retaliation.