Taking payments by credit card is an essential part of modern commerce. Please review this article to understand the security measures you should take to protect cardholder data in your stores.



Payment Terminals


Crisp supports the following PCI-approved P2PE-certified payment terminals from Adyen:

  • Verifone P400 Plus (counter)

  • Verifone V400m (mobile)

  • Verifone e280 (mobile)


Adyen's P2PE solution is listed on the PCI Security Standards Council website under reference number 2020-01213.002: https://listings.pcisecuritystandards.org/popups/p2pe_sol_device.php?reference=2020-01213.002


Important:

Do not connect non-approved / non-listed cardholder data capture devices.


Do not change, or attempt to change, device configurations or settings without specific prior instruction from Crisp. Changing or attempting to change device configurations or settings invalidates the PCI-approved P2PE solution in its entirety, and may result in funds being withheld or services being suspended.


You must check your payment terminals on a regular basis to ensure the setup is still secure, in good working order and has not been tampered with. The section 'Inspection' contains additional information and an example process for conducting these regular checks.


If you experience any issues or have any questions regarding the installation, usage or inspection of payment terminals, contact Crisp immediately via the 'Up-to-date contact information' section below.






Up-to-date contact information:


Reaching out through your support chat on your POS or through your Crisp Dashboard will always ensure that you are reaching the Crisp team. 

You may also contact us by email at
support@crispnow.com

or 

it_security@crispnow.com


You can also reach us by phone; this is the best option for emergencies:
(385) 317-4006 (24/7 available)








Installation and Connection Instructions


Correct installation of the payment terminals is critical for a successful and secure deployment. Follow the instructions given by Crisp, which have a step-by-step explanation of the setup of each payment terminal type.


If you experience any issues while getting started or have any questions regarding the installation, contact Crisp immediately via the 'Up-to-date contact information' section above.


When selecting the appropriate locations to install the payment terminals, use the following guidelines:


Public access

Ensure that public access to the parts of the payment terminal required for payment processing, such as the PIN pad and card reader, is limited. You can achieve this by positioning the payment terminal towards the shopper under the supervision of an employee, while preventing other people from observing activities on the payment terminal.


Monitoring

Ensure that payment terminals are observed and/or monitored by authorized personnel. You can achieve this by having multiple staff present, by remote monitoring via CCTV or security cameras, or on premise via daily checks by authorized staff.


Environment

Ensure that the environment and position of the payment terminal deter any attempt to tamper with or compromise the payment terminal. You can achieve this for example through the use of appropriate lighting, and visible security measures. 


Also ensure that the shopper’s use of the PIN pad is not directly observable from any CCTV or security cameras. You can achieve this through the angle of placement of the payment terminal or through the use of PIN-entry privacy shields provided by the payment terminal vendor. CCTV or security cameras can provide additional insights into attempts to tamper with or compromise a payment terminal, especially if history of the video feed is retained for at least two payment terminal inspection periods.


Handling

Ensure that point-of-sale employees are instructed never to take, handle or otherwise obtain credit cards from end-customers, so that employees cannot illegally obtain card details. End-customers should always insert, tap or swipe their own card on the payment terminal. Additionally, employees must not work alone: other employees, including but not limited to a manager, must be on the premises to prevent potential misuse of end-customers' credit cards.


Unattended or remote devices

To minimize the likelihood of unnoticed tampering, ensure that payment terminals which are positioned in a remote or unattended location have additional safeguards. You can achieve this by adding physical mechanisms, such as toughened and tamper-evident housings or brackets. Also consider using monitoring and alarm facilities to detect attempts to tamper with the payment terminal.


Payment terminals used in stores need to be physically secured to prevent unauthorized removal or substitution. You can achieve this with a locking pole mount or tether. If a payment terminal cannot be physically secured, make sure there is an alternative way to detect unauthorized removal or substitution. This can be part of the regular site inspection: authorized staff validate that the serial number of the payment terminal is the same as originally received and that the payment terminal has not been removed.


Crisp will remind customers to carry out a local security check. Crisp recommends that you do a site inspection every three months. In these regular site inspections, an authorized staff member verifies that the payment terminals have not been altered. See the section 'Inspection' for more detailed instructions, and the example review log under 'Example Documents' at the bottom of this article. If alterations are found, or if you have questions, contact Crisp so that the system can be confirmed safe to continue in service. Crisp will document any incidents.

Sometimes payment terminals are not actively used, for example when they are being repaired, maintained, or updated. To prevent unauthorized physical access, you need to securely store those payment terminals in a locked room, a locked cabinet, or a safe. Ensure that only authorized staff members are able to access the securely stored payment terminals. 


Also ensure that payment terminals that are not in active use are included when a site inspection is performed. The inspection should include verifying that the stored payment terminal is still present.








Inspection


Crisp advises that you routinely inspect the payment terminals at your store. Additionally, Crisp will conduct random visits to assist with inspections and maintain a high level of security awareness among customers.


Carry out the following checks:


Visual inspection 

Verify weekly that the payment terminal is visually similar to the pictures shown in the Security Policy of the manufacturer (see the table below).


Physical inspection 

Inspect the payment terminal to identify potential physical tampering. For example, check the payment terminal for missing seals or screws, additional wires, holes in the device, addition of labels, etc. For detailed instructions, refer to the Security Policy of the manufacturer (see the table below).




Device model and Security Policy of the manufacturer:

Verifone V400m: https://listings.pcisecuritystandards.org/ptsdocs/4-30260Verifone_V400m_PCI_PTS_POI_Security_Policy_Rev_2.1-1576790305.41088.pdf

Verifone P400 Plus: https://listings.pcisecuritystandards.org/ptsdocs/4-10191Verifone_P400_PCI_PTS_POI_Security_Policy_Rev_2.1-1524251520.03427-1543588730.72836.pdf

Verifone e280: https://listings.pcisecuritystandards.org/ptsdocs/4-30336Verifone_e280_generic_PCI_PTS_POI_Security_Policy_Rev_2_1-1592586424.3758.pdf



For future auditing purposes, retaining a record of the payment terminal inspection could be helpful. Crisp recommends that you log terminal inspections using a review log similar to the example terminal log attached at the bottom of this article. The record should at least include the result of the visual inspection and the physical inspection for each individual payment terminal. If and when alterations are found, please report those immediately to Crisp via the contact information in the "up-to-date" contact info section above.
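The site-inspection checks described above (serial number matches the one originally received, device still present, stored devices included, three-month cadence) and the inspection record in the previous paragraph can be kept in a simple structured log and reconciled automatically. The script below is an added example and is not Crisp or Adyen code: the device models are the approved ones listed in this article, but the inventory, serial numbers, locations, dates, finding codes and the `check_inventory` function are constructed for illustration.

```python
"""Reconcile a payment-terminal inventory against its inspection log.

Added example, not part of Crisp's or Adyen's documentation. The approved
models are taken from the article; every serial number, location, date and
inspector name below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

APPROVED_MODELS = {"Verifone P400 Plus", "Verifone V400m", "Verifone e280"}
INSPECTION_INTERVAL = timedelta(days=90)   # the three-month cadence recommended above
TAMPER_CODES = {"MISSING", "SUBSTITUTED", "TAMPER_SIGNS", "UNLISTED_DEVICE"}


@dataclass(frozen=True)
class Device:
    model: str
    serial: str      # serial number as originally received from Crisp
    location: str    # where the device should be, e.g. "Counter 1"
    in_use: bool     # False = securely stored (repair, update, spare)


@dataclass(frozen=True)
class Inspection:
    inspected_on: date
    location: str
    serial_seen: Optional[str]   # None = no device found at that location
    visual_ok: bool              # matches the pictures in the manufacturer's Security Policy
    physical_ok: bool            # no missing seals/screws, extra wires, holes or added labels
    inspector: str


Finding = Tuple[str, str, str]   # (location, code, message)


def check_inventory(devices: List[Device], inspections: List[Inspection], today: date) -> List[Finding]:
    """Compare the latest inspection of each location with the inventory and return findings."""
    findings: List[Finding] = []
    latest: Dict[str, Inspection] = {}
    for insp in inspections:
        prev = latest.get(insp.location)
        if prev is None or insp.inspected_on > prev.inspected_on:
            latest[insp.location] = insp

    known_locations = {d.location for d in devices}
    for d in devices:
        if d.model not in APPROVED_MODELS:
            findings.append((d.location, "UNAPPROVED_MODEL", f"{d.serial}: {d.model} is not an approved device"))
        insp = latest.get(d.location)
        if insp is None:
            findings.append((d.location, "NEVER_INSPECTED", f"{d.serial} has no inspection record"))
            continue
        if today - insp.inspected_on > INSPECTION_INTERVAL:
            findings.append((d.location, "OVERDUE", f"last inspection on {insp.inspected_on}"))
        if insp.serial_seen is None:
            kind = "in-use" if d.in_use else "stored"
            findings.append((d.location, "MISSING", f"{kind} device {d.serial} not found (possible removal)"))
        elif insp.serial_seen != d.serial:
            findings.append((d.location, "SUBSTITUTED", f"found {insp.serial_seen}, expected {d.serial}"))
        if not (insp.visual_ok and insp.physical_ok):
            findings.append((d.location, "TAMPER_SIGNS", "visual or physical check failed"))

    # A device found at a location with no inventory entry was not supplied through this inventory.
    for loc, insp in latest.items():
        if loc not in known_locations and insp.serial_seen is not None:
            findings.append((loc, "UNLISTED_DEVICE", f"{insp.serial_seen} is not in the inventory"))
    return findings


# Constructed sample inventory and inspection log.
TODAY = date(2024, 6, 1)
DEVICES = [
    Device("Verifone P400 Plus", "P400-0001", "Counter 1", True),
    Device("Verifone V400m", "V400M-0002", "Floor mobile", True),
    Device("Verifone e280", "E280-0003", "Back-office cabinet", False),
]
INSPECTIONS = [
    Inspection(date(2024, 5, 28), "Counter 1", "P400-0001", True, True, "A. Manager"),
    Inspection(date(2024, 5, 28), "Floor mobile", "V400M-9999", True, False, "A. Manager"),
    Inspection(date(2024, 2, 1), "Back-office cabinet", None, True, True, "A. Manager"),
    Inspection(date(2024, 5, 28), "Counter 2", "UNKNOWN-7777", True, True, "A. Manager"),
]


def run_example() -> List[Finding]:
    return check_inventory(DEVICES, INSPECTIONS, TODAY)


if __name__ == "__main__":
    for location, code, message in run_example():
        print(f"{location}: {code}: {message}")
        if code in TAMPER_CODES:
            print("  -> take the device out of service, label it as compromised and report to Crisp")
```

Running the sample flags a substituted and physically tampered mobile terminal, a stored device that is both missing and overdue for inspection, and an unlisted device on a counter that has no inventory entry; the counter terminal with a clean, recent inspection produces no finding. Any `MISSING`, `SUBSTITUTED`, `TAMPER_SIGNS` or `UNLISTED_DEVICE` finding should trigger the tamper-response steps listed below.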



Steps to take, if evidence is found that indicates the payment terminal was tampered with:


1. Do not use the payment terminal for payment processing anymore.

2. Remove the payment terminal from the shopper facing part of the store, to avoid any payment processing.

3. Report any tampering with payment terminals immediately to Crisp via the up-to-date contact information.

4. Clearly label the payment terminal as compromised, to avoid any misunderstanding which could result in the payment terminal being used in the store.

5. Return the payment terminal to Crisp as instructed.

6. Keep a record of returning the payment terminal.



Third-party access to payment terminals:


Payment terminal issues are mostly handled centrally without the need for on-site support. In rare cases there can be a valid reason for a technical support engineer to provide on-site support. We will discuss with you whether this is the case. Crisp, or a recognized field service partner of Crisp, will confirm the name and expected arrival date of the technical support engineer beforehand.

When the technical support engineer has arrived, take the following precautions:


- Validate the identity of the technical support engineer by a government-issued identification document before granting access to the payment terminal.

- Unexpected and unidentified personnel must be denied access to the payment terminal.

- Escort and monitor the technical support engineer when access to the payment terminals is granted.

- Record any access to the payment terminal, making sure the record includes the name of the support engineer, reason for access, and date/time of arrival and departure.








P2PE Encryption Issues


The listed payment terminals encrypt sensitive account data. If an encryption error occurs, the transaction is automatically declined. 


Crisp, in collaboration with Adyen, continuously monitors for encryption or decryption issues. Report issues immediately to Crisp via the 'Up-to-date contact information' section above.


In case of an encryption or decryption error, Crisp investigates the cause. One of the conclusions of the cause analysis may be to replace the payment terminal. In this case, Crisp will inform you. 


Instructions for troubleshooting a POI device


If a payment terminal becomes faulty during operation, you can find a resolution for the most common errors on the Crisp help website. See: https://help.crispnow.com/support/solutions/articles/48001077435-crisp-troubleshooting-guide-download-.


Find a step-by-step description on how to install, update, and configure payment terminals here



Moreover, the Crisp help website explains how to troubleshoot the most common issues. If you cannot resolve the issue using the Crisp help website, you can contact Crisp via the contact details provided in the "up-to-date contact info" section of this article.







Incident Response Plan


Attached to this article you'll find an Incident Response Plan. Crisp recommends that the document, or one like it, is filled out, printed and displayed at the POS location where it is visible to all employees (for instance in the back office).


Please check regularly (at least annually) if the contact information is still valid.







Additional Documentation


Additional resources regarding the installation, use and inspection of payment terminals:


Adyen P2PE Instruction Manual: https://www.adyen.com/legal/p2pe-instruction-manual


Security Policies of the payment terminal manufacturer:


Verifone V400m

https://listings.pcisecuritystandards.org/ptsdocs/4-30260Verifone_V400m_PCI_PTS_POI_Security_Policy_Rev_2.1-1576790305.41088.pdf

Verifone P400 Plus

https://listings.pcisecuritystandards.org/ptsdocs/4-10191Verifone_P400_PCI_PTS_POI_Security_Policy_Rev_2.1-1524251520.03427-1543588730.72836.pdf

Verifone e280

https://listings.pcisecuritystandards.org/ptsdocs/4-30336Verifone_e280_generic_PCI_PTS_POI_Security_Policy_Rev_2_1-1592586424.3758.pdf









Example Documents


Example Payment Terminal Device Log (Example Terminal Log.pdf)

Use this document to record the result of the visual and physical inspection of each individual payment terminal, as described in the section 'Inspection', and keep the completed log for future auditing purposes.




Incident Response Plan (IRP_TamperedPaymentTerminals.pdf)

You can fill out and hang this document somewhere in your store where employees will see it regularly. This document provides instructions to employees on what they should do if they suspect that a payment device has been tampered with.