Credit Card Reader Daily Inspection and Monthly Audit Policy

Published:
April 22, 2025

What You Need To Know

Purpose: To outline the required steps to be taken for daily inspection of Credit Card Reader (CCR) devices and instructions for documentation of daily inspection and monthly audit results.

Daily Inspection Procedure:

  • All CCR devices must be inspected daily before the start of shift.
  • Assigned team members must examine the CCR device that accepts credit and debit card payments daily by inspecting for anything abnormal. Examples might be, but are not limited to: skimmers on the insert or swipe slot (used to collect data from the magnetic stripe of a credit or debit card), keyloggers (a piece of software or a hardware device — that logs every key you press on your keyboard), missing, damaged orbroken seals, damage to the device, damage to external cable or broken port or other materials that could mask damage or tampering.
  • Team members should inspect the CCR PIN-entry devices (PED) daily. Checking for the following:
    • CCR device and PED are in its documented location
    • CCR device’s manufacturer name, model and serial number are correct
    • The color and condition of the CCR device is as expected with no additional marks, or scratches, especially around the seams of the terminal window display
    • The manufacturer’s security seals and labels present with no signs of peeling or tampering
  • The number of connections to the CCR device are as documented, with the same type of color cables, and with no loose wires or broken connectors
  • All CCR devices should be unplugged and secured in a locked drawer at the end of each business day unless mounted or video surveillance is available for the registration desks.
  • Control CCR device and PED access by service support representatives. Allow only validated and authorized service personnel to access CCR devices and PED’s.
  • Unauthorized or unexpected individuals should not be allowed access to the CCR device.
  • Ensure that only authorized support personnel are escorted and monitored at all times while attending the equipment.
  • Administrators/Managers must submit incident reports on ONElink if any signs of device tampering are identified immediately. Notify cash reconciliation and/or finance team.
  • Each month the custodian of the CCR device shall complete the mandatory credit card device inspection attestation (Audit).

Remote Device Use:

  • All team members, contractors, and authorized personnel remotely processing payment card data should use a secure Wi-Fi network. This network should be encrypted using WPA2/WPA3 (open/unsecured networks are prohibited), secured with a strong, unique password (no default passwords), and preferably be a company-provided connection (e.g., VPN). Processing payment card data on public Wi-Fi is strictly prohibited.

Monthly Audit Procedure for Mandatory Credit Card Reader Attestation:

  • All CCR custodians and their managers will receive an email the first Tuesday of each month to initiate the audit. The email will be from “credit_card_reader_audit@hmhn.org” and the subject will be {External}.
  • All team members, contractors, and authorized personnel remotely processing payment card data should use a secure Wi-Fi network. This network should be encrypted using WPA2/WPA3 (open/unsecured networks are prohibited), secured with a strong, unique password (no default passwords), and preferably be a company-provided connection (e.g., VPN). Processing payment card data on public Wi-Fi is strictly prohibited.
  • Every machine listed in the Custodian CCR Audit Tool under the “My Credit Card Readers” icon (the second icon found in the left hand menu list) must be audited every month.
  • Physical inspection instructions:
    • The following are required to be checked for evidence of tampering/surveillance:
      • Serial number sticker
      • All screws (top, bottom, side)
      • Mounting
      • “Skimmer" - on card insert or swipe slot
      • All wire connections
      • Surrounding location for cameras, Smartphones or other recording devices in proximity to and/or directed at the CCR
    • Check CCR for overall functionality:
      • Keypad wear and tear or irregularities
      • Wire connections
      • Clarity of screen (where applicable)
  • Upon completion of inspection, CCR Custodians are required to complete entries for all audit elements in the Appsheet.

Updating the Inventory Using Appsheet:

  • CCR Custodians are required to attest to the credit card reader inspection monthly and update the inventory database
  • CCR Custodians and Custodian Managers will receive a monthly email with a link to credit card reader audit tool dashboard where updates can be made to assigned inventory based on audit results
  • If CCR Custodians do not receive a notification, please contact your supervisor to either update your information as the custodian or confirm that you are listed as the custodian