Merchant POS Compromise Checklist
A four-phase incident response checklist for merchants who suspect POS terminal tampering — from immediate isolation to regulatory notification.
Last Updated: February 2026
For use when you suspect a POS terminal has been tampered with or your payment systems may have been compromised.
First action: Do not process further card transactions on the suspected terminal. Do not clean or power off the terminal. Call your acquiring bank's fraud/compromise line immediately.
PHASE 1: IMMEDIATE (Within 30 Minutes of Discovery)
Step 1: Take the Suspected Terminal(s) Offline
- Stop processing card transactions on the terminal immediately
- Do NOT power it off (unless instructed by acquirer — forensic data may be lost)
- Do NOT clean or tamper with the terminal
- If an attached device (skimmer/overlay) is visible: do not remove it — it is evidence
- Redirect customers to a different terminal or to cash
Step 2: Call Your Acquiring Bank
- Call the acquirer's fraud/compromise notification line (from your merchant agreement)
- Have ready: your merchant ID, terminal ID, and a description of what was found
- Ask for: incident reference number (record it)
- Follow their guidance — they may instruct you not to process any cards until investigation is complete
Step 3: Preserve CCTV Footage
- Immediately back up CCTV footage from the relevant period:
  - The previous evening / overnight (most likely installation window)
  - Any time during the day when staff attention may have been divided
- Note: CCTV systems often loop and overwrite — act within hours to preserve footage
- Do not allow footage to be deleted, reviewed without documentation, or shared with anyone other than law enforcement or your acquirer
Step 4: Call Local Law Enforcement
- File a police report
- Provide: terminal location, ID, time of discovery, description of what was found
- Note: your acquirer and potentially your data protection authority may require the crime reference number
PHASE 2: INVESTIGATION SUPPORT (Within 24 Hours)
Step 5: Establish the Compromise Window
- Check your daily inspection records — when was the terminal last verified as clean?
- The window between the last clean check and discovery = your compromise period
- Pull transaction logs for the compromise period — this is your approximate scope of affected cards
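One way to work out the Step 5 compromise window and transaction scope, as an added example that is not part of the original checklist. The CSV column names, terminal IDs, the `not_checked` result value and the card tokens are constructed assumptions, not any acquirer's or POS vendor's export format.

```python
import csv
import io
from datetime import datetime

# Constructed sample data; column names and values are assumptions for illustration.
INSPECTIONS = """terminal_id,checked_at,result
T-001,2026-02-09T08:05:00,clean
T-001,2026-02-10T08:10:00,clean
T-001,2026-02-11T08:02:00,not_checked
T-002,2026-02-11T08:04:00,clean
"""
TRANSACTIONS = """terminal_id,timestamp,card_token
T-001,2026-02-10T07:55:00,tok_a
T-001,2026-02-10T12:30:00,tok_b
T-001,2026-02-11T09:15:00,tok_c
T-001,2026-02-11T16:40:00,tok_b
T-002,2026-02-11T10:00:00,tok_d
T-001,2026-02-12T09:30:00,tok_e
"""

def compromise_window(inspections_csv, terminal_id, discovered_at):
    """Return (last clean check, discovery); start is None if no clean check is on record."""
    clean = [
        datetime.fromisoformat(r["checked_at"])
        for r in csv.DictReader(io.StringIO(inspections_csv))
        # Only a recorded "clean" result counts; a skipped check does not narrow the window.
        if r["terminal_id"] == terminal_id and r["result"] == "clean"
    ]
    clean = [t for t in clean if t <= discovered_at]
    return (max(clean) if clean else None, discovered_at)

def transactions_in_window(transactions_csv, terminal_id, window):
    """Transactions on the terminal inside the window; no start means all earlier ones are in scope."""
    start, end = window
    rows = []
    for r in csv.DictReader(io.StringIO(transactions_csv)):
        ts = datetime.fromisoformat(r["timestamp"])
        if r["terminal_id"] == terminal_id and (start is None or ts >= start) and ts <= end:
            rows.append(r)
    return rows

if __name__ == "__main__":
    discovered = datetime(2026, 2, 11, 17, 0)
    window = compromise_window(INSPECTIONS, "T-001", discovered)
    in_scope = transactions_in_window(TRANSACTIONS, "T-001", window)
    print("Compromise window:", window[0], "to", window[1])
    print("Transactions in scope:", len(in_scope))
    print("Distinct cards in scope:", len({r["card_token"] for r in in_scope}))
```

In the sample data the inspection on the morning of discovery was skipped, so the window reaches back to the previous day's clean check rather than starting that morning.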
Step 6: Review All Terminals
- Inspect ALL other terminals in your location using the 7-point visual check (see "POS Terminal Tampering: How to Inspect Your Devices Every Day")
- Verify serial numbers of all terminals against your asset register
- Check cables and connections for any unfamiliar devices
Step 7: Document Everything
- Written description of what was found, by whom, at what time
- Photographs of the terminal and surrounding area (do not touch the device itself)
- Staff statements — who was present, what they observed, any unusual visitor activity
- Transaction logs from the compromise period
- Record of all actions taken, in order, with timestamps
Step 8: Check for Other Entry Points
- Review network connections to your payment terminals — any unfamiliar devices?
- Check your broadband router and any connected equipment for unfamiliar additions
- If you use remote management or remote access tools for your POS system — review access logs
PHASE 3: REGULATORY AND NOTIFICATION OBLIGATIONS (Within 72 Hours)
Step 9: Assess Data Exposure
- In consultation with your acquirer: determine approximately how many cards may have been at risk
- Note: your acquirer will typically lead on card scheme notification (Visa/Mastercard have their own compromise alert processes)
Step 10: Data Protection Notification (GDPR — EU/UK Merchants)
Under GDPR, a personal data breach must be reported to your data protection supervisory authority within 72 hours of becoming aware of it, IF it is likely to result in a risk to the rights and freedoms of individuals.
- Assess: is card data considered personal data that was breached? (Yes, in most interpretations)
- Notify your data protection officer (DPO) if you have one
- Notify your national data protection authority within 72 hours if required
  - UK: ICO — ico.org.uk (report a breach)
  - EU: Your national Data Protection Authority
- Assess whether affected customers must be notified — seek legal advice if uncertain
Step 11: Customer Notification
- Await guidance from your acquirer and legal counsel on whether and how to notify customers
- If required: notify customers that their card data may have been at risk during the identified period, advise them to monitor their accounts and contact their bank
PHASE 4: REMEDIATION AND PREVENTION (Post-Investigation)
Step 12: Replace Compromised Terminals
- Replace compromised terminals only with certified, verified hardware from your acquirer or payment provider
- Verify serial numbers of replacement terminals against documentation before deploying
- Do not reuse compromised terminals
Step 13: Strengthen Your Security
- Review and update your daily terminal inspection procedure
- Implement a formal asset register if you do not already have one
- Add serial number verification to your daily opening checklist
- Update your staff training — particularly on visitor verification procedures
- Consider additional physical security measures: terminal mounting, access control
- Review your PCI DSS compliance status — consider a fresh assessment (see "POS Security for Merchants: The Complete Guide")
Step 14: Review and Update Your Incident Response Plan
- Document lessons learned
- Update your written incident response procedure
- Circulate to all relevant staff
QUICK REFERENCE: KEY CONTACTS
| Contact | Who to Call | When |
|---|---|---|
| Acquiring bank fraud line | [Your acquirer's number from merchant agreement] | Immediately on discovery |
| Local police | Emergency or non-emergency as appropriate | Immediately |
| Data protection authority | ICO (UK) / national DPA (EU) | Within 72 hours if personal data breached |
| Card schemes | Via your acquirer | Your acquirer initiates |
| Legal counsel | Your solicitor/lawyer | If customer notification or significant liability involved |
SIGNS THAT TRIGGERED THIS CHECKLIST
Use this section to record your initial findings:
- Visual tamper: describe what was seen
- Customer complaint about charge: date, amount, card used
- Serial number mismatch: terminal ID, registered vs found number
- Unusual transaction pattern in logs: describe
- Other: describe
This checklist provides general guidance. Your acquirer's specific instructions take precedence. Seek legal advice for regulatory notification obligations.