Via the PCI Guru blog I see quite a few Lucky Supermarket stores have been hit with a wave of card skimmers attached (somehow; no one is clear on the details) to the self-checkout devices. The PCI Guru author lists a lot of good detail about physical controls around devices like these and gas pumps, specifically about access to the innards of these devices.
When my bank, or more specifically the ATM that I use most of the time, was updated with a new model in the last few years, I was extremely distraught at the garish, plasticky, piecemeal face of the device. In the past, my ATMs of choice have all had a pretty solid panel with an entirely matching front and pretty predictable angles and lines. I should snap a picture of this new one, because it’s awful, has various colors and textures, and on quick inspection looks as if lots of pieces were added on after the fact. It makes me feel dirty every time I use it.
It can’t be used as a PCI control, but weight should be given to whether customers (and any employee) can see at a glance that something is wrong or out of place. Even the Verizon DBIR shows that detection through suspicion deserves weight, given how often a third party notifies a breached org or someone simply notices something weird or out of place. However, this is all defeated if an attacker can get to the innards of the device and place their gear there, out of sight of everyone, which is why the physical controls on the device interior matter so much.
The same reasoning applies to hardware keyloggers attached to computers. It’s one thing to detect them digitally, but how often do important users check the back of their systems?
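One way to do the "digital" side of that check, as an added example that is not from the original post: take a baseline of the USB topology on a known-clean machine and diff later snapshots against it. An inline USB keylogger usually does not change the keyboard's vendor/product ID, but it does change where the keyboard sits in the tree (the keyboard ends up behind a new hub on the port it used to occupy). The script below parses the tree form of `lsusb -t` (Linux usbutils); the two trees are constructed sample output, not captured from a real host, and the function and finding names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Devices are keyed by physical path (bus, then port numbers down the tree),
# not by VID:PID, because an interposed keylogger keeps the keyboard's
# identity and only changes the topology.
ROOT_RE = re.compile(r"^/:\s+Bus (\d+)\.Port (\d+): Dev \d+, Class=(\w+)")
NODE_RE = re.compile(r"^(\s*)\|__ Port (\d+): Dev \d+, If (\d+), Class=([^,]+)")

Path = Tuple[str, ...]
HID = "Human Interface Device"

# Constructed sample: baseline taken on a clean machine, keyboard on bus01/port2.
BASELINE_TREE = """\
/:  Bus 02.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/4p, 5000M
/:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/4p, 480M
    |__ Port 2: Dev 3, If 0, Class=Human Interface Device, Driver=usbhid, 1.5M
    |__ Port 4: Dev 4, If 0, Class=Human Interface Device, Driver=usbhid, 12M
    |__ Port 4: Dev 4, If 1, Class=Human Interface Device, Driver=usbhid, 12M
"""

# Constructed sample: same machine later. The keyboard now hangs off a hub on
# port 2 (an interposed device), and an extra HID device appeared on port 3.
CURRENT_TREE = """\
/:  Bus 02.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/4p, 5000M
/:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/4p, 480M
    |__ Port 2: Dev 5, If 0, Class=Hub, Driver=hub/2p, 12M
        |__ Port 1: Dev 6, If 0, Class=Human Interface Device, Driver=usbhid, 1.5M
    |__ Port 3: Dev 7, If 0, Class=Human Interface Device, Driver=usbhid, 1.5M
    |__ Port 4: Dev 4, If 0, Class=Human Interface Device, Driver=usbhid, 12M
    |__ Port 4: Dev 4, If 1, Class=Human Interface Device, Driver=usbhid, 12M
"""


def parse_lsusb_tree(text: str) -> Dict[Path, str]:
    """Map each device's physical path to its USB class from `lsusb -t` output."""
    devices: Dict[Path, str] = {}
    stack: List[str] = []
    for line in text.splitlines():
        m = ROOT_RE.match(line)
        if m:
            stack = [f"bus{m.group(1)}"]
            devices[tuple(stack)] = m.group(3)
            continue
        m = NODE_RE.match(line)
        if not m:
            continue
        depth = len(m.group(1)) // 4          # lsusb -t indents 4 spaces per hub level
        stack = stack[:depth] + [f"port{m.group(2)}"]
        if m.group(3) == "0":                 # one entry per device, not per interface
            devices[tuple(stack)] = m.group(4).strip()
    return devices


def _fmt(path: Path) -> str:
    return "/".join(path)


def compare(baseline: Dict[Path, str], current: Dict[Path, str]) -> List[str]:
    """Report topology changes that matter for an inline keylogger check."""
    findings: List[str] = []
    interposed: List[Path] = []
    # The signature of an inline keylogger: a port that held a HID device now
    # holds a hub, with a HID device somewhere beneath it.
    for path, cls in baseline.items():
        if cls == HID and current.get(path) == "Hub":
            downstream = sorted(p for p, c in current.items()
                                if len(p) > len(path) and p[:len(path)] == path and c == HID)
            if downstream:
                interposed.append(path)
                findings.append(f"INTERPOSED: {_fmt(path)} was a HID device, "
                                f"now a hub with HID at {_fmt(downstream[0])}")
    # Anything else new that is a hub or HID device is worth a look; devices
    # already covered by an INTERPOSED finding are not reported twice.
    for path, cls in sorted(current.items()):
        if path in baseline or any(path[:len(i)] == i for i in interposed):
            continue
        if cls in ("Hub", HID):
            findings.append(f"NEW: {cls} at {_fmt(path)}")
    for path, cls in sorted(baseline.items()):
        if path not in current:
            findings.append(f"MISSING: {cls} at {_fmt(path)}")
    return findings


def audit(baseline_text: str, current_text: str) -> List[str]:
    return compare(parse_lsusb_tree(baseline_text), parse_lsusb_tree(current_text))


if __name__ == "__main__":
    for finding in audit(BASELINE_TREE, CURRENT_TREE):
        print(finding)
```

In use, the baseline text would be the saved output of `lsusb -t` from the clean build, and the current text a fresh run. The check only sees devices that enumerate: a passive tap that sniffs the data lines without presenting itself to the host, a PS/2 inline logger, or a device built to mimic the original keyboard's exact topology and IDs will not appear, which is exactly why the physical look behind the machine still has to happen.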