We learn in science class matter is generally made up of three states - liquid, solid, and gas. Water, for example, can easily take each of those states in nature - rain, ice, clouds.
Today I want to talk about this concept of state, applied to credit card device inspection.
When thinking about inspecting point-of-sale devices and credit card terminals to comply with PCI DSS requirement 9.9, one major consideration is the state (defined as the particular condition that the device is in at a specific time) of the device.
The major states to keep in mind are:
- In Use
- Not In Use
- Under Maintenance
In Use
A device can be considered "In Use" if it is available for consumers/cardholders to interact with. The vast majority of our devices will be "In Use" for most of their life cycle. Hopefully that's not a surprise. Unless you are a device manufacturer, why would we have a warehouse full of payment devices just sitting around?
In Use devices should be inspected on the regular cadence established based on the location risk (as described here).
Not In Use
These are devices that are part of our inventory, but are not available to be used by customers. Devices can be "Not In Use" for a few different reasons:
- They are in a central storage facility waiting to be shipped to stores
- They are being kept as backup devices if any of the In Use devices fail in the store itself
- They have broken or failed and are beyond repair
Not In Use devices should be inspected before being put into use (for example, adding a new device from storage). This validates that it is actually a device from our inventory and that no tampering occurred while the device was not in use.
They should also be inspected as they are being taken out of use (for example, swapping out a broken device or removing a checkout lane). This way we ensure no tampering has occurred before the device is put into storage, or we document its condition one final time before retiring it.
This final inspection is especially important for devices that fall in the P2PE realm.
Under Maintenance
This state runs from the point where maintenance has been requested on a device until repairs are made or the device is removed (because it can't be repaired).
Knowing whether or not a device is Under Maintenance is an important consideration. In the past, fraudsters have impersonated maintenance staff to swap out good terminals for bad ones or attach skimming devices.
Two things can combat this tactic. First, training our front-line staff to be curious and to ask questions if someone claims to be maintaining devices. Second, giving them an easy mechanism by which a specific device can be quickly and immediately validated as Under Maintenance. If validating a device requires a call to the HelpDesk, which requires someone walking half-way across the store, picking up a phone, authenticating themselves, and asking a human a question to which the human has to ... You get it, we've lost the battle. It just won't happen.
Devices that are Under Maintenance should be inspected upon completion of the maintenance before being put back In Use. This will ensure that no tampering or substitution occurred during the repair.
Going back to the example of physical matter, let's talk for a second about rain. Rain is water in a liquid physical state that is falling from the sky. If I see that the status of the weather outside is "it's raining," I'm going to grab an umbrella.
Similarly, we want to be aware of the device's status as it relates to compromise, so we can take appropriate action.
Most of the time, a device's status will be normal - otherwise we have bigger problems! But there may be a time when there is suspicion that a device has been tampered with, substituted, or has had a skimming device added. This leads to two different statuses we want to monitor:
- Suspected Compromised
- Confirmed Compromised
If we have staff who are not security experts performing inspections (which I recommend, more here), allowing them to mark devices as "Suspected Compromised" during an inspection enables them to note any suspicious findings for our security experts to confirm or dismiss.
A device that is Suspected Compromised should be fully investigated as quickly as possible, since we don't want our customers using a device that is actually compromised. We want to consider this carefully as we write corporate policy, to ensure it covers whether or not suspect devices are removed from service and what an acceptable response time is for addressing these alerts.
If a security expert (or other staffer with the expertise to declare a device compromised) has validated a Suspected Compromised alert, our fraud security plan should be put into action immediately.
Here, we'll want to rely on our organization's fraud security policy. Depending on what that policy states, we may want to remove the device from use immediately, or potentially work with local and federal police to try and catch the fraudsters behind the tampering.
If there is no policy in place, Visa has a great resource on what to do if there is a compromise.
By using and tracking the above states and statuses on all of our devices as part of our inspections, we can be sure we're not over- (or under-) inspecting, which saves time, effort, and money for our organization.
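To make the state and status rules above concrete, here is a small inventory tracker that enforces the inspection points the post describes: routine cadence only for In Use devices, an inspection before a device enters In Use (from storage or after repair) and when it leaves In Use, a quick "is this device really Under Maintenance?" lookup for front-line staff, and the Suspected/Confirmed Compromised hand-off between inspectors and security experts. This is an added example, not code from the original post; the cadence numbers per risk tier, the `REMOVE_SUSPECT_FROM_SERVICE` policy flag, the ticket format and the device serial are all constructed assumptions.

```python
"""Added example: device state/status tracker for PCI DSS 9.9 inspections."""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Optional


class State(Enum):
    IN_USE = "In Use"
    NOT_IN_USE = "Not In Use"
    UNDER_MAINTENANCE = "Under Maintenance"


class Status(Enum):
    NORMAL = "Normal"
    SUSPECTED = "Suspected Compromised"
    CONFIRMED = "Confirmed Compromised"


# Assumed cadence (days between routine inspections) per location risk tier.
# The post only says cadence follows location risk; these numbers are illustrative.
CADENCE_DAYS = {"high": 7, "medium": 30, "low": 90}

# Assumed corporate policy choice: pull Suspected Compromised devices out of service.
REMOVE_SUSPECT_FROM_SERVICE = True


@dataclass
class Device:
    serial: str
    location_risk: str
    state: State = State.NOT_IN_USE
    status: Status = Status.NORMAL
    last_inspected: Optional[date] = None
    maintenance_ticket: Optional[str] = None
    log: list = field(default_factory=list)   # (date, kind, detail, extra)


def record_inspection(dev: Device, on: date, finding: str = "ok") -> Status:
    """Log an inspection. Any non-"ok" finding from front-line staff flags the
    device Suspected Compromised for a security expert to confirm or dismiss."""
    dev.last_inspected = on
    dev.log.append((on, "inspection", dev.state.value, finding))
    if finding != "ok" and dev.status is Status.NORMAL:
        dev.status = Status.SUSPECTED
    return dev.status


def expert_review(dev: Device, confirmed: bool) -> Status:
    """A security expert resolves a Suspected Compromised alert."""
    if dev.status is Status.SUSPECTED:
        dev.status = Status.CONFIRMED if confirmed else Status.NORMAL
    return dev.status


def inspection_due(dev: Device, today: date) -> bool:
    """Routine cadence applies only to In Use devices; the other states are
    inspected at their transitions instead."""
    if dev.state is not State.IN_USE:
        return False
    if dev.last_inspected is None:
        return True
    return (today - dev.last_inspected).days >= CADENCE_DAYS[dev.location_risk]


def transition(dev: Device, new_state: State, today: date,
               ticket: Optional[str] = None) -> bool:
    """Move a device between states. Entering In Use (from storage or after
    repair) and leaving In Use for storage/retirement both require an
    inspection dated today; compromised devices may not re-enter In Use."""
    if new_state is dev.state:
        return False
    entering_use = new_state is State.IN_USE
    leaving_use = dev.state is State.IN_USE and new_state is State.NOT_IN_USE
    move = f"{dev.state.value} -> {new_state.value}"
    if (entering_use or leaving_use) and dev.last_inspected != today:
        dev.log.append((today, "refused", move, "inspection required first"))
        return False
    if entering_use and (dev.status is Status.CONFIRMED or
                         (dev.status is Status.SUSPECTED and REMOVE_SUSPECT_FROM_SERVICE)):
        dev.log.append((today, "refused", move, dev.status.value))
        return False
    if new_state is State.UNDER_MAINTENANCE:
        if not ticket:                      # maintenance must be requested first
            return False
        dev.maintenance_ticket = ticket
    else:
        dev.maintenance_ticket = None
    dev.log.append((today, "transition", move, ticket or ""))
    dev.state = new_state
    return True


def under_maintenance(inventory: dict, serial: str) -> Optional[str]:
    """The quick on-the-spot check for front-line staff: the open maintenance
    ticket for this serial, or None if nobody should be working on it."""
    dev = inventory.get(serial)
    if dev is None or dev.state is not State.UNDER_MAINTENANCE:
        return None
    return dev.maintenance_ticket


def demo() -> dict:
    """Walk one constructed device through the life cycle in the post."""
    inventory = {"PED-0001": Device("PED-0001", "high")}   # constructed sample
    dev = inventory["PED-0001"]
    d0 = date(2024, 3, 1)
    refused = not transition(dev, State.IN_USE, d0)        # not yet inspected
    record_inspection(dev, d0)
    installed = transition(dev, State.IN_USE, d0)
    due_day8 = inspection_due(dev, date(2024, 3, 8))       # high risk: 7-day cadence
    impostor_ticket = under_maintenance(inventory, "PED-0001")   # no ticket open
    transition(dev, State.UNDER_MAINTENANCE, date(2024, 3, 10), ticket="TCK-42")
    real_ticket = under_maintenance(inventory, "PED-0001")
    d1 = date(2024, 3, 12)
    flagged = record_inspection(dev, d1, finding="seal broken")
    back_in_use = transition(dev, State.IN_USE, d1)        # blocked: suspect device
    final = expert_review(dev, confirmed=True)
    return {"refused_uninspected": refused, "installed": installed,
            "due_day8": due_day8, "impostor_ticket": impostor_ticket,
            "real_ticket": real_ticket, "flagged": flagged.value,
            "back_in_use": back_in_use, "final": final.value}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the `transition` function is that the inspection requirement is attached to the state change rather than left to memory: a device cannot be moved into In Use, or out of it into storage, unless an inspection dated the same day is on file, and `under_maintenance` gives a store employee a single lookup that answers "is anyone supposed to be touching this terminal today?" without a HelpDesk call.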