On June 30 (less than a week from when this is being written), the Payment Card Industry (PCI) Data Security Standard (DSS) requirement 9.9 moves from a best practice to a full component of the standard. This new requirement mandates the periodic physical inspection of all credit card devices (points-of-interaction in PCI speak) in a merchant's environment, with the intent to help merchants combat skimming.
For those who have to deal with this change, you may be wondering, "Isn't the EMV rollout scheduled for the fall going to solve the problem?"
Undoubtedly, EMV (also called "chip-and-PIN" or "chip-and-signature" cards) is a more secure technology than plain magnetic stripe cards. Unfortunately, even if all merchants and financial institutions are ready for the October deadline (signs indicate they won't be), consider that France has been 100% EMV for ten years, and one of the biggest skimming thefts so far this year happened there less than three months ago.
What EMV won't protect against is the wholesale swapping out of card terminals for "ghost terminals," as happened in France. Ghost terminals are devices that look real but only capture card data for the skimmers when a card is swiped or dipped. Good physical inspection practices on the devices, however, will catch this. If the taxi drivers or convenience store clerks had been required to validate that the devices they were using were actually the ones that were supposed to be there, this scheme would have been stopped right away.
Gas pump skimmers are very similar. Security cameras are great for tracking down perpetrators after the fact, but someone has to be watching at just the right time to catch the thieves in the act. Regular, consistent inspection of each pump, where a staff member physically checks that the device is free from tampering (serialized anti-tampering stickers and tape help considerably here), guards against malicious manipulation of your terminals, pumps, and readers and readily exposes skimming devices.
And what about ATMs? The skimming devices used there are understated and made to look like a normal part of the ATM. Yet regular physical inspection against proper reference images (showing the ATM in a state free from tampering or substitution) makes it possible to spot even the subtlest changes to the ATM's physical appearance.
The fact of the matter is that skimming is on the rise. It's relatively easy and low risk for the thieves, and the devices are cheap and simple to install.
The solution is clear. The only reliable way to combat this activity is to physically inspect your devices, which is exactly what PCI DSS 9.9 mandates.
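As an added example (not part of the original post and not SpotSkim's code), here is the reconciliation step an inspection program of this kind rests on: a constructed device inventory holding each point-of-interaction's serial and tamper-seal ID is checked against one walk-through's observations to flag unknown devices (possible ghost terminals), swapped serials, broken seals, appearance changes against the reference image, and overdue or skipped inspections. All locations, serials, seal IDs and dates are made up.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample inventory of the kind PCI DSS 9.9 expects a merchant to keep:
# one record per point-of-interaction device, keyed by where it is installed.
INVENTORY = {"pump-03": {"serial": "SN-1001", "seal": "SEAL-7781"},
             "lane-01": {"serial": "SN-2002", "seal": "SEAL-7782"},
             "cab-9": {"serial": "SN-3003", "seal": "SEAL-7783"}}

@dataclass
class Observation:
    location: str
    serial: str              # serial read off the device label during the walk-through
    seal: Optional[str]      # serialized tamper-evident sticker ID; None if missing or torn
    matches_reference: bool  # staff compared the device against its tamper-free reference image
    inspected: date

def reconcile(inventory, observations, today, max_interval_days=30):
    """Return (location, finding) pairs; an empty list means every device was seen,
    matched its inventory record, looked untouched, and was inspected on time."""
    findings, seen = [], set()
    for obs in observations:
        seen.add(obs.location)
        expected = inventory.get(obs.location)
        if expected is None:
            findings.append((obs.location, "not in inventory: possible ghost terminal"))
            continue
        if obs.serial != expected["serial"]:
            findings.append((obs.location, "serial mismatch: possible substituted device"))
        if obs.seal != expected["seal"]:
            findings.append((obs.location, "tamper seal missing or replaced"))
        if not obs.matches_reference:
            findings.append((obs.location, "appearance differs from reference image"))
        if (today - obs.inspected).days > max_interval_days:
            findings.append((obs.location, "inspection overdue"))
    for location in sorted(inventory.keys() - seen):  # inventoried but never seen
        findings.append((location, "device not inspected this cycle"))
    return findings

TODAY = date(2015, 6, 30)
# Constructed walk-through: one clean device, one with a torn seal, one swapped unit, one intruder.
SAMPLE = [
    Observation("pump-03", "SN-1001", "SEAL-7781", True, TODAY),
    Observation("lane-01", "SN-2002", None, False, TODAY),
    Observation("cab-9", "SN-9999", "SEAL-7783", True, TODAY - timedelta(days=45)),
    Observation("lane-02", "SN-4004", "SEAL-0000", True, TODAY),
]

def run_sample():
    return reconcile(INVENTORY, SAMPLE, TODAY)
```

A real program would persist each walk-through so the inspection log itself is available as evidence at assessment time.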
Are you ready to start inspecting?
We've built a tool, SpotSkim, specifically to make credit card device inspections effective, manageable, and reportable - whether you have one device or one hundred thousand. Using SpotSkim will help you ensure that you're compliant with PCI DSS requirement 9.9 and the inspections you're doing are actually protecting your assets.