What can Goldilocks teach us about inspections?

You remember the tale of Goldilocks, don't you?

A young girl, Goldilocks, is skipping along her merry way and stumbles upon a house in the woods. She knocks, gets no answer, and decides to check out what's inside.

While sneaking about, our cute little trespasser heads into the kitchen and finds some porridge waiting. Wouldn't you know it, with all that skipping in the woods Goldilocks worked up an appetite.

She tries the first bowl, but it's too hot. Well, on to the second bowl. It turns out to be too cold. Undeterred, Goldilocks tries the third bowl - just right!

The story goes through a few iterations of this process with chairs (too big - too small - just right!) and beds (too hard - too soft - just right!), as well. The bears return, find her, and she makes it out through the nearest window and off into the night.

The lesson
What does this have to with credit card terminal inspection?

The lesson to learn is about balance.

Physical inspection of credit card terminals is a task that is time consuming. If we spend too much time, it's waste of resources (too hot!). But if we spent to little time, we expose our organization to undue risk (too cold!). The ideal scenario would be to find the point at which the level of effort is equal to the risk of attack (just right!).

How to find the right mix
To find this sweet spot where risk and effort are balanced, we need to address the following:

  1. Assess the risk of attack
  2. Select an inspection period that correlates to that risk
  3. Inspect only the assets that are appropriate

Assessing risk
Since skimming, tampering, and substitution are all physical acts, they are by their very nature geographical. Therefore, it would be reasonable to assume that devices that are close together (within the same store for example) would all have a similar risks.

This is what the PCI SCC suggests in the "Skimming Prevention: Best Practices for Merchants". Appendix A of the document is an assessment of location risk which provides a high, medium, or low risk rating based on a number of questions about the location.

This assessment should be done at each of our locations (different geography, potentially different risk). While this may seem like a huge investment of time initially, it will pay off in the end by ensuring we aren't over (or under) inspecting.

Selecting an inspection period
Once we have an idea of the risk at our locations, how do we figure out what the right period is for that risk?

Both Coalfire Systems and HALOCK Security Labs, each in their own white paper on the requirement (each available here), provide the guidance that appropriate inspection periods are:

Risk Frequency
High Daily
Medium Weekly
Low Monthly

There have been customers I've spoken to who decided to inspect at every shift change based on their risk. This is mostly in the fuel sector, which is a major skimming target. Of course, the flexibility to adjust as makes sense is built into the requirement.

Selecting the right asset
While we are conducting inspections it would make no sense to inspect everything all the time. Just as important as risk, is determining what the current state of usage of the thing that is being inspected. I'll take a deep dive into this idea next week.

Updating risk
One final word on assessment and risk - at least once each year the location risk should be reviewed and updated if anything has changed that would effect the risk rating.

By taking the time to thoughtfully assess our risk and take appropriate action based on that assessment, we save time, effort, and money, while ensuring the appropriate level of security throughout our organization.

Not too hot, and not too cold, but just right.