
Coalfire Affirms SpotSkim

Coalfire Systems, Inc., a leading, independent cybersecurity and risk management firm, recently published a perspective white paper entitled "SpotSkim as a PCI DSS Requirement 9.9 Compliance Tool" which affirms SpotSkim as a solution that will help reduce effort and increase an organization's ability to fully comply with PCI DSS requirement 9.9.

In their evaluation, they found that "(m)aintaining security and compliance becomes simpler with the use of SpotSkim" and that "SpotSkim can alleviate a large portion of the burden of inspection" for organizations.

The full white paper can be downloaded here.

SpotSkim is the only automated point-of-sale device inspection tool available today. It allows anyone in your organization to inspect any device in a simple, effective, and consistent manner, and at the same time gives management oversight of the process with greater certainty, clarity, and ease.

You can learn more about PCI DSS requirement 9.9 on our resources page.

If you're ready to see how SpotSkim could make compliance with the physical inspection requirements of the PCI DSS simple and cost-effective, contact us today!

Who should be doing your inspections?

When talking to potential customers about PCI DSS requirement 9.9, one of the areas I consistently hear merchants struggle with is the question of who should actually be doing these inspections.

Usually, the suggestion will be made that their security staff, or maybe the manager at each retail location, should inspect. At first glance both seem like good options. However, the security team is small (relative to the larger organization) and its time is extraordinarily valuable. Location managers already have a huge daily task list and, like the security experts, their time is expensive.

So who is the right person?
The right person is the one that is standing in front of the device day in and day out (or that services it, if it's an unattended terminal). The associate, or cashier, or clerk, or attendant, or whatever name the role holds in your organization.

Why?
There are several reasons:

  • Availability - There is likely somewhere close to a 1:1 ratio (or one-to-a-few) of these employees to the devices that need to be inspected
  • Awareness - These employees are the most likely to know what the device looks like (they work with it the most) and to notice when something looks wrong
  • Cost - Their time is almost certainly much less expensive than that of your security team or the managers

But wait, they don't have any security experience. Maybe they are only seasonal workers. Maybe they are forgetful and can't remember to inspect. All valid points. And none of them matters with the right tools.

Leverage technology
Have you seen the stats for YouTube recently? They are HUGE.

Three hundred hours of video are uploaded per minute. One billion total users on the platform. Four billion video views per day. Six billion hours of video watched per month.

Not too long ago (YouTube has been around for 10 years this year), video production and distribution were closed to the average person. You needed expensive, professional grade equipment and years of experience to produce and edit even a short live video. Fast-forward to today; all the tools you need to create a video are cheap (or free) and distribution is as easy as uploading the file to YouTube for the world to see.

Technology and information availability have forever changed the nature of the video business, making it simple and available to everyone.

Why does that matter for device inspection?
The state of technology today allows us to make information readily available and at the same time control the process.

Our SpotSkim solution, as an example, combines an app that guides and validates the inspection process with a web portal for management of the entire device environment as well as reporting.

This makes it possible for consistent, effective inspections to take place no matter who is inspecting.

Why Is Physical Inspection Important?

Skimmers in France make off with €3.2 million.

The Florida Department of Agriculture finds 103 skimmers on gas pumps throughout the state.

Every day more banks and ATM networks (in the US and abroad) are reporting skimmers found on their machines.

On June 30 (less than a week from when this is being written), the best-practice period for Payment Card Industry (PCI) Data Security Standard (DSS) requirement 9.9 ends; from July 1 it is a full component of the standard. This new requirement mandates the periodic physical inspection of all credit card devices (points of interaction, or POIs, in PCI speak) in a merchant's environment, with the intent of helping merchants combat skimming.

For those who have to deal with this change, you may be wondering, "Isn't the EMV rollout scheduled for the fall going to solve the problem?"

Undoubtedly, EMV (also called "chip-and-PIN" or "chip-and-signature" cards) is a more secure technology than plain magnetic stripe cards. Unfortunately, even if every merchant and financial institution were ready for the October liability-shift deadline (and the signs indicate they won't be), consider that France has been 100% EMV for ten years. And one of the biggest skimming thefts so far this year happened there less than three months ago.

What EMV won't protect against is the wholesale swapping out of card terminals for "ghost terminals" like those used in France. Ghost terminals are devices that look like real terminals but, instead of processing the transaction, simply capture the card data for the skimmers when a card is swiped or dipped. Good physical inspection practices on the devices, however, will catch this. If the taxi drivers or convenience store clerks had been required to validate that the devices they were using were actually the ones that were supposed to be there, this scheme would have been stopped right away.

Gas pump skimmers are very similar. While security cameras are great at helping track down perpetrators, someone has to be watching at just the right time to catch the thieves in the act. Regular, consistent inspections of each pump, in which a staff member physically checks that the device is free from tampering (serialized anti-tamper stickers and tape help considerably here, because a broken or mismatched seal is evidence the housing was opened), guard against malicious manipulation of your terminals, pumps and readers and readily expose skimming devices.

And what about ATMs? The skimmers used there are unobtrusive and made to look like a normal part of the ATM. Yet regular physical inspection against proper reference images (taken when the ATM was in a known state, free from tampering or substitution) makes it possible to distinguish even the subtlest changes to the ATM's physical appearance.

The fact of the matter is that skimming is an activity that is on the rise. It's relatively easy and low risk for the thieves. Devices are cheap and simple to install.

The solution is clear. The way to combat this activity is to physically inspect your devices, which is exactly what PCI DSS 9.9 is mandating.

Are you ready to start inspecting?

We've built a tool, SpotSkim, specifically to make credit card device inspections effective, manageable, and reportable - whether you have one device or one hundred thousand. Using SpotSkim will help you ensure that you're compliant with PCI DSS requirement 9.9 and the inspections you're doing are actually protecting your assets.

To learn more, click here or contact us today.

The banner image above was taken by Mighty Travels and is being used under CC 2.0.

In Case You Missed The Webinar

Last week, our founder Vasu Nagendra co-hosted a webinar with Coalfire's Matt Getzelman on what requirement 9.9 means for merchants. Matt discussed what the requirement means from a QSA perspective and Vasu shared his expertise on what a "good" inspection is and other considerations.

With time running out to plan for and implement policies and procedures around this new section of the DSS, interest was very high. We had over 120 attendees across all merchant types, as well as organizations who support merchants.

In addition to some great questions and discussion, Edward Smith from the University of Pennsylvania was our lucky winner of the Kindle Fire giveaway.

Here's what some of the attendees had to say about the session:

  • I found the webinar VERY informative. I did not know the level of detail needed for 9.9. I was very surprised.
  • Very informative. I'm so glad I joined.
  • Great and practical information. Slides were well organized. The speakers were prepared and knowledgeable.
  • Good explanation. I'll be interested in sharing the slides and recording with others.

If you weren't able to attend, you can access the recording of the webinar, along with the slide deck, by completing the form below.

PCI DSS 3.1, Requirement 9.9 Changes

The PCI Security Standards Council has just released PCI DSS 3.1. As an organization that is focused on 9.9 specifically, we thought we'd provide you, our customers and prospects, some guidance on the changes and what we believe to be the rationale behind them.

You can grab the summary of changes on the PCI Website, and a copy of the standard v3.1 here.

Please keep in mind, we are only covering the 9.9 section changes here, and not anything else. As always, your assessor may have a different opinion than what is presented here. Here is our perspective.

So what exactly are the changes?

The summary of changes states the following for 9.9:

Updated testing procedure to clarify both devices and device locations need to be observed.

What does this mean?

Testing procedures apply during the assessment phase. So imagine your assessor is sitting in front of you; they would be asking you the following:

"You have 1000 stores. Can we take a sample of this, this, and this other store? I'd like to see a list of devices currently in these stores, and how, when, and by whom they have been inspected in the past year."

What is the rationale?

Your assessor is looking for the following information, which makes sense (in our minds anyway):

  1. A sample of devices, to make sure that the device information is correct:

    • Do we know the current status of this particular device?
    • What do we know about the history of the device?
    • Do we know where it is and where it has been?
  2. A sample of locations, to make sure that the location information is correct:

    • How many devices do we think are in this location?
    • Does our thinking match reality?
    • How did we come up with an inspection period for this location in the first place?

The point of this exercise is to reconcile the two sets of facts and reach the following conclusion (in the assessor's mind):

"If we think that this location x has 10 devices and can positively verify that the number is exactly 10; no-more, no-less...

and

If we think that each device that is in this location is supposed-to-be Inspected on a daily basis and can validate that...

then

We are reasonably certain that all locations are following almost exactly the same process."

If you are a math geek like me you might be tempted to call this proof by induction. Strictly, it is sampling: the assessor verifies a handful of locations end to end and infers that the unsampled locations follow the same process, which is why a single sampled location with a stale inventory or missed inspections undermines the whole conclusion.

Customers that are using SpotSkim are covered. This clarification doesn't add anything new to what the solution provided already. As always we continue to make improvements to make your process more consistent, faster, and cheaper. If you are a customer and are worried about what these changes mean to you - please feel free to reach out to us using the Support section of the portal.

If you are not a customer and are interested in learning more about SpotSkim, you can contact us here.

Header image by Nana B Agyei, used under CC 2.0

What Is Requirement 9.9 Actually Asking A Merchant To Do? Part 1

In order to assist merchants that have to meet this requirement, several independent organizations have already published white papers, most of which are available on our resources page. However, over the last week or two, the conversations I’ve had with customers and others have indicated that a little more clarification would be helpful.

So, today's post starts a series that dives deeper into 9.9, its sub-requirements, and the nuances of the mandate. Our founder, Vasu, will be jumping in as well to help make this as clear as possible. 

Here we go:

9.9 = PHYSICAL SECURITY OF DEVICES

Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.

So what does “direct physical interaction” mean? In the payments world, that would be all the devices used for “card present” transactions. These devices definitely include the standard payment terminals (customer facing or not), kiosks, self-checkout lanes, etc.

Now, how do we go about protecting these devices? According to the requirement, it's by creating an inventory of the devices (9.9.1), physically inspecting them (9.9.2), and empowering staff with training (9.9.3). 

But I’ll get to that in a second. I want to pause here to mention that this requirement mandates completely new organizational policy, procedure, and process. It’s worth stating again: since this was never required before, the creation and implementation of new policies, training, and in-store process is necessary. Hence the extra six months: 9.9 remained a best practice until June 30, 2015, six months after the rest of v3.0 became mandatory.

9.9.1 = INVENTORY

Maintain an up-to-date list of devices. The list should include the following:
  • Make, model of device. 
  • Location of device (for example, the address of the site or facility where the device is located).
  • Device serial number or other method of unique identification.

Several tracking mechanisms, including many device-management tools, can be used to maintain this inventory.

Keep in mind, though, that the inventory needs to aid inspection. As an example, a tool that kept only a logical inventory of all the devices, one that could not be verified physically, would be pretty pointless when it comes to this requirement.

So whatever tool you choose, make sure that your inventory is physically verifiable.

This makes sense as you think about it. The logical component is ensuring protection of card data by tying something about the payment device to something in your environment (like a serial number, a digital signature of the payment terminal, etc.). A human, during the inspection process, needs to be able to walk around and ensure that what the computer “thinks” it’s tracking is the same thing that is actually, physically there. 
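The reconciliation the assessor performs in the 3.1 post above (does the expected device count for a location match reality, and is each device inspected within the period set for that location?) and the "physically verifiable inventory" point made here are the same check from two directions. The following is an added example, not SpotSkim code or anything from the PCI SSC: it compares one location's logical inventory with the serial numbers read off the devices during a walk-around and with the inspection log. The device makes, serials, store names and dates are constructed sample data.

```python
"""Reconcile a PCI DSS 9.9.1 device inventory against what was physically observed.

Added example (not Termtegrity/SpotSkim code). Device makes, serials, locations
and dates below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class Device:
    """One row of the 9.9.1 inventory: make, model, location, unique identifier."""
    make: str
    model: str
    serial: str
    location: str


@dataclass
class Reconciliation:
    expected_count: int
    observed_count: int
    missing: list = field(default_factory=list)     # inventoried, not found on site
    unexpected: list = field(default_factory=list)  # found on site, not inventoried
    overdue: list = field(default_factory=list)     # found, but inspection period lapsed

    @property
    def clean(self) -> bool:
        return not (self.missing or self.unexpected or self.overdue)


def reconcile_location(inventory, location, observed_serials, last_inspected,
                       period_days, today):
    """Compare the logical inventory for one location with a physical walk-around.

    observed_serials: identifiers read off the devices actually present.
    last_inspected:   serial -> date of the most recent recorded inspection.
    period_days:      the inspection period the merchant set for this location.
    """
    expected = {d.serial: d for d in inventory if d.location == location}
    observed = set(observed_serials)
    result = Reconciliation(expected_count=len(expected), observed_count=len(observed))
    # Count alone is not enough: a substituted terminal keeps the count at N
    # but shows up as one missing serial plus one unexpected serial.
    result.missing = sorted(expected.keys() - observed)
    result.unexpected = sorted(observed - expected.keys())
    cutoff = today - timedelta(days=period_days)
    for serial in sorted(observed & expected.keys()):
        last = last_inspected.get(serial)
        if last is None or last < cutoff:
            result.overdue.append(serial)
    return result


# Constructed sample data.
INVENTORY = [
    Device("ExampleCo", "PinPad 100", "SN-1001", "Store 42"),
    Device("ExampleCo", "PinPad 100", "SN-1002", "Store 42"),
    Device("ExampleCo", "Kiosk 7", "SN-1003", "Store 42"),
    Device("ExampleCo", "PinPad 100", "SN-2001", "Store 7"),
]
# Walk-around of Store 42: three devices present, so the count matches, but
# SN-1003 has been replaced by a unit the inventory knows nothing about.
OBSERVED_STORE_42 = ["SN-1001", "SN-1002", "SN-9999"]
LAST_INSPECTED = {
    "SN-1001": date(2015, 6, 24),
    "SN-1002": date(2015, 6, 1),   # older than the 7-day period below
    "SN-9999": date(2015, 6, 24),
    "SN-2001": date(2015, 6, 25),
}
TODAY = date(2015, 6, 25)


def store_42_report():
    return reconcile_location(INVENTORY, "Store 42", OBSERVED_STORE_42,
                              LAST_INSPECTED, period_days=7, today=TODAY)


if __name__ == "__main__":
    r = store_42_report()
    print(f"expected {r.expected_count}, observed {r.observed_count}")
    print("missing:", r.missing, "unexpected:", r.unexpected, "overdue:", r.overdue)
```

Two things worth noting in the design. First, the count check passes for Store 42 (three expected, three observed) while the serial reconciliation exposes the substitution, which is why 3.1 asks assessors to look at both devices and locations rather than the headcount alone. Second, a matching serial is necessary but not sufficient: a serial plate can be moved to a ghost terminal, so the walk-around should also compare the device against its reference image and seals as described in the earlier post.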

In Part II and Part III we will talk about how to tie this logical inventory to a physically verifiable activity and the considerations that go with it. Stay tuned.

Be sure not to miss a post by subscribing to get the blog delivered directly to your inbox.

Start Here - A Primer on PCI DSS 9.9

While the hot news around the PCI DSS recently has been the Council's declaration that SSL is no longer considered strong cryptography and speculation on what DSS 3.1 will look like, another major change in the standard is swiftly approaching. As of July 1, 2015, PCI DSS requirement 9.9, which covers the physical security of "Point of Interaction" (POI) devices, moves from a best practice to an enforceable requirement.

If you haven't started planning for it yet, there is no time like the present. To help you get a better understanding of the requirement, we bring you another expert resource, courtesy of HALOCK Security Labs.

This white paper, called Complying with PCI-DSS Requirement 9.9 - A QSA's Perspective, is a look at the why, what, and how of this portion of the DSS.

While it is a small part of the overall standard, this new addition can translate into a large effort.

As noted in the opening of the white paper, "Organizations are now expected to train personnel to look for suspicious activity with all physical devices. This is a major change, as previous versions of the DSS did not require any point of interaction inspections whatsoever." Organizational policy and behavioral change is always difficult, but with the right tools, it can be manageable.

Get your planning started by downloading the white paper and talk to your QSA (HALOCK can be reached here) about what compliance with 9.9 means for your organization today.

INFOGRAPHIC - Skimming Update

Here at Termtegrity, we are passionate about skimming. Borderline obsessed, even. So when we looked at the data we had gathered over the past 13 months on skimming incidents, both here in the US and abroad, we thought it made for some pretty interesting statistics.

We compiled this data from all the publicly available news reports we've tracked over the last year and created the infographic below.

What it shows reinforces the statement the PCI Security Standards Council made by adding requirement 9.9 to version 3.0 of the Data Security Standard: skimming is a relevant fraud tactic that merchants should be protecting themselves against.

If you have any questions about the infographic or want to learn more about how our SpotSkim tool is helping merchants protect themselves and comply with requirement 9.9 contact us here or connect with us on Twitter at @Termtegrity.

Skimming Infographic

New resource: Sysnet's view of what 9.9 means for merchants

As we draw closer to July 1, 2015 - the date PCI DSS requirement 9.9 moves from a best practice to an enforceable requirement - industry experts continue to weigh in with their perspective on what the new portion of the standard will mean for merchants.

One of our first partners, Sysnet Global Solutions, which specializes in PCI DSS compliance validation and merchant intelligence solutions, has been a leader in thinking and talking about what 9.9 means.

In their new white paper "PCI DSS v3.0: A closer look at Requirement 9.9 - Payment Terminal Protection", author Jason McWhirr, CISSP, takes a look at just what the requirement is asking and what you'll need to do to comply.

The main focus of the piece is to spell out exactly what is needed to comply, which he breaks into the following categories:

1) Inventory – Know what you have, and who is responsible
2) Risk – Know how exposed your payment devices are
3) Train – Know what to look for and who to report to
4) Inspect – Checking the terminals
5) Evidence – Maintain a record of inspections, findings, and incidents

At the end of the paper, he presents a useful list of companies and tools that could help a merchant with compliance (of which our SpotSkim is one). You can download the paper here.

If you haven't started planning for the requirement yet, now is the time. Contact us today to see how SpotSkim makes it as easy as possible to comply with PCI DSS requirement 9.9.

I’m Dreaming of a White(paper) Christmas

Christmas came a little bit early this year. Last Friday, our friends over at Coalfire published an excellent whitepaper titled “Complying with PCI-DSS Requirement 9.9 - A Qualified Security Assessor’s Perspective” that is a thought provoking and practical look at the implications the requirement will have on merchants.

If you're not aware of it yet, requirement 9 covers restricting physical access to cardholder data in a merchant environment. Requirement 9.9 is brand new in v3.0 and deals explicitly with preventing the tampering or substitution of point-of-sale (POS) terminals.

Collectively called “skimming,” these attacks are on the rise and can be easy to miss until it’s too late. But not if you have a good process and procedures in place for regularly, consistently inspecting your devices.

So between sips of eggnog and the “It’s a Wonderful Life” reruns (or my personal favorite – “A Christmas Story”) take a few minutes to read this short paper. – you can get it here.

When 9.9 and the other PCI DSS version 3.0 best-practice items become enforceable requirements on July 1, 2015, you’ll be glad you started thinking about it now.

And from all of us here at Termtegrity, have a safe and joyful holiday season!