Inspecting

Who should be doing your inspections?

When talking to potential customers about PCI DSS requirement 9.9, one of the areas I consistently hear merchants struggle with is the question of who should actually be doing these inspections.

Usually, the suggestion will be made that their security staff, or maybe the manager at each retail location, should inspect. At first glance both seem like good options. However, the security team is small (relative to the larger organization) and their time is extraordinarily valuable. Location managers already have a huge daily task list and, like the security experts, their time is expensive.

So who is the right person?
The right person is the one who is standing in front of the device day in and day out (or who services it, if it's an unattended terminal). The associate, or cashier, or clerk, or attendant, or whatever name the role holds in your organization.

Why?
There are several reasons:

  • Availability - There is likely somewhere close to a 1:1 ratio (or one-to-a-few) of these employees to the devices that need to be inspected
  • Awareness - These employees are the most likely to know what the device looks like (they work with it the most) and notice if something looks funny
  • Cost - It's pretty likely that their time is much less expensive than your security team or the managers

But wait, they don't have any security experience. Maybe they are only seasonal workers. Maybe they are forgetful and can't remember to inspect. All valid points. And none of them matter with the right tools.

Leverage technology
Have you seen the stats for YouTube recently? They are HUGE.

Three hundred hours of video are uploaded per minute. One billion total users on the platform. Four billion video views per day. Six billion hours of video watched per month.

Not too long ago (YouTube has been around for 10 years this year), video production and distribution were closed to the average person. You needed expensive, professional-grade equipment and years of experience to produce and edit even a short live video. Fast-forward to today: all the tools you need to create a video are cheap (or free) and distribution is as easy as uploading the file to YouTube for the world to see.

Technology and information availability have forever changed the nature of the video business, making it simple and available to everyone.

Why does that matter for device inspection?
The state of technology today allows us to make information readily available and at the same time control the process.

Our SpotSkim solution, as an example, combines an app that guides and validates the inspection process with a web portal for management of the entire device environment as well as reporting.

This makes it possible for consistent, effective inspections to take place no matter who is inspecting.