PCI DSS 9.9

Coalfire Affirms SpotSkim

Coalfire Systems, Inc., a leading, independent cybersecurity and risk management firm, recently published a perspective white paper entitled "SpotSkim as a PCI DSS Requirement 9.9 Compliance Tool" which affirms SpotSkim as a solution that will help reduce effort and increase an organization's ability to fully comply with PCI DSS requirement 9.9.

In their evaluation, they found that "(m)aintaining security and compliance becomes simpler with the use of SpotSkim" and that "SpotSkim can alleviate a large portion of the burden of inspection" for organizations.

The full white paper can be downloaded here.

SpotSkim is the only automated point-of-sale device inspection tool available today. It allows anyone in your organization to inspect any device in a simple, effective, and consistent manner. At the same time, it lets management run the process with greater certainty, clarity, and ease.

You can learn more about PCI DSS requirement 9.9 on our resources page.

If you're ready to see how SpotSkim could make compliance with the physical inspection requirements of the PCI DSS simple and cost-effective, contact us today!

What can Goldilocks teach us about inspections?

You remember the tale of Goldilocks, don't you?

A young girl, Goldilocks, is skipping along her merry way and stumbles upon a house in the woods. She knocks, gets no answer, and decides to check out what's inside.

While sneaking about, our cute little trespasser heads into the kitchen and finds some porridge waiting. Wouldn't you know it, with all that skipping in the woods Goldilocks worked up an appetite.

She tries the first bowl, but it's too hot. Well, on to the second bowl. It turns out to be too cold. Undeterred, Goldilocks tries the third bowl - just right!

The story goes through a few iterations of this process with chairs (too big - too small - just right!) and beds (too hard - too soft - just right!), as well. The bears return, find her, and she makes it out through the nearest window and off into the night.

The lesson
What does this have to do with credit card terminal inspection?

The lesson to learn is about balance.

Physical inspection of credit card terminals is a time-consuming task. If we spend too much time on it, it's a waste of resources (too hot!). But if we spend too little time, we expose our organization to undue risk (too cold!). The ideal scenario is to find the point at which the level of effort matches the risk of attack (just right!).

How to find the right mix
To find this sweet spot where risk and effort are balanced, we need to address the following:

  1. Assess the risk of attack
  2. Select an inspection period that correlates to that risk
  3. Inspect only the assets that are appropriate

Assessing risk
Since skimming, tampering, and substitution are all physical acts, they are by their very nature geographical. Therefore, it is reasonable to assume that devices that are close together (within the same store, for example) all carry a similar risk.

This is what the PCI SSC suggests in "Skimming Prevention: Best Practices for Merchants". Appendix A of that document is an assessment of location risk which produces a high, medium, or low risk rating based on a number of questions about the location.

This assessment should be done at each of our locations (different geography, potentially different risk). While this may seem like a huge investment of time initially, it will pay off in the end by ensuring we aren't over (or under) inspecting.

Selecting an inspection period
Once we have an idea of the risk at our locations, how do we figure out what the right period is for that risk?

Both Coalfire Systems and HALOCK Security Labs, each in their own white paper on the requirement (each available here), provide the guidance that appropriate inspection periods are:

Risk     Frequency
High     Daily
Medium   Weekly
Low      Monthly

There have been customers I've spoken to who decided to inspect at every shift change based on their risk. This is mostly in the fuel sector, which is a major skimming target. Of course, the flexibility to adjust the period as appropriate is built into the requirement.

Selecting the right asset
While we are conducting inspections it makes no sense to inspect everything all the time. Just as important as risk is determining the current usage state of the device being inspected. I'll take a deep dive into this idea next week.

Updating risk
One final word on assessment and risk - at least once each year the location risk should be reviewed and updated if anything has changed that would affect the risk rating.

By taking the time to thoughtfully assess our risk and take appropriate action based on that assessment, we save time, effort, and money, while ensuring the appropriate level of security throughout our organization.

Not too hot, and not too cold, but just right.

Who should be doing your inspections?

When talking to potential customers about PCI DSS requirement 9.9, one of the areas I consistently hear merchants struggle with is the question of who should actually be doing these inspections.

Usually, the suggestion will be made that their security staff, or maybe the manager at each retail location, should inspect. At first glance both seem like good options. However, the security team is small (relative to the larger organization) and their time is extraordinarily valuable. Location managers already have a huge daily task list and like the security experts, their time is expensive.

So who is the right person?
The right person is the one that is standing in front of the device day in and day out (or that services it, if it's an unattended terminal). The associate, or cashier, or clerk, or attendant, or whatever name the role holds in your organization.

Why?
There are several reasons:

  • Availability - There is likely somewhere close to a 1:1 ratio (or one-to-a-few) of these employees to the devices that need to be inspected
  • Awareness - These employees are the most likely to know what the device looks like (they work with it the most) and notice if something looks funny
  • Cost - It's pretty likely that their time is much less expensive than your security team or the managers

But wait, they don't have any security experience. Maybe they are only seasonal workers. Maybe they are forgetful and can't remember to inspect. All valid points. And with the right tools, none of them matter.

Leverage technology
Have you seen the stats for YouTube recently? They are HUGE.

Three hundred hours of video are uploaded per minute. One billion total users on the platform. Four billion video views per day. Six billion hours of video watched per month.

Not too long ago (YouTube has been around for 10 years this year), video production and distribution were closed to the average person. You needed expensive, professional grade equipment and years of experience to produce and edit even a short live video. Fast-forward to today; all the tools you need to create a video are cheap (or free) and distribution is as easy as uploading the file to YouTube for the world to see.

Technology and information availability have forever changed the nature of the video business, making it simple and available to everyone.

Why does that matter for device inspection?
The state of technology today allows us to make information readily available and at the same time control the process.

Our SpotSkim solution, as an example, combines an app that guides and validates the inspection process with a web portal for management of the entire device environment as well as reporting.

This makes it possible for consistent, effective inspections to take place no matter who is inspecting.

Why Is Physical Inspection Important?

Skimmers in France make off with €3.2 million.

The Florida Department of Agriculture finds 103 skimmers on gas pumps throughout the state.

Every day more banks and ATM networks (in the US and abroad) are reporting skimmers found on their machines.

After June 30 (less than a week from when this is being written), the Payment Card Industry (PCI) Data Security Standard (DSS) requirement 9.9 moves from a best practice to a mandatory component of the standard. This new requirement mandates the periodic physical inspection of all credit card devices (points of interaction, in PCI speak) in a merchant's environment, with the intent of helping merchants combat skimming.

For those who have to deal with this change, you may be wondering, "Isn't the EMV rollout scheduled for the fall going to solve the problem?"

Undoubtedly, EMV (also called "chip-and-PIN" or "chip-and-signature" cards) is a more secure technology than plain magnetic stripe cards. Unfortunately, even if all merchants and financial institutions were ready for the October deadline (which signs indicate they won't be), EMV alone would not end skimming: France has been 100% EMV for ten years, and one of the biggest skimming thefts so far this year happened there less than three months ago.

What EMV won't protect against is the wholesale swapping out of card terminals for "ghost terminals" like in France. Ghost terminals are devices that look real but only capture card data for the skimmers when a card is swiped or dipped. Good physical inspection practices on the devices, however, will catch this. If the taxi drivers or convenience store clerks had had to validate that the devices they were using were actually the ones that were supposed to be there, this scheme would have been stopped right away.

Gas pump skimmers are very similar. While security cameras are great at helping track down perpetrators, someone has to be watching at just the right time to catch the thieves in the act. Regular, consistent inspections of each pump, in which a staff member physically checks that the device is free from tampering (serialized anti-tamper stickers and tape help considerably here), guard against malicious manipulation of your terminals, pumps and readers and readily expose skimming devices.

And what about ATMs? The overlays being used are discreet and made to look like a normal part of the ATM. Yet regular physical inspection against proper reference images (of the ATM in a state known to be free from tampering or substitution) makes it possible to distinguish even the subtlest changes to the ATM's physical appearance.

The fact of the matter is that skimming is an activity that is on the rise. It's relatively easy and low risk for the thieves. Devices are cheap and simple to install.

The solution is clear. The only reliable way to combat this activity is by physically inspecting your devices, which is what PCI DSS 9.9 is mandating.

Are you ready to start inspecting?

We've built a tool, SpotSkim, specifically to make credit card device inspections effective, manageable, and reportable - whether you have one device or one hundred thousand. Using SpotSkim will help you ensure that you're compliant with PCI DSS requirement 9.9 and the inspections you're doing are actually protecting your assets.

To learn more, click here or contact us today.

The banner image above was taken by Mighty Travels and is being used under CC 2.0.

In Case You Missed The Webinar

Last week, our founder Vasu Nagendra co-hosted a webinar with Coalfire's Matt Getzelman on what requirement 9.9 means for merchants. Matt discussed what the requirement means from a QSA perspective and Vasu shared his expertise on what a "good" inspection is and other considerations.

With time running out to plan for and implement policies and procedures around this new section of the DSS, interest was very high. We had over 120 attendees across all merchant types, as well as organizations who support merchants.

In addition to some great questions and discussion, Edward Smith from the University of Pennsylvania was our lucky winner of the Kindle Fire giveaway.

Here's what some of the attendees had to say about the session:

  • I found the webinar VERY informative. I did not know the level of detail needed for 9.9. I was very surprised.
  • Very informative. I'm so glad I joined.
  • Great and practical information. Slides were well organized. The speakers were prepared and knowledgeable.
  • Good explanation. I'll be interested in sharing the slides and recording with others.

If you weren't able to attend, you can access the recording of the webinar, along with the slide deck, by completing the form below.

What Is Requirement 9.9 Actually Asking A Merchant To Do? Part 3

Remember that old adage about "teaching a person to fish?" That's pretty much what the third and final subsection of the new PCI DSS requirement 9.9 covers.

The 9.9.3 requirement states:

Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following:

  • Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
  • Do not install, replace, or return devices without verification.
  • Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).
  • Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).

There are a few things here to consider.

  • In order to provide training to employees, a formal policy is needed
  • The formal policy isn't just written down, but is also disseminated to all the relevant employees; in this case, the front line employees
  • Perhaps bundling this in your store's Standard Operating Procedure is a great way to start

When thinking about creating policy and training, they will need to cover scenarios such as:

  • Will you ask front line employees to check the ID of the human who shows up to work on a device or ask them to call a manager?
  • How does the manager know whether or not the person is supposed to be there?
  • What does "suspicious behavior" mean?
  • What is the mechanism for employees to report this suspicious behavior?
  • What are the review and actions based on these reported incidents?
  • Who is responsible, and accountable for them?

For this requirement, just ensuring your security staff is aware is not enough. In order for it to be effective, each person that works in a location where customers can swipe their credit cards needs to have read and acknowledged this policy and be trained on how to implement it. For this, there are several alternatives:

  • If you already have a training program in place around PCI compliance and a procedure for updating the content, creating and adding a section on requirement 9.9 should suffice.
  • There are organizations like our partner LiquidNexxus that are PCI certified trainers who also can create custom training for your organization.
  • In SpotSkim, we've added both policy and training into the app. This allows for easy dissemination of information and tracking as the employee reviews and acknowledges both the policy and training.

Once you have created and rolled out the policy and training, the testing procedure for your QSA is to review the training and ensure it includes everything stated in the requirement. Once they validate the training, the QSA will select a sample of employees to interview to ensure they understand the policy and procedures found in the training.

Tracking and being able to report on when employees were presented with the policy and training will make this process much easier.

If you'd like to hear more about the requirement or have questions, Coalfire is hosting a webinar on April 28, 2015 at 2pm Eastern to review requirement 9.9 and answer attendee inquiries. You can register for the session here.

Header image photo credit to Colynn used under CC 2.0.

What Is Requirement 9.9 Actually Asking A Merchant To Do? Part 2

Last week, I posted the first in a three part series on the new PCI DSS 3.0, requirement 9.9. This addition to the DSS 3.0 is a best practice until June 30, 2015, after which it becomes enforceable for compliance.

Today's post is all about the second sub-requirement, 9.9.2, which covers device inspection.

In several product demonstrations I’ve done recently, the customers have remarked something similar to:

“Boy, that sounds like a lot of work. Do we actually have to inspect every device?”

The answer to that question is an emphatic yes. The best way to ensure no tampering is happening is by having a human look at each device to confirm:

1) It is in your inventory
2) It is in the location where you expect it to be
3) It is free of any signs of tampering

Here's what the actual requirement states:

9.9.2 = INSPECTION

Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).

The word “periodically” here can be read as “regular” and “consistent.” This is because if the devices aren’t being inspected on a set schedule, in the same way each time, inconsistencies across these checks could cause important signs of tampering to be missed.

Now, how to figure out what is the correct period of the inspections?
The SSC has provided a nice resource to help you figure out at exactly what frequency you should be inspecting your devices in the "Skimming Prevention: Best Practices for Merchants" document. Appendix A, starting on page 30, is a questionnaire that will assist in assessing the risk (high/medium/low) of a particular location which then corresponds with a timeframe.

Coalfire's "Complying with PCI-DSS Requirement 9.9" white paper provides a baseline recommendation on what a high/medium/low risk should translate into in terms of frequency. Their recommendations are daily for a high risk location, weekly for a medium risk, and monthly for a low risk.

Your particular location or business type may call for tweaking this recommendation - for example, some gas merchants might choose to inspect at each shift change (their business type is a well-known target for skimming). At the end of the day, you'll have to justify your choice of frequency to your QSA.

Then how do you make each inspection consistent?
There are two ways. The first is by utilizing highly skilled, security-focused employees who know exactly what to look for and how to go about inspecting devices.

The second is to create a template for inspection (an example is provided in Appendix B of the Skimming Prevention document) that walks the inspector through each step and highlights what they need to look for. This allows anyone in your organization to perform the inspections at any time. If data is collected in the right way around each inspection, then everything is available for that highly skilled security employee to review, if necessary.

So what about the actual inspection?
First, you'll want to check the device's unique identifier to confirm what you're looking at is the asset you think it is.

Once this is confirmed, next is checking for any tampering.

There are different places on each device type that are points of attack. For example, on a gas pump you would want to check the card swipe/dip, the receipt door, the maintenance door, and the PIN pad. If using a system like a Clover or Ziosk, which utilize encrypting readers, the only point of attack for a skimmer - and thus the only point needing a tamper inspection - is the card swipe; the unit as a whole can still be substituted, though, so the identifier check above still applies. On your particular set of assets, it is important to identify and inspect the areas that are weak against attack, as well as to look over the entire device for scratches, holes, peeled stickers or other signs of someone tampering with the asset.

Inspecting the environment near the device is important as well.
Reviewing the area around the asset, looking for signs that remote cameras have been installed and/or for unexpected charity boxes or merchandising that could be hiding Bluetooth skimmers, will further ensure the safety and security of your devices.

Recording the data around inspections.
Finally, whether you choose to use a log book, an Excel spreadsheet, or another tool, you'll want to collect and record the data and results of each inspection. At a minimum you should be recording:

  • Who inspected the device
  • The location of the inspection
  • The date and time
  • Confirmation of the asset's unique identifier
  • Answers to inspection questions
  • Comments on any inconsistencies or concerns

Ultimately, you want to be able to provide all of this data to your QSA to prove your compliance and be able to track down the source of an incident, if one ever occurs.
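As an added illustration of how the pieces above fit together (the 9.9.1 inventory from Part 1, the risk-based inspection period from the Goldilocks post and the Coalfire/HALOCK guidance, and the inspection record fields just listed), here is a small Python script that checks an inspection log against an inventory. It is example code written for this page, not SpotSkim or any other product's code. The inventory, the location risk ratings, the inspection records and the field names are all constructed sample data; the day counts for "weekly" and "monthly" are assumptions you would set in your own policy and justify to your QSA.

```python
"""Inspection-schedule and substitution checks for a POI device inventory.

Added example, not Termtegrity/SpotSkim code. The risk-to-frequency
mapping follows the guidance quoted on this page (high = daily,
medium = weekly, low = monthly); the inventory, location risk ratings
and inspection log below are constructed sample data.
"""
from datetime import datetime, timedelta

# Maximum days between inspections per location risk rating. "Monthly"
# is approximated as 30 days here (an assumption; set it per your policy).
INTERVAL_DAYS = {"high": 1, "medium": 7, "low": 30}

# 9.9.1 inventory: make, model, location, unique identifier (constructed).
INVENTORY = [
    {"make": "Verifone", "model": "MX915",  "location": "Store 101", "serial": "VF-001"},
    {"make": "Verifone", "model": "MX915",  "location": "Store 101", "serial": "VF-002"},
    {"make": "Gilbarco", "model": "Pump 3", "location": "Fuel 7",    "serial": "GB-003"},
    {"make": "Ingenico", "model": "iSC250", "location": "Store 202", "serial": "IN-004"},
]

# Appendix A style risk rating per location (constructed).
LOCATION_RISK = {"Store 101": "medium", "Fuel 7": "high", "Store 202": "low"}

# 9.9.2 inspection records: who, where, when, the serial as read off the
# device, answers to the inspection questions, and comments (constructed).
LOG = [
    {"inspector": "clerk-a", "location": "Store 101", "time": "2015-06-29T08:05",
     "serial": "VF-001", "answers": {"seal_intact": True, "no_overlay": True},
     "comment": ""},
    {"inspector": "clerk-a", "location": "Store 101", "time": "2015-06-29T08:07",
     "serial": "VF-009", "answers": {"seal_intact": True, "no_overlay": True},
     "comment": ""},
    {"inspector": "attendant-b", "location": "Fuel 7", "time": "2015-06-28T22:00",
     "serial": "GB-003", "answers": {"seal_intact": False, "no_overlay": True},
     "comment": "tape over maintenance door cut"},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


def required_interval(location):
    """Map a location's risk rating to the maximum time between inspections."""
    return timedelta(days=INTERVAL_DAYS[LOCATION_RISK[location]])


def last_inspection(serial, log):
    """Time of the most recent record for this serial, or None if never inspected."""
    times = [parse_time(r["time"]) for r in log if r["serial"] == serial]
    return max(times) if times else None


def overdue_devices(inventory, log, now):
    """Inventory serials whose last inspection is older than the risk-based interval."""
    overdue = []
    for dev in inventory:
        last = last_inspection(dev["serial"], log)
        if last is None or now - last > required_interval(dev["location"]):
            overdue.append(dev["serial"])
    return overdue


def substitution_alerts(inventory, log):
    """(location, serial) pairs seen during inspection that the inventory does not expect.

    An unknown serial at a location is the signature of a swapped ("ghost")
    terminal, or of a device moved without the inventory being updated.
    """
    expected = {(d["location"], d["serial"]) for d in inventory}
    return sorted({(r["location"], r["serial"]) for r in log
                   if (r["location"], r["serial"]) not in expected})


def tamper_alerts(log):
    """Records in which any inspection question was answered 'no'."""
    return [(r["serial"], r["time"], r["comment"]) for r in log
            if not all(r["answers"].values())]


if __name__ == "__main__":
    now = parse_time("2015-06-30T09:00")
    print("overdue:", overdue_devices(INVENTORY, LOG, now))
    print("substitution:", substitution_alerts(INVENTORY, LOG))
    print("tamper:", tamper_alerts(LOG))
```

Run as-is, the script reports VF-002 and IN-004 as overdue because they were never inspected, GB-003 as overdue because a high-risk fuel location needs a daily check and its last record is over a day old, the unexpected serial VF-009 at Store 101 as a possible substitution (the clerk inspected a device that is not the VF-002 the inventory expects there), and the cut tape on GB-003 as a tamper indicator. The point is that each field the post asks you to record is what makes one of these checks possible.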

Next week, I'm going to cover the final piece of the requirement, 9.9.3 which covers policy and training around the inventory and inspections.

Header image by nolifebeforecoffee, used under CC 2.0

What Is Requirement 9.9 Actually Asking A Merchant To Do? Part 1

In order to assist merchants that have to meet this requirement, several independent organizations have already published white papers, most of which are available on our resources page. However, over the last week or two, the conversations I’ve had with customers and others have indicated that a little more clarification would be helpful.

So, today's post starts a series that dives deeper into 9.9, its sub-requirements, and the nuances of the mandate. Our founder, Vasu, will be jumping in as well to help make this as clear as possible. 

Here we go:

9.9 = PHYSICAL SECURITY OF DEVICES

Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.

So what does “direct physical interaction” mean? In the payments world, that would be all the devices used for “card present” transactions. These devices definitely include the standard payment terminals (customer facing or not), kiosks, self-checkout lanes, etc.

Now, how do we go about protecting these devices? According to the requirement, it's by creating an inventory of the devices (9.9.1), physically inspecting them (9.9.2), and empowering staff with training (9.9.3). 

But I’ll get to that in a second. I want to pause here to mention that within this requirement is the mandate for completely new organizational policy, procedure, and process. It’s worth stating again - since this was never required before, the creation and implementation of new policies, trainings, and in-store process is necessary. Thus the extra six months.

9.9.1 = INVENTORY

Maintain an up-to-date list of devices. The list should include the following:
  • Make, model of device. 
  • Location of device (for example, the address of the site or facility where the device is located).
  • Device serial number or other method of unique identification.

There are several tracking mechanisms that can be used including many of the device management tools to maintain this inventory.

Keep in mind though; inventory needs to aid inspection. As an example, if we had a tool that was taking only a logical inventory of all the devices and it wasn’t verifiable physically, it would be pretty pointless when it comes to this requirement.

So it doesn’t matter what tool you choose, make sure that your inventory is physically verifiable. 

This makes sense as you think about it. The logical component is ensuring protection of card data by tying something about the payment device to something in your environment (like a serial number, a digital signature of the payment terminal, etc.). A human, during the inspection process, needs to be able to walk around and ensure that what the computer “thinks” it’s tracking is the same thing that is actually, physically there. 

In Part II and Part III we will talk about how to tie this logical inventory to a physically verifiable activity and the considerations that go with it. Stay tuned.

Be sure not to miss a post by subscribing to get the blog delivered directly to your inbox.

Start Here - A Primer on PCI DSS 9.9

While the hot news around the PCI DSS recently has been the declaration that SSL is dead and speculation on what DSS 3.1 will look like, another major change in the standard is swiftly approaching. As of July 1, 2015, the PCI DSS requirement 9.9, which covers the physical security of "Point of Interaction" (POI) devices, moves from a best practice to an enforceable requirement.

If you haven't started planning for it yet, there is no time like the present. And to help you get a better understanding of the requirement, we bring you another expert resource, compliments of HALOCK Security Labs.

This white paper, called Complying with PCI-DSS Requirement 9.9 - A QSA's Perspective, is a look at the why, what, and how of this portion of the DSS.

While a smaller subset of the overall standard, this new addition can translate into a large effort.

As noted in the opening of the white paper, "Organizations are now expected to train personnel to look for suspicious activity with all physical devices. This is a major change, as previous versions of the DSS did not require any point of interaction inspections whatsoever." Organizational policy and behavioral change is always difficult, but with the right tools, it can be manageable.

Get your planning started by downloading the white paper and talk to your QSA (HALOCK can be reached here) about what compliance with 9.9 means for your organization today.

INFOGRAPHIC - Skimming Update

Here at Termtegrity, we are passionate about skimming. Borderline obsessed, even. So when we looked at the data we had gathered over the past 13 months on skimming incidents, both here in the US and abroad, we thought it made for some pretty interesting statistics.

We compiled this data from all the publicly available news reports we've tracked over the last year and created the infographic below.

What it shows reinforces the statement the PCI Security Standards Council made by adding requirement 9.9 to the Data Security Standard version 3.0: that skimming is a relevant fraud tactic that merchants should be protecting themselves against.

If you have any questions about the infographic or want to learn more about how our SpotSkim tool is helping merchants protect themselves and comply with requirement 9.9 contact us here or connect with us on Twitter at @Termtegrity.

Skimming Infographic