Working Smarter

We here at SpotSkim HQ are big proponents of working smarter, not harder, when it comes to protecting yourself and your customers from skimming attacks. Today, the NCAS validated the SpotSkim approach to monitoring gas pumps and equipment by announcing their own app in partnership with Pinnacle Corporation. As we advocated last June in our blog post "Why is Physical Inspection Important?", they recommend daily inspection combined with tamper-evident labels to safeguard pumps from skimming attacks.

While the SkimDefend app was just released, SpotSkim has been helping merchants protect their credit card devices for over two years, as well as making compliance with PCI DSS Requirement 9.9 simple since it became official last June (it becomes applicable to fuel merchants in 2017).

If you aren't inspecting yet, or aren't sure that your inspection process is actually working, be sure to check out your options for making this process easy and effective. You can try SpotSkim free for 30 days by signing up here - http://termtegrity.com/spotskim-sign-up

Skimming Update - Past 12 Months

The infographic below was presented recently at the Verifone Retail Payments Conference in Florida during the "PCI 9.9 & Device Management" session by our CEO, Vasu Nagendra, and Verifone's Chief Security Officer, Joe Majka.

This covers the last 12 months from publicly available sources, extrapolating totals where some data was missing from reports.

At the highest level, the data shows that skimming continues to be a global problem, with the United States leading the world in number of incidents.

Coalfire Affirms SpotSkim

Coalfire Systems, Inc., a leading, independent cybersecurity and risk management firm, recently published a perspective white paper entitled "SpotSkim as a PCI DSS Requirement 9.9 Compliance Tool" which affirms SpotSkim as a solution that will help reduce effort and increase an organization's ability to fully comply with PCI DSS requirement 9.9.

In their evaluation, they found that "(m)aintaining security and compliance becomes simpler with the use of SpotSkim" and that "SpotSkim can alleviate a large portion of the burden of inspection" for organizations.

The full white paper can be downloaded here.

SpotSkim is the only automated point-of-sale device inspection tool available today. It allows anyone in your organization to inspect any device in a simple, effective, and consistent manner. At the same time, it allows management of the process with greater certainty, clarity, and ease.

You can learn more about PCI DSS requirement 9.9 on our resources page.

If you're ready to see how SpotSkim could make compliance with the physical inspection requirements of the PCI DSS simple and cost-effective, contact us today!

Device State and Status Matter for Inspections

We learn in science class that matter generally comes in three states - liquid, solid, and gas. Water, for example, can easily take each of those states in nature - rain, ice, clouds.

Today I want to talk about this concept of state, applied to credit card device inspection.

When thinking about inspecting point-of-sale devices and credit card terminals to comply with PCI DSS requirement 9.9, one major consideration is the state (defined as the particular condition that the device is in at a specific time) of the device.

The major states to keep in mind are:

  • In Use
  • Not In Use
  • Under Maintenance

In Use
A device can be considered "In Use" if it is available for consumers/cardholders to interact with. The vast majority of our devices will be "In Use" for most of their life cycle. Hopefully that's not a surprise. Unless you are a device manufacturer, why would you have a warehouse full of payment devices just sitting around?

Inspection Considerations
In Use devices should be inspected on the regular cadence established based on the location risk (as described here).

Not In Use
These are devices that are part of our inventory, but are not available to be used by customers. Devices can be "Not In Use" for a few different reasons:

  • They are in a central storage facility waiting to be shipped to stores
  • They are being kept as backup devices if any of the In Use devices fail in the store itself
  • They have broken or failed and are beyond repair

Inspection Considerations
Not In Use devices should be inspected before being put into use (for example, when adding a new device from storage). This validates that it is actually a device from our inventory and that no tampering occurred while the device was not in use.

They should also be inspected as they are being taken out of use (for example, when swapping out a broken device or removing a checkout lane). This way we ensure no tampering has occurred before the device is put into storage, or we document its condition one final time before retiring it.

This final inspection is especially important for devices that fall in the P2PE realm.

Under Maintenance
This state will range from the point where maintenance has been requested on a device until repairs are made or the device is removed (because it can't be repaired).

Knowing whether or not a device is Under Maintenance is an important consideration. In the past, fraudsters have impersonated maintenance staff to swap out good terminals for bad ones or attach skimming devices.

Two things can combat this tactic. First, training our front line staff to be curious and ask questions if someone claims to be maintaining devices. Second, having access to an easy mechanism by which a specific device can be quickly and immediately validated to be Under Maintenance. If validating a device requires a call to the HelpDesk, which requires someone walking half-way across the store, picking up a phone, authenticating themselves, and asking a human a question to which the human has to ... You get it, we've lost the battle. It just won't happen.

Inspection Considerations
Devices that are Under Maintenance should be inspected upon completion of the maintenance before being put back In Use. This will ensure that no tampering or substitution occurred during the repair.

Device Status
Going back to the example of physical matter, let's talk for a second about rain. Rain is water in a liquid physical state that is falling from the sky. If I see that the status of the weather outside is "it's raining," I'm going to grab an umbrella.

Similarly, we want to be aware of the device's status as it relates to compromise, so we can take appropriate action.

Most of the time, a device's status will be normal - otherwise we have bigger problems! But there may be a time when there is suspicion that a device has been tampered with, substituted, or has had a skimming device added. This leads to two different statuses we want to monitor:

  • Suspected Compromised
  • Confirmed Compromised

Suspected Compromised
If we have staff who are not security experts performing inspections (which I recommend, more here), allowing them to mark devices as "Suspected Compromised" during an inspection enables them to note any suspicious findings for our security experts to confirm or dismiss.

Usage Considerations
A device that is Suspected Compromised should be fully investigated as quickly as possible as we don't want our customers to be able to use a device that is actually compromised. We want to carefully consider this as we are writing corporate policy to ensure we cover whether or not suspect devices are removed from service and what an acceptable response time is to address these alerts.

Confirmed Compromised
If a security expert (or other staffer with the expertise to declare a device as compromised) has validated a suspected compromised alert, our fraud security plan should be immediately put into action.

Usage Considerations
Here, we'll want to rely on our organization's fraud security policy. Depending on what these policies state, we may want to immediately remove the device from use, or potentially work with local and federal police to try and catch the fraudsters behind the tampering.

If there is no policy in place, Visa has a great resource on what to do if there is a compromise.

By using and tracking the above states and statuses on all of our devices as part of our inspections, we can be sure we're not over (or under) inspecting, which saves time, effort, and money for our organization.
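To make the state and status rules above concrete, here is an added example (written for this post, not SpotSkim code) that tracks both for a small inventory in Python. It refuses the state changes that must be preceded by an inspection, gives front-line staff a quick way to check whether a specific device is genuinely Under Maintenance on a given ticket, records a non-expert's Suspected Compromised flag for expert review, and reports flags that have sat longer than the response window. The device ids, the ticket number, the 24-hour response window and the choice to pull a confirmed device out of service are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, List, Optional


class State(Enum):
    IN_USE = "in_use"
    NOT_IN_USE = "not_in_use"
    UNDER_MAINTENANCE = "under_maintenance"


class Status(Enum):
    NORMAL = "normal"
    SUSPECTED = "suspected_compromised"
    CONFIRMED = "confirmed_compromised"


# Transitions that must be accompanied by an inspection: into service from
# storage, out of service into storage or retirement, and out of maintenance.
INSPECTION_REQUIRED = {
    (State.NOT_IN_USE, State.IN_USE),
    (State.IN_USE, State.NOT_IN_USE),
    (State.UNDER_MAINTENANCE, State.IN_USE),
    (State.UNDER_MAINTENANCE, State.NOT_IN_USE),
}


class PolicyError(Exception):
    """A state or status change that the inspection policy does not allow."""


@dataclass
class Device:
    device_id: str
    state: State = State.IN_USE
    status: Status = Status.NORMAL
    maintenance_ticket: Optional[str] = None   # set only while Under Maintenance
    last_inspected: Optional[datetime] = None
    flagged_at: Optional[datetime] = None      # when marked Suspected Compromised


def change_state(device: Device, new_state: State,
                 inspected_at: Optional[datetime] = None,
                 ticket: Optional[str] = None) -> Device:
    """Move a device between states, refusing transitions whose inspection is missing."""
    if (device.state, new_state) in INSPECTION_REQUIRED and inspected_at is None:
        raise PolicyError(f"{device.device_id}: {device.state.value} -> "
                          f"{new_state.value} requires an inspection first")
    if new_state is State.UNDER_MAINTENANCE and ticket is None:
        raise PolicyError(f"{device.device_id}: maintenance needs a ticket reference")
    if inspected_at is not None:
        device.last_inspected = inspected_at
    device.maintenance_ticket = ticket if new_state is State.UNDER_MAINTENANCE else None
    device.state = new_state
    return device


def verify_maintenance_claim(inventory: Dict[str, Device],
                             device_id: str, ticket: str) -> bool:
    """Front-line check: is this exact device really Under Maintenance on this ticket?"""
    device = inventory.get(device_id)
    return (device is not None and device.state is State.UNDER_MAINTENANCE
            and device.maintenance_ticket == ticket)


def flag_suspected(device: Device, at: datetime) -> Device:
    """A non-expert inspector records a suspicious finding for expert review."""
    if device.status is Status.NORMAL:
        device.status, device.flagged_at = Status.SUSPECTED, at
    return device


def resolve_suspicion(device: Device, confirmed: bool, at: datetime) -> Device:
    """An expert confirms or dismisses the flag. Pulling a confirmed device out of
    service is a policy choice assumed here; the post leaves it to the fraud policy."""
    if device.status is not Status.SUSPECTED:
        raise PolicyError(f"{device.device_id}: no suspicion to resolve")
    if confirmed:
        device.status = Status.CONFIRMED
        if device.state is State.IN_USE:
            change_state(device, State.NOT_IN_USE, inspected_at=at)
    else:
        device.status, device.flagged_at = Status.NORMAL, None
    return device


def overdue_suspicions(inventory: Dict[str, Device], now: datetime,
                       response_window: timedelta) -> List[str]:
    """Devices still Suspected Compromised for longer than the policy's response time."""
    return sorted(d.device_id for d in inventory.values()
                  if d.status is Status.SUSPECTED and d.flagged_at is not None
                  and now - d.flagged_at > response_window)


def demo() -> dict:
    """Walk two constructed devices through the lifecycle and return checkable results."""
    t0 = datetime(2015, 6, 1, 9, 0)
    inv = {"POS-0001": Device("POS-0001", state=State.NOT_IN_USE),  # spare in the back room
           "POS-0002": Device("POS-0002")}                           # live on a lane
    out = {}
    try:                                   # deploying a spare without inspecting it
        change_state(inv["POS-0001"], State.IN_USE)
        out["uninspected_deploy_blocked"] = False
    except PolicyError:
        out["uninspected_deploy_blocked"] = True
    change_state(inv["POS-0001"], State.IN_USE, inspected_at=t0)
    # A technician quotes ticket TCK-42 (constructed id) for POS-0002.
    change_state(inv["POS-0002"], State.UNDER_MAINTENANCE, ticket="TCK-42")
    out["ticket_matches"] = verify_maintenance_claim(inv, "POS-0002", "TCK-42")
    out["ticket_wrong_device"] = verify_maintenance_claim(inv, "POS-0001", "TCK-42")
    change_state(inv["POS-0002"], State.IN_USE, inspected_at=t0 + timedelta(days=1))
    # A cashier flags POS-0001; 30 hours later nobody has looked (24h window assumed).
    flag_suspected(inv["POS-0001"], t0 + timedelta(days=2))
    out["overdue"] = overdue_suspicions(inv, t0 + timedelta(days=2, hours=30), timedelta(hours=24))
    resolve_suspicion(inv["POS-0001"], confirmed=True, at=t0 + timedelta(days=3))
    out["confirmed_state"] = inv["POS-0001"].state.value
    return out
```

Running `demo()` shows the policy in action: the uninspected deployment is refused, the ticket check passes only for the device that is actually Under Maintenance, the stale flag shows up in the overdue list, and confirming it takes the device out of service. The `verify_maintenance_claim` lookup is the "easy mechanism" the post asks for: one inventory query, no call to the help desk.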

What can Goldilocks teach us about inspections?

You remember the tale of Goldilocks, don't you?

A young girl, Goldilocks, is skipping along her merry way and stumbles upon a house in the woods. She knocks, gets no answer, and decides to check out what's inside.

While sneaking about, our cute little trespasser heads into the kitchen and finds some porridge waiting. Wouldn't you know it, with all that skipping in the woods Goldilocks worked up an appetite.

She tries the first bowl, but it's too hot. Well, on to the second bowl. It turns out to be too cold. Undeterred, Goldilocks tries the third bowl - just right!

The story goes through a few iterations of this process with chairs (too big - too small - just right!) and beds (too hard - too soft - just right!), as well. The bears return, find her, and she makes it out through the nearest window and off into the night.

The lesson
What does this have to do with credit card terminal inspection?

The lesson to learn is about balance.

Physical inspection of credit card terminals is a time-consuming task. If we spend too much time, it's a waste of resources (too hot!). But if we spend too little time, we expose our organization to undue risk (too cold!). The ideal scenario is to find the point at which the level of effort matches the risk of attack (just right!).

How to find the right mix
To find this sweet spot where risk and effort are balanced, we need to address the following:

  1. Assess the risk of attack
  2. Select an inspection period that correlates to that risk
  3. Inspect only the assets that are appropriate

Assessing risk
Since skimming, tampering, and substitution are all physical acts, they are by their very nature geographical. Therefore, it is reasonable to assume that devices that are close together (within the same store, for example) all carry a similar risk.

This is what the PCI SSC suggests in "Skimming Prevention: Best Practices for Merchants". Appendix A of the document is an assessment of location risk which provides a high, medium, or low risk rating based on a number of questions about the location.

This assessment should be done at each of our locations (different geography, potentially different risk). While this may seem like a huge investment of time initially, it will pay off in the end by ensuring we aren't over (or under) inspecting.

Selecting an inspection period
Once we have an idea of the risk at our locations, how do we figure out what the right period is for that risk?

Both Coalfire Systems and HALOCK Security Labs, each in their own white paper on the requirement (each available here), provide the guidance that appropriate inspection periods are:

  Risk     Frequency
  High     Daily
  Medium   Weekly
  Low      Monthly

There have been customers I've spoken to who decided to inspect at every shift change based on their risk. This is mostly in the fuel sector, which is a major skimming target. Of course, the flexibility to adjust the period where it makes sense is built into the requirement.

Selecting the right asset
While we are conducting inspections, it would make no sense to inspect everything all the time. Just as important as risk is determining the current usage state of the thing being inspected. I'll take a deep dive into this idea next week.

Updating risk
One final word on assessment and risk - at least once each year the location risk should be reviewed and updated if anything has changed that would affect the risk rating.
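The steps above (assess location risk, pick the period for that risk, inspect only the devices that are in use, and review risk at least yearly) can be run as a script over a device inventory. The Python below is an added example, not SpotSkim code and not the PCI SSC questionnaire: the assessment questions, their weights and the score thresholds are constructed stand-ins for Appendix A, while the daily/weekly/monthly periods come from the table above. Locations, device ids and dates are sample values.

```python
from datetime import date, timedelta
from typing import Dict, List

# Inspection period for each location risk rating (the Coalfire/HALOCK guidance above).
PERIOD_DAYS = {"high": 1, "medium": 7, "low": 30}
RISK_REVIEW_DAYS = 365   # location risk is re-assessed at least once a year

# Stand-in for the PCI SSC Appendix A location assessment. The questions and
# weights are constructed for this example; use the Council's actual questionnaire.
QUESTION_WEIGHTS = {
    "unattended_terminals": 3,       # fuel pumps, kiosks
    "open_24h": 2,
    "prior_skimming_incident": 3,
    "low_staff_line_of_sight": 2,
    "high_transaction_volume": 1,
}


def rate_location(answers: Dict[str, bool]) -> str:
    """Map yes/no answers to high/medium/low. The thresholds are constructed."""
    score = sum(w for q, w in QUESTION_WEIGHTS.items() if answers.get(q, False))
    if score >= 5:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


def next_due(last_inspected: date, risk: str) -> date:
    """Date on which the next cadence inspection falls for this risk rating."""
    return last_inspected + timedelta(days=PERIOD_DAYS[risk])


def due_inspections(devices: List[dict], locations: Dict[str, dict], today: date) -> List[str]:
    """Ids of in-use devices whose inspection is due. Spares in storage are
    inspected when they change state, not on the cadence, so they are skipped."""
    due = []
    for d in devices:
        if d["state"] != "in_use":
            continue
        risk = locations[d["location"]]["risk"]
        if d["last_inspected"] is None or today >= next_due(d["last_inspected"], risk):
            due.append(d["id"])
    return sorted(due)


def risk_reviews_due(locations: Dict[str, dict], today: date) -> List[str]:
    """Locations whose annual risk review has lapsed."""
    return sorted(name for name, loc in locations.items()
                  if today - loc["assessed_on"] >= timedelta(days=RISK_REVIEW_DAYS))


def demo() -> dict:
    """Constructed locations and devices; returns what is due on one sample day."""
    today = date(2016, 3, 15)
    locations = {
        "fuel-17": {"assessed_on": date(2015, 2, 1),
                    "answers": {"unattended_terminals": True, "open_24h": True}},
        "store-12": {"assessed_on": date(2015, 9, 1),
                     "answers": {"high_transaction_volume": True, "low_staff_line_of_sight": True}},
        "office-1": {"assessed_on": date(2016, 1, 10), "answers": {}},
    }
    for loc in locations.values():
        loc["risk"] = rate_location(loc["answers"])
    devices = [
        {"id": "PUMP-1", "location": "fuel-17", "state": "in_use", "last_inspected": date(2016, 3, 14)},
        {"id": "PUMP-2", "location": "fuel-17", "state": "in_use", "last_inspected": date(2016, 3, 15)},
        {"id": "POS-A", "location": "store-12", "state": "in_use", "last_inspected": date(2016, 3, 8)},
        {"id": "POS-B", "location": "store-12", "state": "in_use", "last_inspected": date(2016, 3, 10)},
        {"id": "POS-SPARE", "location": "store-12", "state": "not_in_use", "last_inspected": None},
        {"id": "POS-OFF", "location": "office-1", "state": "in_use", "last_inspected": date(2016, 2, 1)},
    ]
    return {"risk": {k: v["risk"] for k, v in locations.items()},
            "due": due_inspections(devices, locations, today),
            "risk_reviews": risk_reviews_due(locations, today)}
```

On the sample day the fuel site rates high and its pump inspected yesterday is due again, the medium-risk store has one lane a week out, the low-risk office terminal is overdue on its monthly check, and the spare in storage is correctly left alone. The fuel site's assessment is also more than a year old, so it shows up for review.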

By taking the time to thoughtfully assess our risk and take appropriate action based on that assessment, we save time, effort, and money, while ensuring the appropriate level of security throughout our organization.

Not too hot, and not too cold, but just right.

Who should be doing your inspections?

When talking to potential customers about PCI DSS requirement 9.9, one of the areas I consistently hear merchants struggle with is the question of who should actually be doing these inspections.

Usually, the suggestion will be made that their security staff, or maybe the manager at each retail location, should inspect. At first glance both seem like good options. However, the security team is small (relative to the larger organization) and their time is extraordinarily valuable. Location managers already have a huge daily task list and like the security experts, their time is expensive.

So who is the right person?
The right person is the one that is standing in front of the device day in and day out (or that services it, if it's an unattended terminal). The associate, or cashier, or clerk, or attendant, or whatever name the role holds in your organization.

Why?
There are several reasons:

  • Availability - There is likely somewhere close to a 1:1 ratio (or one-to-a-few) of these employees to the devices that need to be inspected
  • Awareness - These employees are the most likely to know what the device looks like (they work with it the most) and notice if something looks funny
  • Cost - It's pretty likely that their time is much less expensive than your security team or the managers

But wait, they don't have any security experience. Maybe they are only seasonal workers. Maybe they are forgetful and can't remember to inspect. All valid points. And none of them matter with the right tools.

Leverage technology
Have you seen the stats for YouTube recently? They are HUGE.

Three hundred hours of video are uploaded per minute. One billion total users on the platform. Four billion video views per day. Six billion hours of video watched per month.

Not too long ago (YouTube has been around for 10 years this year), video production and distribution were closed to the average person. You needed expensive, professional grade equipment and years of experience to produce and edit even a short live video. Fast-forward to today; all the tools you need to create a video are cheap (or free) and distribution is as easy as uploading the file to YouTube for the world to see.

Technology and information availability have forever changed the nature of the video business, making it simple and available to everyone.

Why does that matter for device inspection?
The state of technology today allows us to make information readily available and at the same time control the process.

Our SpotSkim solution, as an example, combines an app that guides and validates the inspection process with a web portal for management of the entire device environment as well as reporting.

This makes it possible for consistent, effective inspections to take place no matter who is inspecting.

Time's up (plus - what makes a "good" inspection?)

It’s here. Starting today, the Payment Card Industry (PCI) Data Security Standard (DSS) requirement 9.9 is no longer a best practice.

This means any PCI DSS 3.0 or 3.1 Reports on Compliance (ROCs) or Self-Assessment Questionnaires (SAQs) versions B, B-IP, C, D, and P2PE-HW submitted today and moving forward will require that the 9.9 sub-controls be met.

When Verizon published its annual PCI Compliance report this year, they commented:

"...we expect companies to struggle with some of the new subcontrols under 9.9."

One such subcontrol is 9.9.2, which focuses on physical inspection of credit card devices to protect from tampering, substitution, and skimming.

It directs merchants to:

"Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device)."

I wrote last week about why inspection is an important, and effective, tool to fight this kind of attack.

But what makes for a "good" inspection? And by “good” I mean effective at detecting any potential skimming, tampering, or device substitution.

Just a quick glance at a device isn't going to get the job done. In order to be both effective and efficient, we want to collect the same data in the same way with each inspection to capture a snapshot of the device's state at that particular time.

Here is what is needed to enable a good inspection and what should be tracked:

Inspection Meta-Data
Of course, the information about who performed the inspection and when the inspection was conducted are important data points to collect.

Device Information
To ensure we're looking at the right machine, we'll need the device's information from our inventory (required in 9.9.1) including:

  • Unique device ID
  • Make
  • Model
  • Expected location

Reference and In-State Images
To ensure we know what the device is supposed to look like, we'll need pictures of the device where it has been verified as free from tampering (reference images) to which an inspector will compare the current state of the device. These should be images of the actual device being inspected and be readily available at the time of inspection.

Different types of devices, such as countertop terminals versus a kiosk machine, will have different points of attack. Pictures of these vulnerabilities are what we want to show in the reference images and then capture, each time we inspect, to validate there has not been any tampering or substitution of the devices.

As an example, the following would be the set of pictures we would want for a standard countertop terminal:

  • Top of the entire device
  • Bottom of the entire device
  • Cables connecting the terminal to the register
  • Cables coming out of the terminal

Each time an inspection is performed, the device’s current state should be compared to the reference images and then new pictures should be taken.

Device Surroundings
Of course there are other threats, such as remote cameras set up to capture PIN entry, that can't easily be identified with a picture of the device. So a survey of the area immediately surrounding the device should be taken and recorded as well.

The PCI Security Standards Council (SSC) provides a set of example questions for retail merchants in its Skimming Prevention: Best Practices for Merchants, such as:

  • Are all connections to the terminal as described, using the same type and color of cables, and with no loose wires or broken connectors?
  • Is the condition of the ceiling above the terminal the same as described, with no additional marks, fingerprints, or holes?
  • Where surveillance cameras are used, is the total number of cameras in use the same as the number of cameras officially installed?
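Putting the data points above together, an inspection record can be checked automatically both for completeness and for findings that should flag the device. The Python below is an added example, not SpotSkim's code: the countertop photo list is the one from the post, while the kiosk photo list, the inventory entry, the device and inspector ids and the make/model/serial values are constructed; the survey keys paraphrase the three PCI SSC questions quoted above.

```python
from typing import Dict, List

# Reference photo set per device type. The countertop list is the post's; the
# kiosk list is a constructed example of how another type's attack points differ.
REQUIRED_PHOTOS = {
    "countertop": ["top", "bottom", "cables_to_register", "cables_from_terminal"],
    "kiosk": ["card_slot", "pin_pad", "enclosure_seams", "cable_entry"],
}

# Surroundings survey; each key paraphrases one of the PCI SSC example questions.
SURROUNDINGS_QUESTIONS = [
    "connections_match_description",
    "ceiling_unchanged",
    "camera_count_matches_installed",
]

# Constructed 9.9.1-style inventory: what the device at this location should be.
INVENTORY = {
    "POS-0007": {"type": "countertop", "make": "AcmePay", "model": "CT-200",
                 "serial": "SN-CT200-0007", "location": "Store 12 / Lane 3"},
}


def validate_inspection(record: dict, inventory: Dict[str, dict]) -> dict:
    """Classify an inspection as normal, incomplete, or suspected_compromised."""
    missing: List[str] = []      # data the inspector failed to capture
    suspicious: List[str] = []   # findings an expert must confirm or dismiss
    for field in ("inspector", "performed_at", "device_id"):
        if not record.get(field):
            missing.append(f"metadata: {field}")
    dev = inventory.get(record.get("device_id"))
    observed = record.get("observed", {})
    required: List[str] = []
    if dev is None:
        suspicious.append("device id not in inventory")
    else:
        # Identity check against inventory: any mismatch points at substitution.
        for key in ("make", "model", "serial", "location"):
            if observed.get(key) != dev[key]:
                suspicious.append(f"{key} mismatch: expected {dev[key]!r}, observed {observed.get(key)!r}")
        required = REQUIRED_PHOTOS[dev["type"]]
    photos = record.get("photos", {})
    for name in required:
        shot = photos.get(name)
        if shot is None or not shot.get("taken"):
            missing.append(f"photo: {name}")
        elif not shot.get("matches_reference", False):
            suspicious.append(f"photo {name} differs from reference image")
    for q in SURROUNDINGS_QUESTIONS:
        answer = record.get("surroundings", {}).get(q)
        if answer is None:
            missing.append(f"survey: {q}")
        elif answer is False:
            suspicious.append(f"survey: {q} answered no")
    if suspicious:
        status = "suspected_compromised"
    elif missing:
        status = "incomplete"
    else:
        status = "normal"
    return {"status": status, "missing": missing, "suspicious": suspicious}


def demo() -> dict:
    """Three constructed inspections of POS-0007: clean, swapped device, rushed."""
    base_photos = {n: {"taken": True, "matches_reference": True}
                   for n in REQUIRED_PHOTOS["countertop"]}
    survey_ok = {q: True for q in SURROUNDINGS_QUESTIONS}
    clean = {"inspector": "clerk-a", "performed_at": "2015-07-01T08:55", "device_id": "POS-0007",
             "observed": dict(INVENTORY["POS-0007"]), "photos": base_photos, "surroundings": survey_ok}
    # Serial on the unit differs, the register cable photo no longer matches, and
    # there is one camera more than was installed: a ghost-terminal pattern.
    swapped = dict(clean,
                   observed=dict(INVENTORY["POS-0007"], serial="SN-CT200-0913"),
                   photos=dict(base_photos, cables_to_register={"taken": True, "matches_reference": False}),
                   surroundings=dict(survey_ok, camera_count_matches_installed=False))
    # Inspector skipped the underside photo: nothing suspicious, but not a complete inspection.
    rushed = dict(clean, photos={k: v for k, v in base_photos.items() if k != "bottom"})
    return {name: validate_inspection(r, INVENTORY)
            for name, r in (("clean", clean), ("swapped", swapped), ("rushed", rushed))}
```

The ordering of the verdict matters: any suspicious finding wins over mere incompleteness, so a swapped terminal is escalated for expert review even when the inspector also forgot a photo, while a merely rushed inspection is sent back to be redone rather than silently counted as a pass.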

In addition to simply performing the inspections, there's another level to managing the inspections and the process (retaining these records, reviewing potential problems, and reporting for your QSA or SAQ come assessment time) that I'll address in a future post.

Our SpotSkim solution was built from the ground up to help merchants simply and quickly tackle this requirement. You can contact us for more information or a demo to see how it could work for your organization.

I'll be continuing this series next week with an article discussing who are the right people to perform these inspections. And it's probably not who first comes to mind.

Why Is Physical Inspection Important?

Skimmers in France make off with €3.2 million.

The Florida Department of Agriculture finds 103 skimmers on gas pumps throughout the state.

Every day more banks and ATM networks (in the US and abroad) are reporting skimmers found on their machines.

On June 30 (less than a week from when this is being written), the Payment Card Industry (PCI) Data Security Standard (DSS) requirement 9.9 moves from a best practice to a full component of the standard. This new requirement mandates the periodic physical inspection of all credit card devices (points-of-interaction in PCI speak) in a merchant's environment, with the intent to help merchants combat skimming.

For those who have to deal with this change, you may be wondering, "Isn't the EMV rollout scheduled for the fall going to solve the problem?"

Undoubtedly, EMV (also called "chip-and-PIN" or "chip-and-signature" cards) is a more secure technology than plain magnetic stripe cards. Unfortunately, even if every merchant and financial institution were ready for the October deadline (and the signs indicate they won't be), consider that France has been 100% EMV for ten years, and one of the biggest skimming thefts so far this year happened there less than three months ago.

What EMV won't protect against is the wholesale swapping out of card terminals for "ghost terminals" like in France. Ghost terminals are devices that look real, but only capture card data for skimmers when a card is swiped or dipped. Good physical inspection practices on the devices, however, will protect against this. If the taxi drivers or convenience store clerks had been required to validate that the devices they were using were actually the ones that were supposed to be there, this scheme would have been stopped right away.

Gas pump skimmers are very similar. While security cameras are great at helping track down perpetrators, someone has to be watching at just the right time to catch the thieves in the act. Regular, consistent inspections of each pump, however, where a staff member physically checks that the device is free from tampering (serialized anti-tamper stickers and tape help considerably here), guard against any malicious manipulation of your terminals/pumps/readers and help to readily expose skimming devices.

And what about ATMs? The skimming devices used there are understated and made to look like a normal part of the ATM. Yet regular physical inspection with the proper reference images (showing the ATM in a state free from tampering or substitution) makes it possible to distinguish even the subtlest changes to the ATM's physical appearance.

The fact of the matter is that skimming is an activity that is on the rise. It's relatively easy and low risk for the thieves. Devices are cheap and simple to install.

The solution is clear. The only reliable way to combat this activity is by physically inspecting your devices, which is what PCI DSS 9.9 is mandating.

Are you ready to start inspecting?

We've built a tool, SpotSkim, specifically to make credit card device inspections effective, manageable, and reportable - whether you have one device or one hundred thousand. Using SpotSkim will help you ensure that you're compliant with PCI DSS requirement 9.9 and the inspections you're doing are actually protecting your assets.

To learn more, click here or contact us today.

The banner image above was taken by Mighty Travels and is being used under CC 2.0.

In Case You Missed The Webinar

Last week, our founder Vasu Nagendra co-hosted a webinar with Coalfire's Matt Getzelman on what requirement 9.9 means for merchants. Matt discussed what the requirement means from a QSA perspective and Vasu shared his expertise on what a "good" inspection is and other considerations.

With time running out to plan for and implement policies and procedures around this new section of the DSS, interest was very high. We had over 120 attendees across all merchant types, as well as organizations who support merchants.

In addition to some great questions and discussion, Edward Smith from the University of Pennsylvania was our lucky winner of the Kindle Fire giveaway.

Here's what some of the attendees had to say about the session:

  • I found the webinar VERY informative. I did not know the level of detail needed for 9.9. I was very surprised.
  • Very informative. I'm so glad I joined.
  • Great and practical information. Slides were well organized. The speakers were prepared and knowledgeable
  • Good explanation. I'll be interested in sharing the slides and recording with others.

If you weren't able to attend, you can access the recording of the webinar, along with the slide deck, by completing the form below.

Easy €3.2 Million! Who doesn't want that?

Yesterday's incredible story from France! A card skimming gang stole 3M euros using ghost PoS terminals.

In my mind here are the highlights of the story:

  • The POS Terminals that were ghosted were in public
  • Certainly the POS Terminals were not working, which makes it slightly interesting
  • What's incredible about this is that (at least according to the story) it's just 12 humans - that's it! So, the average rate of return per human involved in the crime (assuming it took 6 months of effort) works out as follows:
    • 12 humans, 6 months, $3MM (nice round numbers, for the sake of simplicity)
    • $250,000 in 6 months!
    • Calculating it out for a regular salaried job; $500K/year
    • Oh, did I mention, this is net, it's unlikely they were paying taxes on it
    • So assuming regular US W2 income, that's well over $750K/year

I know what you are thinking, "Let's do EMV." Mind you EMV has been in Europe for close to a decade. This is not an EMV problem, let's not go there.

The point of the analysis:

  • Incredibly lucrative business! Who wouldn't want to get in on that action?
  • Let's please not ignore the fact that these guys all ended up in prison in the end!
  • So, big bold disclaimer, if it wasn't incredibly obvious: this is illegal, don't try it! We don't encourage/endorse this.

However, taking a page from one of my favorite books, Freakonomics: there is a tremendous incentive for someone committing this crime. Put this in a Freakonomics perspective...

A drug dealer boss in Chicago makes about $250K. They need to endure constant threats to their lives from rival gangs and fend off people from their organization trying to climb up the ladder.

I highly doubt that the scenario exists here.

Inherently, I believe POS/ATM skimming crimes are easy. Yes there is sophistication with the recent 3D printers and such, but in the end, there is a huge advantage for the attacker...

Information Asymmetry

In normal life, this plays out every time you visit a mechanic. Consider going in for an oil change. You leave your car there, and wait in the "waiting room". The mechanic looks at the car, comes back and says "you need to replace your water pump and your timing belt/chain. It is in pretty bad shape, you really need to do it today." Unless you happen to be an expert mechanic, you have two disadvantages...

  • You really need to get out of there, so you need the car back
  • You have no way of validating the mechanic's claims.

Typically you overcome this disadvantage with a second opinion. Same applies there, but you get my point...

In the context of skimmers this plays out with consumers.

  • A consumer walking up to an ATM has absolutely no way of knowing if there is a skimmer on it at all.
  • Same for taxicabs which apparently were targeted as part of this attack and discount stores. That's unbelievable!

What can you do about it as an organization?

Sorry to say, there is no easy button. You have to get into the habit of inspecting your terminals regularly!
We have a product that can make this process easy. You can think about reducing the costs of your inspection by making it easy, reducing the expertise required etc., but...at the end of the day, you still have to do it.

PCI DSS addressed this exact responsibility in the form of requirement 9.9. If you don't know what that requirement is, or have questions, feel free to contact us. If you are unclear about the requirement, our friends at Coalfire are doing a webinar (in which I will be participating and presenting some of this information). Register for it here.

What can you do about this as a consumer?

Not much really at this point. You can be thankful for where you live. I know of many folks in different countries who have lost their entire life savings to a skimming attack. That's because banks in those countries are not responsible for the loss! If you live in the US or Europe, luckily for you, the bank will eventually refund your money.

Header image photo credit to aranjuez1404 used under CC 2.0.