It’s here. Starting today, the Payment Card Industry (PCI) Data Security Standard (DSS) requirement 9.9 is no longer a best practice.
This means any PCI DSS 3.0 or 3.1 Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ) of type B, B-IP, C, D, or P2PE-HW submitted today or later must show that the 9.9 sub-controls are met.
When Verizon published its annual PCI Compliance report this year, they commented:
"...we expect companies to struggle with some of the new subcontrols under 9.9."
One such subcontrol is 9.9.2, which focuses on physical inspection of payment card devices to protect against tampering, substitution, and skimming.
It directs merchants to:
"Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device)."
I wrote last week about why inspection is an important, and effective, tool to fight this kind of attack.
But what makes for a "good" inspection? By "good" I mean effective at detecting any potential skimming, tampering, or device substitution.
A quick glance at a device isn't going to get the job done. To be both effective and efficient, we want to collect the same data in the same way with each inspection, so that every inspection captures a comparable snapshot of the device's state at that particular time.
Here is what is needed to enable a good inspection and what should be tracked:
Of course, who performed the inspection and when it was conducted are the first data points to record.
To ensure we're looking at the right machine, we'll need the device's information from our inventory (required by 9.9.1), including:
- Unique device ID
- Expected location
Reference and In-State Images
To ensure we know what the device is supposed to look like, we'll need pictures of the device taken when it was verified as free from tampering (reference images), against which an inspector compares the current state of the device. These should be images of the actual device being inspected, not a stock photo of the model, and they should be readily available at the time of inspection.
Different types of devices, such as a countertop terminal versus a kiosk, have different points of attack (seams, card slots, PIN pads, cable connections). Those attack points are what the reference images should show, and what we capture again at each inspection to validate that there has not been any tampering with or substitution of the device.
As an example, the following would be the set of pictures we would want for a standard countertop terminal:
- Top of the entire device
- Bottom of the entire device
- Cables connecting the terminal to the register
- Cables coming out of the terminal
Each time an inspection is performed, the device's current state should be compared to the reference images, and then new pictures should be taken and retained as the record of that inspection.
Of course there are other threats, such as remote cameras set up to capture PIN entry, that can't easily be identified from a picture of the device itself. So a survey of the area immediately surrounding the device should be taken and recorded as well.
The PCI Security Standards Council (SSC) provides a set of example questions for retail merchants in its Skimming Prevention: Best Practices for Merchants guidance, such as:
- Are all connections to the terminal as described, using the same type and color of cables, and with no loose wires or broken connectors?
- Is the condition of the ceiling above the terminal the same as described, with no additional marks, fingerprints, or holes?
- Where surveillance cameras are used, is the total number of cameras in use the same as the number of cameras officially installed?
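The procedure above (identity checked against the 9.9.1 inventory, the required photo set compared to reference images, and a survey of the surroundings) can be captured as one structured record per inspection, so every inspection collects the same fields and anything that needs escalation is flagged the same way. The following Python is an added example written for this post; it is not code from the original article or from SpotSkim. The inventory entry, device ID, serial number, inspector name and image bytes are constructed, and the survey keys are a hypothetical encoding of three of the PCI SSC questions listed above.

```python
"""Structured record and checks for a PCI DSS 9.9.2 terminal inspection.

Added example, not from the original post. All inventory data, identifiers
and image bytes are constructed stand-ins.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib

# Photo views required for a countertop terminal (the post's list).
REQUIRED_VIEWS = ("top", "bottom", "cables_to_register", "cables_from_terminal")

# Hypothetical keys for three of the PCI SSC surroundings-survey questions.
SURVEY_QUESTIONS = ("connections_as_described", "ceiling_unchanged", "camera_count_matches")

# Constructed 9.9.1 inventory: device ID -> expected serial and location.
INVENTORY = {
    "TERM-0001": {"serial": "SN-123456", "expected_location": "Register 3"},
}


@dataclass
class ViewCheck:
    image: bytes             # new photo taken at this inspection (constructed bytes)
    matches_reference: bool  # inspector's judgement against the reference image


@dataclass
class Inspection:
    device_id: str
    inspector: str
    inspected_at: datetime
    observed_serial: str
    observed_location: str
    views: dict   # view name -> ViewCheck
    survey: dict  # survey question key -> bool (True means "as expected")


def evaluate(insp, inventory):
    """Return (record, findings). An empty findings list means nothing to escalate.

    The record is the retained evidence: who, when, what was observed, and a
    SHA-256 of every new photo so the stored images can later be shown to be
    the ones taken at this inspection.
    """
    findings = []
    device = inventory.get(insp.device_id)
    if device is None:
        return None, [f"{insp.device_id}: not in inventory"]

    # Substitution checks: identity and placement against the inventory.
    if insp.observed_serial != device["serial"]:
        findings.append(f"serial mismatch: expected {device['serial']}, "
                        f"found {insp.observed_serial} (possible substitution)")
    if insp.observed_location != device["expected_location"]:
        findings.append(f"location mismatch: expected {device['expected_location']}, "
                        f"found {insp.observed_location}")

    # Tampering checks: every required view photographed and judged against its reference.
    for view in REQUIRED_VIEWS:
        check = insp.views.get(view)
        if check is None:
            findings.append(f"missing photo: {view}")
        elif not check.matches_reference:
            findings.append(f"{view}: differs from reference image (possible tampering)")

    # Surroundings survey: any "no" or unanswered question is escalated.
    for question in SURVEY_QUESTIONS:
        if not insp.survey.get(question, False):
            findings.append(f"survey: {question} answered no or missing")

    record = {
        "device_id": insp.device_id,
        "inspector": insp.inspector,
        "inspected_at": insp.inspected_at.isoformat(),
        "observed_serial": insp.observed_serial,
        "observed_location": insp.observed_location,
        "image_sha256": {v: hashlib.sha256(c.image).hexdigest() for v, c in insp.views.items()},
        "survey": dict(insp.survey),
        "findings": list(findings),
    }
    return record, findings


def sample_clean_inspection():
    """Constructed inspection where everything matches the inventory and references."""
    photo = lambda name: name.encode() + b"-jpeg-bytes"  # stand-in for real image data
    return Inspection(
        device_id="TERM-0001",
        inspector="a.clerk",
        inspected_at=datetime(2015, 7, 1, 9, 0, tzinfo=timezone.utc),
        observed_serial="SN-123456",
        observed_location="Register 3",
        views={v: ViewCheck(photo(v), True) for v in REQUIRED_VIEWS},
        survey={q: True for q in SURVEY_QUESTIONS},
    )


def sample_suspicious_inspection():
    """Constructed inspection showing substitution, tampering, a skipped photo and a survey miss."""
    insp = sample_clean_inspection()
    insp.observed_serial = "SN-999999"              # serial no longer matches inventory
    insp.views["bottom"].matches_reference = False  # underside differs from reference
    del insp.views["cables_from_terminal"]          # inspector skipped a required view
    insp.survey["camera_count_matches"] = False     # an extra camera was noticed
    return insp


if __name__ == "__main__":
    for insp in (sample_clean_inspection(), sample_suspicious_inspection()):
        record, findings = evaluate(insp, INVENTORY)
        print(record["device_id"], record["inspected_at"], findings or "no findings")
```

The inspector's visual judgement per view is recorded explicitly rather than inferred by hashing the photos, because two photographs of the same untouched device will never have the same bytes; the hash is kept only to tie the retained image files to the inspection record.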
Beyond performing the inspections, there's another layer to managing them and the process around them (retaining these records, reviewing potential problems, and reporting to your QSA or in your SAQ come assessment time) that I'll address in a future post.
Our SpotSkim solution was built from the ground up to help merchants simply and quickly tackle this requirement. You can contact us for more information or a demo to see how it could work for your organization.
I'll be continuing this series next week with an article discussing who the right people are to perform these inspections. And it's probably not who first comes to mind.