
I’m Dreaming of a White(paper) Christmas

Christmas came a little bit early this year. Last Friday, our friends over at Coalfire published an excellent whitepaper titled “Complying with PCI-DSS Requirement 9.9 - A Qualified Security Assessor’s Perspective” that is a thought-provoking and practical look at the implications the requirement will have on merchants.

If you're not aware of it yet, requirement 9 covers physical security of the point-of-sale (POS) terminals in a merchant environment. Requirement 9.9 is brand new and deals explicitly with the prevention of POS device tampering or substitution.

Collectively called “skimming,” these attacks are on the rise and can be easy to miss until it’s too late. They are far less likely to slip by, though, if you have a good process and procedures in place for inspecting your devices regularly and consistently.

So between sips of eggnog and the “It’s a Wonderful Life” reruns (or my personal favorite, “A Christmas Story”), take a few minutes to read this short paper; you can get it here.

When the deadline for complying with PCI DSS version 3.0 and all its changes hits on July 1, 2015, you’ll be glad you started thinking about it now.

And from all of us here at Termtegrity, have a safe and joyful holiday season! 

The Dark Knight Is Not Out There Fighting Skimmers


One of the biggest challenges we find when working with prospective users of our solution is getting them to actually commit to action to address their skimming risks.

They know skimming is a problem they face. It’s either happened to them or to other companies in their industry. They read about it every day.

It’s not hard to stop the majority of the attacks out there...

News - Distribution


This week we’re back in Las Vegas attending Transact 14 powered by ETA. We’re exhibiting with our good friends from Sysnet GlobalSolutions, with whom we just announced a worldwide distribution partnership for SpotSkim. We know it’s important to get our product in the hands of as many merchants as we can, and this announcement means that many of them can now get SpotSkim through one of their trusted partners for compliance solutions. If you’re attending, please come by and see us in booth #1006...

Taking Stock


It seems somewhat unnecessary right now to reinforce the fact that cardholder data compromises continue to harm businesses that accept payment cards. You can just open your favorite newspaper or news website.

This week, Verizon released their 2014 PCI Compliance Report. A companion piece to their essential Data Breach Investigation Report (DBIR), this report provides insight drawn from all of the PCI DSS assessments that they completed over the past year...

Know Your Enemy


At many tourist sites, you will often see warnings to protect your valuables against pickpockets. Criminals know that visitors’ attention will be focused on the attraction they came to see and they will be less aware of their surroundings and their personal belongings. This makes them easier targets. Another common tactic used by street criminals is to intentionally distract a potential victim. The victim is “turned” by a loud noise, a spilled drink, or similar distraction, and they momentarily lose awareness of their personal belongings, making them an easier mark...

An Unwelcome Trend

Analyst firm Gartner Group is out with their “Top 10 Strategic Technology Trends for 2014.” One of these is 3D printing, and this is bad news for merchants who need to protect against skimming attacks at the Point of Sale.

If you are not familiar with 3D printing, it is the process of creating a 3D copy of an object from a model. The model can be created using a CAD program or generated from a 3D scan of the object to be reproduced. Gartner expects worldwide shipments of 3D printers to grow 75 percent in 2014 followed by a near doubling of unit shipments in 2015.

So what does this have to do with skimming? 3D printers can make it easier for criminals to create high quality replacement parts to hide skimming devices installed on a point of sale. They can match colors and shapes of the case or housing of a POS device with a great deal of precision. They can create new parts that look like they are part of the factory design.

Community and the sharing of models on sites like MakerBot Thingiverse are a big part of the 3D printing revolution. Unfortunately, criminals are very good at sharing what works in their own underground communities, and will also be able to share models of parts that they have used successfully.

Bad actors almost always find uses for revolutionary new technologies. Thinking about how to mitigate new risks that result is essential. It’s going to be more important than ever to know what your POS looks like in a “known good” state. Fortunately, there’s a solution for that.

Inspiration


The team is back hard at work after the PCI SSC North American Community Meeting. At the meeting, there was plenty of discussion about the new requirement 9.9 in PCI DSS 3.0, which requires point of sale devices to be inspected periodically for tampering. While this is a new requirement in the DSS, there have been similar requirements in the P2PE Solution Requirements since their release last year.

But our main takeaway was inspiration...