On Feb. 1, 2017, 3:56 p.m.
PCI DSS requirement 9.9 - Card Reader (Point of Interaction - POI) Security - Guidance on this clearly ignored requirement
Since 1 July 2015, PCI DSS requirement 9.9 has been mandatory for compliance. The requirement was added to the third revision of the DSS in response to the global threat of Point-of-Interaction (POI) device tampering, substitution, and skimming.
A POI device is any device that comes into physical contact with a consumer’s card. This includes the following generic categories of devices:
| Type of device | Tampering threat |
| --- | --- |
| Credit Card Terminals | Substitution of devices, tampering by attaching wires to the devices |
| Publicly Accessible Kiosks | Overlay devices that look legitimate, especially due to advances in 3-D printing technologies, and attaching skimmers inside the kiosk |
| | Overlay skimming devices, attaching skimmers on the inside of the device through surgical holes drilled in the fascia |
While there are always spectacular exceptions, such as substituted ATMs or 3-D printed credit card terminal faceplates, the current mandate of PCI is to enable a broad range of protections for common threats. Losses from this type of fraud continue to rise, yet are readily preventable through regular inspection of the devices. This section of the DSS requires three key activities:
- Keep an updated inventory of devices (9.9.1),
- Physically inspect POI terminals regularly (9.9.2),
- Provide training to employees on secure handling of devices (9.9.3).
While organisations were given an additional 18 months to plan and implement procedures for compliance, Verizon’s 2015 PCI Compliance Report remarked that they “expect companies to struggle with some of the new sub controls under 9.9.”
As of February 2017, LiquidNexxus' understanding of the situation is as follows (we regularly speak to QSAs, merchants, acquiring banks and processors). Many organisations:
- either fail to meet the requirement,
- loosely meet it by taking a checklist approach, which is completely pointless, or
- try to de-scope the requirement. Scoping gets quite tricky because, especially in the case of POS and ATM machines, the device is often owned or managed by different entities.
With the addition of requirement 9.9 to the DSS, the PCI Security Standards Council (SSC) is advocating that physical inspection is the best form of protection and prevention from tampering, substitution, and skimming attacks.
Regular, consistent inspection of devices, combined with an accurate inventory and frontline staff training, creates an effective defence. Below is an in-depth look at the new requirement, its subsections, and topics for consideration.
PCI DSS 9.9 - PHYSICAL SECURITY OF DEVICES
- Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
“Direct physical interaction” encompasses all the devices used for “card present” transactions. These include standard payment terminals (customer facing or not), ATMs, kiosks, self-service machines, and any other devices with card readers.
9.9.1 - INVENTORY
Maintain an up-to-date list of devices. The list should include the following:
- Make and model of device.
- Location of device (for example, the address of the site or facility where the device is located).
- Device serial number or other method of unique identification.
There are several tracking mechanisms that can be used, including many of the device manufacturer’s management tools, to maintain this inventory.
Organisations should keep in mind that the inventory needs to aid inspection. For example, if a tool took only a logical inventory of the devices and that inventory could not be verified physically, it would be meaningless, as the physical inspectors would not be using that data. The choice of tool does not matter, as long as the inventory is physically verifiable.
The rationale behind this is sound. The logical component protects card data by tying something about the payment device to something in the environment (such as a serial number or a digital signature of the payment terminal). A person, during the inspection process, needs to be able to walk around and confirm that the device the computer “thinks” it is tracking is the same device that is actually, physically there.
9.9.2 - INSPECTION
Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).
The word “periodically” should be understood as “regular” and “consistent.” If devices are not inspected on a set schedule, in the same way each time, inconsistencies across checks could cause important signs of tampering to be missed.
Establishing the correct “period” for inspections
Typically an organisation should use this guidance in combination with its own risk assessment to determine the correct period of inspection. Keep in mind, though, that a risk assessment typically yields risk categories (High Risk, Medium Risk, etc.). It is each organisation's responsibility to organise, plan and implement inspection frequency based on a risk strategy.
Coalfire's "Complying with PCI-DSS Requirement 9.9" white paper provides a baseline recommendation on what a high/medium/low risk should translate into in terms of frequency. Their recommendations are daily for a high-risk location, weekly for a medium risk, and monthly for a low risk.
A particular location or business type may call for adjusting this recommendation. For example, some petrol retailers might choose to inspect at each shift change, since their business type is a well-known target for skimming; another example is ATMs placed in high-risk locations (high-footfall retail locations, areas with higher crime rates, etc.). Regardless of the period selected, an organisation will have to justify to its QSA how, when, why and how frequently inspections take place.
Ensuring inspection consistency
When staff are involved in inspection, ensuring consistency between inspections is paramount; otherwise the likelihood of tampering going undetected increases. There are two paths to creating consistent inspections.
- The first: Utilising highly skilled, trained and security-focused employees who know exactly what to look for and how to go about inspecting devices. Training employees to inspect devices can be both expensive and time consuming, whilst ensuring consistency can be challenging at best.
- The second: Create a template for inspection (an example is provided in Appendix B of the Skimming Prevention document) that walks the inspector through each step and highlights what they need to look for. This allows anyone in your organisation to perform the inspections at any time. If data is collected in the right way around each inspection, then the highly trained security staff can focus on reviewing inspections, if necessary.
Performing physical inspections
- First, the device's unique identifier will need to be checked and recorded (either electronically or manually) to confirm that the device being inspected is the right one.
- Once this is confirmed, the next step is checking for any tampering. Different device types have different points of vulnerability to tampering. For example, an unattended petrol pump would require inspection of the card swipe/dip, the receipt door, the maintenance door, and the PIN pad. An ATM would require inspection of the card reader, PIN pad, and fascia of the device. In the case of POS mag stripe readers or chip-compliant card readers (e.g., mobile integrated card readers), the only point of attack - and thus the only point needing inspection - is the device itself.
It is important to identify and inspect certain specific areas and characteristics that may have been tampered with, such as scratches, pin-holes, peeled stickers, glue residue or other signs of tampering, skimming, or substitution.
Inspecting the surrounding environment
Reviewing the area around the asset, looking for signs that remote cameras have been installed or for unexpected charity boxes or merchandising that could be hiding Bluetooth skimmers, will further ensure the security of your devices.
Recording inspections data
Finally, whether an organisation chooses to use a logbook, an Excel spreadsheet, or another tool, the collection and recording of the data and results of each inspection is critical. At a minimum, organisations should be recording:
- Who inspected the device
- The location of the inspection
- The date and time the inspection occurred
- Confirmation of the asset's unique identifier
- Answers to other device-specific inspection questions such as the environmental considerations and any other concerns
Ultimately, the assessor will be looking for this type of information to prove compliance with the requirement. This information is also very helpful in identifying the source and particular timeframe of an incident, if one ever occurs.
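As an added illustration (not part of the original post, nor any LiquidNexxus tooling), the following Python reconciles a 9.9.1 inventory against 9.9.2 inspection records, flagging devices that are overdue under the Coalfire daily/weekly/monthly baseline, never inspected, reported as tampered, or whose recorded identifier no longer matches the inventory (a substitution indicator). The device names, serials, locations, inspector names and per-device risk tiers are constructed assumptions.

```python
# Added example (not LiquidNexxus' code): reconcile a 9.9.1 inventory with a
# 9.9.2 inspection log, using the Coalfire periods quoted above. Data is constructed.
from collections import namedtuple
from datetime import datetime, timedelta

PERIOD = {"high": timedelta(days=1), "medium": timedelta(weeks=1), "low": timedelta(days=30)}
# 9.9.1 fields (make/model, location, serial) plus an assumed per-device risk tier.
Device = namedtuple("Device", "device_id make_model location serial risk")
# 9.9.2 record: who inspected, where, when, identifier seen, tampering signs found.
Inspection = namedtuple("Inspection", "device_id inspector location when serial_seen tampered")

def review(inventory, log, now):
    """Map device_id -> issues: never inspected, overdue, serial/location
    mismatch (possible substitution) or reported tampering."""
    latest = {}
    for rec in sorted(log, key=lambda r: r.when):
        latest[rec.device_id] = rec          # most recent record per device wins
    issues = {}
    for dev in inventory:
        rec, found = latest.get(dev.device_id), []
        if rec is None:
            found.append("never inspected")
        else:
            if now - rec.when > PERIOD[dev.risk]:
                found.append("overdue")
            if rec.serial_seen != dev.serial:
                found.append("serial mismatch (possible substitution)")
            if rec.location != dev.location:
                found.append("location mismatch")
            if rec.tampered:
                found.append("tampering reported")
        if found:
            issues[dev.device_id] = found
    return issues

# Constructed sample data: four devices, four inspection records.
NOW = datetime(2017, 2, 1, 16, 0)
INVENTORY = [
    Device("T1", "Acme P100", "Store 12, London", "SN-0001", "high"),
    Device("T2", "Acme P100", "Store 12, London", "SN-0002", "low"),
    Device("A1", "Acme ATM-5", "Forecourt 3, Leeds", "SN-9001", "medium"),
    Device("K1", "Acme Kiosk", "Terminal 2, Manchester", "SN-5001", "high"),
]
LOG = [
    Inspection("T1", "j.smith", "Store 12, London", NOW - timedelta(hours=6), "SN-0001", False),
    Inspection("T2", "j.smith", "Store 12, London", NOW - timedelta(days=10), "SN-0002", False),
    Inspection("A1", "a.jones", "Forecourt 3, Leeds", NOW - timedelta(days=9), "SN-9001", False),
    Inspection("A1", "a.jones", "Forecourt 3, Leeds", NOW - timedelta(days=2), "SN-9002", True),
]
```

Running `review(INVENTORY, LOG, NOW)` reports A1 for the serial mismatch and tampering and K1 as never inspected; re-running two days later additionally reports the high-risk terminal T1 as overdue.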
9.9.3 - TRAINING
Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following:
- Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
- Do not install, replace, or return devices without verification.
- Be aware of suspicious behaviour around devices (for example, attempts by unknown persons to unplug or open devices).
- Report suspicious behaviour and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).
This sub-requirement presents several points worthy of consideration:
- In order to provide training to employees, a formal policy is needed
- The formal policy isn't just written down, but is also disseminated to all the relevant employees
- In this case, the front line employees
- Bundling this into Standard Operating Procedures is a great tactic to start
When an organisation is thinking about creating policy and training, each will need to cover scenarios such as:
- Will front line employees be asked to check the ID of the person who shows up to work on a device or should they call a manager?
- How does the manager know whether or not the maintenance person is supposed to be there? If he/she doesn’t know, who do they call to check?
- What does "suspicious behaviour" mean?
- What is the mechanism for employees to report this suspicious behaviour?
- What are the review and actions based on these reported incidents?
- Who is responsible, and accountable for them?
For this requirement, simply ensuring that security staff are aware is not adequate. For the policies to be effective and compliant, each person tasked with inspection, or who works in a location where POS devices are used, needs to have read and acknowledged the policy and to have been trained on how to implement it.
Organisations should also ensure that the policy describes what is actually implemented, and not the other way around. It is one thing to have a policy, but if during an assessment the reality (evidence) does not match the policy, assessors should not accept this requirement as compliant (as with all other PCI DSS requirements).
There are several ways to accomplish this sub-requirement:
If there is a pre-existing training programme around PCI compliance and a procedure for updating its content, creating and adding a section on requirement 9.9 should suffice. However, this requirement is a lot more specific in its training demands than generic PCI awareness, so special attention should be paid to taking a practical approach to training and to verifying that staff not only agree to the terms but understand the actions and responsibilities they have in this regard.
There are tools that facilitate policy creation, implementation, inspection processes, training, audit trails and centralised reporting.
Once the policy and training have been created and rolled out, the testing procedure for a QSA is to review both and ensure they include everything stated in the requirement. Once they validate this to be the case, the QSA will select a sample of employees to interview to ensure they follow the policy and procedures found in the training.
Tracking and being able to report on when employees were presented with the policy and training will make this process much easier.
- As the size of an organisation or ATM network grows, the complexity and cost of device inspection rise in parallel.
- On average, a traditional or manual inspection could take up to five minutes.
- Relying on employees' often subjective judgement may lead to inspection inconsistency.
- Keeping track of inspections across multiple locations and devices, and maintaining a historical centralised log, is an incredibly challenging task for organisations with thousands of devices and device types.
It is imperative for large organisations to ensure that:
- All their ATMs have an inspection period that is pre-determined and risk-based according to the overall risk strategy.
- Staff to conduct the inspections are identified and in place.
Any increase in efficiency, whether it decreases the time an inspection takes or makes data collection and management easier, creates large cost savings.
Management oversight of the efficacy of each inspection is critical as well. Having a view into what is happening while it happens, and being able to confirm that each inspection is performed correctly, allows the organisation to verify that the process is being followed and that the actions taken are sufficient to ensure a solid defence.
Just as criminals are taking advantage of new technology to lower their costs and increase their efficiency, so should retail and banking organisations.
For more information and/or guidance on complying with Requirement 9.9, please contact us.
LiquidNexxus Limited - Barkat House, 116-118 Finchley Road, London NW3 5HT, United Kingdom
London:+44 20 33229095
Sao Paulo:+55 3139560606
Mexico City:+52 8141707161