For those merchants that are taking payments using Point of Interaction (POI) devices (aka “terminals”) to process cards either in person or for mail orders/telephone orders, one of the most important requirements for protecting cardholder data is actually the physical security of those devices.
If devices are not secured, criminals may be able to gain unauthorized access to cardholder data by either stealing, manipulating, or swapping out the terminals with others that have malicious software installed. Attackers may also place skimming devices or components that capture the payment card information on the POI devices. If this occurs, the payment transaction still completes but the information is also sent to the hacker and can then be used to make fraudulent payments.
What we used to know as Requirement 9.9 has been renumbered to Requirement 9.5 in the latest PCI DSS version 4.0 (unfortunate for everyone that memorized the requirement numbers!).
Requirement 9.5.1 requires that POI devices are protected from tampering and unauthorized substitution. This process must include the following:
- Maintaining a list of POI devices.
- Periodically inspecting POI devices to look for tampering or unauthorized substitution.
- Training personnel to be aware of suspicious behavior, verifying the identity of personnel before granting access to devices, and to report tampering or unauthorized substitution of devices.
If you have not done so already, verify that your documented processes include procedures for inspecting devices. CampusGuard recommends that the overall PCI policy for the organization includes a high level requirement for recurring inspections. The department or merchant area procedure document can then detail the process for performing and documenting/tracking those inspections. Specifically, each individual area should also have procedures that train staff on how to perform the inspections, how often these should be conducted, what to look for, and where inspections are logged.
In order to successfully meet these requirements, we can start with Requirement 126.96.36.199 which mandates organizations have an up-to-date list of all POI devices that includes the make and model of the device, location of the device, and the device serial number or other unique identifier. Having a complete, up-to-date inventory of devices allows you to track where they are located and quickly identify if a device turns up missing. This device list should be kept current at all times. It is also a good idea to request that your merchants provide the PCI Team with an updated inventory at least annually during the Self-Assessment Questionnaire (SAQ) process. This list can be kept either on paper or electronically, and you may want to also include things like the person responsible for the device(s), connection type (IP, cellular, analog), version numbers, PTS expiration dates, etc. All of this data can be maintained in CampusGuard Central® or, if you prefer paper, ask your dedicated CRM for a copy of our device inventory template.
Requirement 188.8.131.52 outlines the methods to detect tampering and/or substitution. Train staff to look for any unexpected attachments or cables leading to or from the device, missing or changed security labels, broken casing, and verification of those unique ID/serial numbers. Some organizations will even take photos of the original devices so employees can quickly compare and identify any differences. Remember skimming devices can be very thin so paying attention to the width of the frame around the screen and other features is critical as well.
New to the DSS is Requirement 184.108.40.206.1 which clarifies that the frequency and the type of inspections that must be performed as documented as part of the organization’s targeted risk analysis process, which is fully defined as per Requirement 12.3.1.
For any requirement from the DSS, if there is flexibility for how often a task must be performed or if the requirement states “periodically”, organizations must now perform a targeted risk analysis that reviews the assets being protected, the possible risks/threats towards those assets, how likely the threat is, and any factors that may increase/decrease the likelihood. For device inspections, this risk analysis process should look at where the devices are located, if they are attended vs. unattended, how accessible they are to the public, how frequently they are used, etc. For merchants that are high traffic and have public access to POI devices, daily inspections are recommended (every morning before the first transaction is processed). For devices that are kept in a locked office where only authorized employees are trafficking, a weekly or monthly inspection may suffice. As always, merchants should also refer to vendor guidance, like the P2PE Instruction Manuals, for any specific device requirements around inspections.
Referring back to the merchant procedures, each merchant should have the frequency defined within their individual procedures so employees clearly understand when inspections should be performed.
Merchants should log device inspections and have that documentation available so assessors can verify the frequency aligns with defined procedures. If employees aren’t regularly inspecting the devices, a breached device could go months without being discovered, significantly increasing the number of impacted customers. Advise merchants to keep those inspection logs (either electronically or physically), but also provide them to the PCI Team on a regular basis so you can ensure they are occurring regularly. Merchants can upload the inspection logs to an internal site or to the CampusGuard Central Document Locker so all documentation can be easily searched and located as needed.
If staff are not documenting their inspections, if/when a breach is discovered, it will be much more difficult to know how long the device has been compromised and how far back an investigation into possibly compromised data should go. The ongoing documentation of inspections can also help prevent liability should a breach occur.
From a QSA perspective, when the team is performing a PCI Assessment or Report on Compliance, they are reviewing the merchant procedures and training, and verifying the frequency of logged inspections aligns with the requirements outlined within the procedures.
The final requirement, 220.127.116.11, outlines training requirements for staff. We have seen an uptick in criminals pretending to be from an authorized maintenance company and requesting access to the payment card devices. Employees should always verify the identity of repair personnel or technicians before providing access. If you were not expecting someone from your acquiring bank or vendor, don’t allow them near your devices. Training should also help employees understand how to identify suspicious behavior and how/when to report possible indications of tampering/substitution. Merchant procedures should clearly outline the incident reporting process, and your incident response plan should also define the steps that will be taken when a report is received. Conducting a tabletop exercise with selected merchant staff to walk through possible device breaches being discovered is a great way to ensure all individuals understand their roles and responsibilities.
Additional guidance from the CampusGuard Security Advisor team below:
[Gilmore]: Thieves don’t take breaks, unless of course they are enjoying a trip funded by the stolen card information from your card reader. Checking these devices is critical to successful credit card information security. The technology built into the devices to encrypt them is only as good as the merchant’s ability to get card data into it properly. Sometimes it is not ideal to take down the payment terminals every day after business is closed, but a counter action would be to check the devices at least daily if not several times a day. If card terminals can be put away you sacrifice the convenience of having them always available, with needing setup time when opening business.
A Risk analysis would have to be done (even if a quick one) to determine the steps needed to monitor card terminals optimally. Maybe cameras are needed in high traffic areas or areas where card terminals are installed in walk-up payment stations such as parking lots/structures. Also keep in mind that card terminals that have a PIN transaction security certification are built to shut down automatically if someone tries to break into it, but it does not stop a skimmer.