PCI Requirement 9.9 – Protecting PoS Devices from Skimming

How to Implement a Program for Your Staff

In our last CampusGuard Alert, we mentioned that ransomware was predicted to be one of the biggest cybersecurity risks of 2017. Another common threat appearing in many Top 10 lists is skimming.

Payment card skimming is a type of fraud in which criminals use a small device to steal cardholder information from a modified payment terminal. Skimmers are often cleverly disguised and attached to Point of Sale (PoS) devices, gas pumps, or ATMs. Self-checkout terminals in retail outlets have also become more popular targets. When a card is run through the tampered device, the skimmer captures the details from the card’s magnetic stripe. The thieves can then use the stolen data to create counterfeit cards or make fraudulent purchases online.

Why is this type of fraud increasing? The cost to install a skimming device is low. A quick search on eBay reveals just how easy it is to order a skimming device – anyone can have one overnight for anywhere from $48 to $359 depending on how many card numbers they want to store, Bluetooth connectivity, size, etc. That small investment can in turn help criminals gain access to hundreds or thousands of payment card numbers. Average losses from skimming are estimated around $600 per card, with total losses ranging from a few thousand to millions of dollars per attack. Of course, these numbers do not include the other indirect costs associated with any cardholder information breach, such as customer notification costs, fines, and reputational damage.

You may be wondering, “Don’t the new EMV chips prevent this type of fraud?” Yes, EMV chips do help defend against the use of counterfeit cards in an in-person situation, but the stolen card number can still be used for online purchases. Because the adoption of EMV cards and the rollout of compatible devices are still a work in progress, many payment cards remain vulnerable. If you are considering new devices for any of your merchant areas, make sure those used for in-person payments are equipped with EMV technology.

So, what can your organization do to prevent skimming now? The PCI DSS outlines very specific procedures for protecting against skimming attacks in Requirement 9.9. Although your general information security training may briefly discuss attack methods like skimming, you should create a specific program around Requirement 9.9 for any department or merchant accepting in-person transactions. Whether the PoS devices are standalone terminals or connected to your network, there is a risk that criminals will tamper with them or substitute manipulated equipment for them. Even if you have recently implemented P2PE devices, Requirement 9.9 is one of the few requirements you still need to meet.

When constructing your organization’s program, the following steps must be included:

  1. Maintaining an inventory of devices
    Designate a person or persons from your PCI Team to be in charge of the PoS inventory list and ensure it is maintained and updated on an ongoing basis. This list should track devices from the moment they are unpacked and deployed. The inventory must include (at a minimum):

    1. Make and model number
    2. Location of device
    3. Serial number or other unique identifier
  2. Periodically inspecting devices for potential tampering/substitution
    Create clearly defined, documented procedures for inspecting PoS devices. Staff should be able to easily compare the serial number on the device with the serial number on the inventory list. They should also look the device over for unusual gaps or signs of prying, and verify that no extra cables are attached. Many organizations keep a photo of the original device so employees can quickly compare its current appearance against the picture and spot anything that has changed. Manufacturers often use tamper-evident screws and/or stickers so that any attempt to open the outer casing is apparent.

    Note that the requirement says “periodically” and gives no specific timeline for these inspections. Each organization or merchant can set the frequency based on risk level, taking into account where the device is located (e.g., is there public access?), its activity level, and whether it is unattended. CampusGuard generally recommends building the inspection into your daily procedures and having staff do the tamper check before the first transaction of the day. A quick once-over of each terminal takes only a minute or two and is well worth the fraud it can prevent. As part of your incident response plan, verify that all staff know how and where to report any suspected tampering or substitution.
  3. Verifying the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
    Require that all maintenance personnel check in upon arrival, and train all onsite personnel to verify their identity and the purpose of their visit. This is an important step, as multiple organizations have suffered breaches after criminals posing as authorized maintenance crews were given physical access to devices. Criminals have also succeeded by simply shipping fraudulent devices to a location with instructions to install and deploy them. Make sure your staff know the policy and procedures for issuing and installing PoS devices so that only approved devices are deployed.
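One way to back the three steps above with a checkable record, as an added example that is not CampusGuard's code or anything published by the PCI Council: an inventory carrying the three required fields from step 1, an inspection check (step 2) that compares the serial staff observe against the inventory and flags seal or cable anomalies, and an overdue list driven by a risk-based interval. The device names, serials, locations and the daily/weekly interval are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class PosDevice:
    make_model: str               # step 1: make and model number
    location: str                 # step 1: location of device
    serial: str                   # step 1: serial number or other unique identifier
    public_access: bool           # risk factors the article says should set inspection frequency
    unattended: bool
    last_inspected: Optional[date] = None

def inspection_interval_days(dev: PosDevice) -> int:
    """Risk-based frequency (constructed policy, not a PCI DSS number): daily for devices
    the public can reach or that are unattended, weekly otherwise."""
    return 1 if (dev.public_access or dev.unattended) else 7

def inspect_device(inventory: List[PosDevice], location: str, observed_serial: str,
                   seals_intact: bool, extra_cables: bool, today: str) -> List[str]:
    """Record one tamper/substitution check (step 2) at a location and return the
    findings staff should report under the incident response plan."""
    dev = next((d for d in inventory if d.location == location), None)
    if dev is None:
        return [f"{location}: no device on inventory for this location; unapproved deployment?"]
    findings = []
    if observed_serial != dev.serial:
        findings.append(f"{location}: serial {observed_serial} != inventory {dev.serial}; possible substitution")
    if not seals_intact:
        findings.append(f"{location}: tamper-evident seal or casing disturbed")
    if extra_cables:
        findings.append(f"{location}: unexpected cable attached; possible skimmer")
    dev.last_inspected = date.fromisoformat(today)   # ISO date, e.g. "2017-03-01"
    return findings

def overdue_inspections(inventory: List[PosDevice], today: str) -> List[str]:
    """Serials of devices never checked or checked longer ago than their risk-based interval."""
    now = date.fromisoformat(today)
    return [d.serial for d in inventory
            if d.last_inspected is None
            or (now - d.last_inspected).days > inspection_interval_days(d)]

# Constructed sample inventory: makes, models, locations and serials are made up.
INVENTORY = [
    PosDevice("ExampleCo PT-100", "Bookstore register 1", "SN-0001", public_access=False, unattended=False),
    PosDevice("ExampleCo PT-100", "Parking kiosk A", "SN-0002", public_access=True, unattended=True),
]
```

Any non-empty list returned by `inspect_device` is the trigger for the reporting path described in the incident response plan, and `overdue_inspections` run each morning gives the person who owns the inventory list a quick view of which terminals were skipped.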

Do you have processes and procedures in place for meeting Requirement 9.9?

If you haven’t already, feel free to reach out to your CampusGuard CRM Team to review your program for completeness. We recommend including interviews with random personnel to test their awareness of the procedures and requirements for checking devices as part of your annual risk assessment.

The PCI Council has also created an excellent guidance document with photo examples of skimming equipment that you may want to review as you build your training program.

Below is some additional commentary from our Security Advisor Team:

[Burt]: Although skimming appears in many Top 10 lists as a common threat, it can almost always be prevented by following daily procedures and using a little common sense. The majority of these attacks occur due to merchants/employees not paying attention to detail. It’s one thing to have procedures created for maintaining accurate/current device inventories, periodically inspecting devices for tampering/substitution and verifying the identity of third-party individuals claiming to be maintenance personnel. It’s another to actually implement and adhere to them. The majority of cardholder data breaches we hear about occur within PCI compliant organizations that let their guard down by not following “business as usual” policies and procedures. Criminals are extremely smart, efficient and patient when it comes to stealing cardholder data. They do their homework (e.g. research organizations and individuals that are not paying attention to detail).

On a lighter note, from a consumer perspective, when making payment card purchases at an ATM, gas station pump or even your favorite local super store, take a quick grab/pull on the device before entering your card. The skimming devices used may look legitimate, but they are rarely securely attached due to time constraints when installing. So, why not take a quick check? I know I often do.


About the Author
Katie Johnson

Manager, Operations Support

As the manager of Operations Support, Katie leads the team responsible for supporting and delivering CampusGuard services including online training, vulnerability scanning, and the CampusGuard Central® portal. With over 15 years of experience in information security awareness training, Katie is also the Product Lead for CampusGuard’s online training services. As a Senior Customer Relationship Manager for a limited number of customers, Katie assists organizations with their information security and compliance programs and is responsible for coordinating the various teams involved.