The PCI DSS Requirement 9.9 outlines very specific procedures for protecting against skimming attacks. Although your general information security training may briefly discuss attack methods like skimming, you should create a specific program around Requirement 9.9 for any department or merchant accepting in-person transactions. Whether the point-of-sale (PoS) devices are standalone terminals or connected to your network, there is the potential risk for criminals to tamper with them or substitute the devices with criminally modified equipment. If you have recently implemented P2PE devices, Requirement 9.9 is one of the few requirements you still need to meet.
When constructing your organization’s program, the following steps must be included:
1. MAINTAIN DEVICE INVENTORY
Designate a person or persons from your PCI Team to be in charge of the payment card device inventory list, and ensure it is maintained and updated on an ongoing basis. This list should track devices from the moment they are unpacked and deployed. The inventory must include (at a minimum):
- Make and model number
- Location of device
- Serial number or other unique identifier
2. PERIODIC DEVICE INSPECTIONS
According to the PCI DSS, physical inspections of terminals must be conducted periodically. Create clearly defined and documented procedures as to how to inspect devices for potential tampering or substitution. Procedures should include when inspections should occur, who is responsible, features to check, how to document the inspection, etc. If you have implemented a PCI-listed P2PE solution, the vendor will provide what is called the P2PE Instruction Manual (PIM) that will outline the exact procedures merchants must follow for device inspections.
Notice that the requirement states “periodically” and does not provide a specific timeline for when these inspections should take place. Each organization or merchant can determine the frequency of inspections based on risk level. When you make that decision you will want to take into account where the device is located (i.e. is there public access?), activity level, and whether or not the device is unattended.
CampusGuard generally recommends that you build the inspection into your daily procedures and have staff do the tamper checking before the first transaction of the day. Having employees do a quick review of each terminal will take just a minute or two, and is well worth the potential breach that could be discovered.
3. CHECKING FOR SUBSTITUTION
Merchant staff must verify on a regular basis that the device inventory list is reconciled against the devices in use, as criminals may try to replace devices with tampered units. During the inspection, make sure to cross check identification numbers with your spreadsheet. Most devices will have a sticker attached to the bottom, which provides details of the product and generally include a serial number.
The majority of terminals will also have a method of displaying the serial number electronically. When powered on, the device serial number reported should match the serial number on the device itself. Verify that the serial number (or module number, part number, etc.) on the inventory list match with the devices currently in use.
It is also important that staff verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. Require that visitors check in upon arrival, and train all onsite personnel to verify the visitor’s identity and purpose of visit. This is an important step as multiple organizations have suffered breaches after criminals, appearing to be authorized maintenance crews, were provided physical access to devices. Criminals have also been successful by simply sending fraudulent devices to a location with instructions to install and deploy them. Make sure your staff know the policy and procedures for issuing and installing payment card devices so only approved devices are deployed.
4. CHECKING FOR TAMPERING
Credit card skimming devices are designed to blend in seamlessly with the machine it’s placed on. Unless you are specifically looking for a skimming device, you may not notice anything out of the ordinary.
Train employees to look over the device thoroughly and check for any unusual gaps or signs of tampering. Many organizations will actually have a picture of the original device so employees can quickly compare the device’s current appearance with the picture to see if anything has changed. Manufacturers will often use tamper evident stickers, so any attempts to open the outer casing of devices is apparent. If a criminal has attempted to compromise a terminal, they may remove these stickers or replace them with their own printed versions.
Staff should also be aware of the use of overlays. An overlay, often created on a 3D printer, is a small piece of plastic that fits closely to the device and attempts to maintain the original look or hide evidence of tampering. The greatest risk posed by these overlays is their inclusion of an additional payment card reader that grabs a copy of the cardholder data for later use in fraudulent transactions.
Criminals can also insert electronic equipment into the terminal in order to capture cardholder data. This equipment, called a shimmer, can be very sophisticated, small, and difficult to identify. Often it is hidden inside the device so neither the merchant nor the cardholder can tell that the terminal has been compromised from the outside. When you insert your card into the chip slot, the reader reads the data from the chip on your card. There may be a difference in how the card now inserts. It is also possible to identify if a shimming device has been inserted by weighing the device and checking for any difference.
Employees should include the following in their tamper checking procedures:
- Is the device in its designated location?
- Is the color and condition of the device as expected, with no additional marks or scratches?
- Are parts of the card reader loose? Or does anything move or wiggle when pulled on?
- Are there any loose or missing screws?
- Are the manufacturer’s security seals and labels present with no signs of peeling or tampering?
- Is the number of connections to the device as expected, with the same type and color of cables?
- Is the pin pad thicker than normal?
- Are there any unauthorized electronic devices (phones, iPods, etc.) near the device?
- Inspect the ceiling area above the POS device for cameras.
5. INCIDENT RESPONSE
As part of your Incident Response Plan, verify that all staff know how and where to report any suspected tampering or substitution. If a skimming device is found, you should immediately stop using the payment card terminal and disconnect it from the network. Take pictures and document all evidence. Below are the questions you need to answer as you develop your incident response procedures.
- Do you remove the skimmer? What do you do with the skimmer?
- How do you continue handling payments (i.e. is there a backup device that can be accessed)? How will that impact your daily operations?
- Do you immediately check the other devices in that location and/or other locations?
- Who has had access to the area in which the payment card device is located? Who maintains the visitor log and who will review it?
- Does the location have cameras? If yes, how is it accessed and who will review it?
- Do you have the data to determine the timeframe for when the skimmer may have been implemented?
- Can you determine how many and which payment cards/customers may have been effected?
- Who should be immediately notified (IT Support, Senior Leadership, PCI Team, acquiring bank, card brands, etc.)? Do you have all of the necessary contact details?
Employees will need ongoing training and reminders so they continue to inspect devices thoroughly per policy, and help your organization prevent potential tampering or substitution of payment card devices. It is important that they do not get lax on this effort. If a skimming device is detected, the smaller the window between discovery and last clean inspection, the smaller the potential impact for compromised records.
Additional guidance from our Penetration Testing team:
[Sullivan]: With the advancement of 3D printing and criminals becoming more advanced in their methods, skimming is becoming more of an issue. There are proven criminal cases of skimmers being installed in as little as 3 seconds. Employee training, surveillance of payment systems and regular inspections will help keep your customers safe and help your employees to be more alert consumers when using payment cards in their daily lives.