Blog — Termtegrity SpotSkim | PCI DSS Requirement 9.9 Solution

Vasu Nagendra

Easy €3.2 Million! Who doesn't want that?

Yesterday's incredible story from France! A card skimming gang stole 3M euros using ghost PoS terminals.

In my mind here are the highlights of the story:

  • The POS Terminals that were ghosted were in public
  • Certainly the POS Terminals were not working, which makes it slightly interesting
  • What's incredible about this is that (at least according to the story) it's just 12 humans - that's it! So, here is the average rate of return per human involved in the crime (assuming it took 6 months of effort):
    • 12 humans, 6 months, $3MM (nice round numbers, for the sake of simplicity)
    • $250,000 in 6 months!
    • Calculating it out for a regular salaried job; $500K/year
    • Oh, did I mention, this is net, it's unlikely they were paying taxes on it
    • So assuming regular US W2 income, that's well over $750K/year

I know what you are thinking, "Let's do EMV." Mind you EMV has been in Europe for close to a decade. This is not an EMV problem, let's not go there.

The point of the analysis:

  • Incredibly lucrative business! Who wouldn't want to get in on that action?
  • Please, let's not ignore the fact that these guys all ended up in prison in the end!
  • So big bold disclaimer, if it wasn't incredibly obvious...
    This is illegal, don't try it! We don't encourage/endorse this.

However, taking a page from one of my favorite books, Freakonomics: there is a tremendous incentive for someone committing this crime. Put this in a Freakonomics perspective...

A drug dealer boss in Chicago makes about $250K. They need to endure constant threats to their lives from rival gangs and fend off people from their organization trying to climb up the ladder.

I highly doubt that the scenario exists here.

Inherently, I believe POS/ATM skimming crimes are easy. Yes there is sophistication with the recent 3D printers and such, but in the end, there is a huge advantage for the attacker...

Information Asymmetry

In normal life, this plays out every time you visit a mechanic. Consider going in for an oil change. You leave your car there, and wait in the "waiting room". The mechanic looks at the car, comes back and says "you need to replace your water pump and your timing belt/chain. It is in pretty bad shape, you really need to do it today." Unless you happen to be an expert mechanic, you have two disadvantages...

  • You really need to get out of there, so you need the car back
  • You have no way of validating the mechanic's claims.

Typically you overcome this disadvantage with a second opinion. The same applies there, but you get my point...

In the context of skimmers this plays out with consumers.

  • A consumer walking up to an ATM has absolutely no way of knowing if there is a skimmer on it at all.
  • Same for the taxicabs and discount stores that were apparently targeted as part of this attack. That's unbelievable!

What can you do about it as an organization?

Sorry to say, there is no easy button. You have to get into the habit of inspecting your terminals regularly!
We have a product that can make this process easy. You can think about reducing the costs of your inspection by making it easy, reducing the expertise required etc., but...at the end of the day, you still have to do it.

PCI DSS addressed this exact responsibility in the form of requirement 9.9. If you don't know what that requirement is, or have questions, feel free to contact us. If you are unclear about the requirement, our friends at Coalfire are doing a webinar (in which I will be participating and presenting some of this information). Register for it here.

What can you do about this as a consumer?

Not much really at this point. You can be thankful for where you live. I know of many folks in different countries who have lost their entire life savings to a skimming attack. That's because banks in those countries are not responsible for the loss! If you live in the US or Europe, luckily for you the bank will eventually refund your money.

Header image photo credit to aranjuez1404 used under CC 2.0.

PCI DSS 3.1, Requirement 9.9 Changes

PCI DSS just released 3.1. As an organization that is focused on 9.9 specifically, we thought we'd provide you, our customers and prospects, some guidance around changes and what we believe to be the rationale.

You can grab the summary of changes on the PCI Website, and a copy of the standard v3.1 here.

Please keep in mind, we are only covering the 9.9 section changes here, and not anything else. As always, your assessor may have a different opinion than what is presented here. Here is our perspective.

So what exactly are the changes?

The changes specifically state the following:

Updated testing procedure to clarify both devices and device locations need to be observed.

What does this mean?

In general, testing procedures apply during the assessment phase. So imagine your assessor is sitting in front of you; they would be asking you the following question:

"You have 1000 stores. Can we take a sample of this, this, and this other store? I'd like to see a list of devices currently in these stores, and how, when, and by whom they have been inspected in the past year."

What is the rationale?

Your assessor is looking for the following information, which makes sense (in our minds anyway):

  1. Sample of devices, to make sure that the device information is correct:
    • Do we know the current status of this particular device?
    • What do we know about the history of the device?
    • Do we know where it is and where it has been?
  2. Sample of locations, to make sure that the location information is correct:
    • How many devices do we think are in this location?
    • Does our thinking match reality?
    • How did we come up with an inspection period for this location in the first place?

The point of this exercise is to reconcile the two facts together to get to the following conclusion (in the assessor's mind):

"If we think that this location x has 10 devices and can positively verify that the number is exactly 10; no-more, no-less...

and

If we think that each device that is in this location is supposed-to-be Inspected on a daily basis and can validate that...

then

We are reasonably certain that all locations are following almost exactly the same process."

If you are a math geek like me you might even call this Proof by Induction.
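To make the reconciliation concrete, here is an added example (not SpotSkim code, and not part of the original post) of the two checks an assessor's sample implies: does the device count in the inventory match what the location register claims, and has every device at that location been inspected within its stated inspection period? The location register, device inventory, inspection periods, serial numbers and the `AS_OF` date are all constructed sample data; the requirement text itself defines no data format.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data (not from the post): the "as of" time of the
# assessment, a location register, and a device inventory with inspection
# history. Serial numbers, store ids and model names are placeholders.
AS_OF = datetime(2015, 6, 1, 9, 0)


@dataclass
class Device:
    serial: str
    location_id: str
    model: str
    inspections: list  # (datetime, inspector) tuples, oldest first


@dataclass
class Location:
    location_id: str
    expected_device_count: int
    inspection_period: timedelta  # how often each device here must be inspected


LOCATIONS = {
    "store-101": Location("store-101", 2, timedelta(days=1)),   # daily inspection
    "store-102": Location("store-102", 3, timedelta(days=7)),   # weekly inspection
}

DEVICES = [
    Device("SN-0001", "store-101", "model-A", [(AS_OF - timedelta(hours=20), "alice")]),
    Device("SN-0002", "store-101", "model-A", [(AS_OF - timedelta(days=3), "bob")]),   # overdue
    Device("SN-0003", "store-102", "model-B", [(AS_OF - timedelta(days=2), "carol")]),
    Device("SN-0004", "store-102", "model-B", []),                                      # never inspected
    Device("SN-0005", "store-999", "model-A", [(AS_OF - timedelta(days=1), "dave")]),  # unknown location
]


def reconcile_location(loc, devices, as_of):
    """Return a list of findings for one sampled location (empty list means it checks out)."""
    findings = []
    present = [d for d in devices if d.location_id == loc.location_id]

    # Check 1: the number of devices we think are there matches the inventory.
    if len(present) != loc.expected_device_count:
        findings.append(
            f"{loc.location_id}: register says {loc.expected_device_count} device(s), "
            f"inventory shows {len(present)}"
        )

    # Check 2: every device at the location was inspected within the stated period.
    for d in present:
        if not d.inspections:
            findings.append(f"{d.serial}: no inspection on record")
            continue
        last_when, who = d.inspections[-1]
        if as_of - last_when > loc.inspection_period:
            findings.append(
                f"{d.serial}: last inspected {last_when:%Y-%m-%d} by {who}, "
                f"exceeds the {loc.inspection_period.days}-day period for {loc.location_id}"
            )
    return findings


def orphan_devices(devices, locations):
    """Serials of devices whose recorded location does not exist in the register."""
    return [d.serial for d in devices if d.location_id not in locations]


def assess_sample(sample_ids, locations, devices, as_of):
    """Run both checks over the assessor's sampled locations.

    Orphaned devices are reported regardless of the sample, since a device that
    belongs to no known location can never be reconciled. Returns (passed, findings).
    """
    findings = []
    for lid in sample_ids:
        findings.extend(reconcile_location(locations[lid], devices, as_of))
    for serial in orphan_devices(devices, locations):
        findings.append(f"{serial}: assigned to a location not in the register")
    return (not findings, findings)


if __name__ == "__main__":
    passed, findings = assess_sample(["store-101", "store-102"], LOCATIONS, DEVICES, AS_OF)
    print("PASS" if passed else "FAIL")
    for f in findings:
        print(" -", f)
```

With the constructed data the sample fails on four findings: one overdue device and one missing device at the two stores, one device with no inspection history, and one device pointing at a location the register does not know about. The "induction" step in the post is exactly `assess_sample` returning `True` for every sampled location: only then can the assessor reasonably extend the conclusion to the locations that were not sampled.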

Customers that are using SpotSkim are covered. This clarification doesn't add anything new to what the solution provided already. As always we continue to make improvements to make your process more consistent, faster, and cheaper. If you are a customer and are worried about what these changes mean to you - please feel free to reach out to us using the Support section of the portal.

If you are not a customer and are interested in learning more about SpotSkim, you can contact us here.

Header image by Nana B Agyei, used under CC 2.0

The Dark Knight Is Not Out There Fighting Skimmers

One of the biggest challenges we find when working with prospective users of our solution is getting them to actually commit to action to address their skimming risks.

They know skimming is a problem they face. It's either happened to them or to other companies in their industry. They read about it every day.

It’s not hard to stop the majority of the attacks out there...

Those Who do not learn from the past...

"Those who do not learn from the past are doomed to repeat it" or variations thereof is a profound and frequently cited quote. It's commonly attributed to Winston Churchill, but most authoritative sources attribute it originally to George Santayana in his work "Life of Reason, Reason in Common Sense."

Regardless of who the original author is, one of the reasons that it's so frequently cited is its applicability to so many situations. Even point of sale skimming, it turns out...

News - Distribution

This week we’re back in Las Vegas attending Transact 14 powered by ETA. We’re exhibiting with our good friends from Sysnet GlobalSolutions, with whom we just announced a worldwide distribution partnership for SpotSkim. We know it’s important to get our product in the hands of as many merchants as we can, and this announcement means that many of them can now get SpotSkim through one of their trusted partners for compliance solutions. If you’re attending, please come by and see us in booth #1006...

Taking Stock

It seems somewhat unnecessary right now to reinforce the fact that cardholder data compromises continue to harm businesses that accept payment cards. You can just open your favorite newspaper or news website.

This week, Verizon released their 2014 PCI Compliance Report. A companion piece to their essential Data Breach Investigation Report (DBIR), this report provides insight drawn from all of the PCI DSS assessments that they completed over the past year...

Know Your Enemy

At many tourist sites, you will often see warnings to protect your valuables against pickpockets. Criminals know that visitors’ attention will be focused on the attraction they came to see and they will be less aware of their surroundings and their personal belongings. This makes them easier targets. Another common tactic used by street criminals is to intentionally distract a potential victim. The victim is “turned” by a loud noise, a spilled drink, or similar distraction, and they momentarily lose awareness of their personal belongings, making them an easier mark...