The best practices introduced in the PCI DSS v3 (6.5.10, 8.5.1, 9.9, 11.3, and 12.9) become mandatory requirements on July 1, 2015. One of the most formidable new requirements, especially for retailers with a large number of point of sale systems accepting card present transactions, will be Requirement 9.9. There are three basic goals of Requirement 9.9: maintain a list of devices, periodically inspect devices to look for tampering or substitution, and train personnel to be aware of suspicious behavior and to report tampering or substitution of POS devices. Let’s take a quick look at what merchants will need to do and what the QSA will be reviewing.
Maintain a List of Devices
Asset management can be an incredibly difficult and time consuming effort, so don’t underestimate the time it takes to build this list and maintain it over time. The asset inventory should capture the make and model of the device, the location of the device, and the device serial number or other method of unique identification. You may be able to collect much of this information electronically through management consoles, depending on the age and model of your PIN Pad. If you aren’t sure, it’s at least worth asking your PIN Pad manufacturer or acquirer whether this is possible, given the potential time savings. Otherwise, you will need to collect the data manually, store by store, register by register. During the PCI assessment, the QSA will use this list to select a sample to validate that the inventory is accurate. They will also need to determine the processes in place to ensure that the list is updated when devices are added, relocated, or decommissioned.
Periodically Inspect Devices
Now that you know what devices you have, you’ll need to develop procedures to inspect device surfaces to detect tampering or substitution. Consider scenarios such as card skimmers being placed in line with the swipe, unknown cables that don’t go to the POS or power, cracked cases, torn security tape, etc. Similar to the inventory stage, your PIN Pad may require specific initialization steps if being moved or replaced or it may trigger alert codes to communicate that physical tampering has taken place. These messages can be leveraged as part of the inventory process and provide rapid notification that something is wrong. Some PIN Pads will actually destroy the encryption keys being used as part of an end-to-end encryption architecture and not allow additional transactions if physical tampering occurs. This would prevent unencrypted cardholder data from entering your environment. The QSA is responsible for reviewing the processes, interviewing persons involved in the inspection (which could include store operations teams as well as store employees), and describing how the process ensures that all devices are inspected for tampering or substitution.
Train Personnel
Distribute communication to all staff who are involved in or trained to accept card payments that describes the common ways tampering occurs on POS devices and PIN Pads. You could include pictures of what the terminals should look like or even images of devices used for tampering. Also, make sure to include company procedures for all of the 9.9.3 items (you may need to write a few new ones):
- Verifying the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
- Understanding to not install, replace, or return devices without verification.
- Being aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).
- Reporting all suspicious behavior to appropriate personnel (for example, a manager or security officer).
- Reporting tampering or substitution of devices.
The QSA will need to review these training materials as well as identify a sample of personnel at point of sale locations to interview to verify they have received training. This should follow a similar process to previous retail location visits. There actually is not a specific requirement (as in 12.6) to show formal documentation of training completion. However, you want your assessor to be comfortable with your processes and not to increase the sample size if they find inconsistencies in the interview answers, so tracking completion internally should be considered a good practice.
Managing remote devices at retail locations can be more difficult than securing a server in the data center. The physical environment is harder to secure, as evidenced by many breaches over the years involving skimmers or devices attached to PIN Pads. Don’t forget to ask your PIN Pad vendors for security procedures that they may already have documented. By ensuring that the cardholder data entry points are reasonably protected and monitored, you can identify potential security issues more effectively. The above activities will both improve your overall payment card security situational awareness and help ensure that you meet compliance with Requirement 9.9.