I often get asked what the likelihood is of a skimming device being installed, or a payment device being tampered with to compromise customer card data.
Straight out of the Qualified Security Assessor (QSA) playbook, my first response is always “it depends.”
Contactless payments are becoming increasingly prevalent, and the use of mobile payment wallets often means that people no longer carry physical payment cards at all. According to Mastercard, more than two thirds of its in-person global card payments are now completed via contactless methods.
As contactless payments operate through near field communication (NFC), physical interaction with the payment card is not required. Specifically with mobile payment wallets, the card data is tokenised and not actually shared during the transaction. When the physical card is presented during a contactless transaction, the embedded EMV chip encrypts the card data and generates a unique code for the transaction, without sharing the card details.
When attackers target payment devices
During a recent client engagement, I was informed of a series of incidents across multiple site locations, whereby attackers deliberately attempted to prevent the customer from making contactless payments.
By deliberately damaging the contactless readers on self-service ticket vending machines (TVMs), the attackers forced customers to physically insert their card and enter their PIN. It is understood that in one of the incidents, a skimming device was observed inside the card slot of the TVM.
A damaged contactless card reader.
Detecting and responding to tampering
Self-service payment devices such as TVMs are typically unstaffed and rely upon a combination of layered security controls (administrative, physical and technical) to determine whether an attacker has attempted to tamper with or substitute the device.
Indicators of compromise could include customers reporting difficulties inserting their payment card into the device, or higher than normal transaction failure rates; either could be caused by a skimming device in the card slot itself.
Additionally, checks should not focus solely on the card slot and contactless reader, but should also look for signs of tampering with the PIN entry keypad and for the presence of pinhole cameras.
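The transaction-based indicators above can be turned into a simple prioritisation check. The following is an added example, not LRQA's or the client's code; it assumes a constructed per-transaction log format (time, device, entry mode, outcome), an assumed per-device baseline, and illustrative thresholds, and flags devices where the contactless share has collapsed or the failure rate has jumped, which is the pattern a damaged contactless reader and a skimmer in the card slot would produce.

```python
"""Flag payment devices whose transaction mix or failure rate drifts from a
baseline, to prioritise physical anti-tamper checks. All data is constructed."""
from collections import defaultdict
# Constructed shift log: time, device, entry mode, outcome. TVM-02 shows the
# pattern from the post: contactless fails, customers fall back to inserting
# the card, and inserts are also declining (as a skimmer in the slot might cause).
SAMPLE_LOG = """\
09:00 TVM-01 contactless approved
09:02 TVM-01 contactless approved
09:05 TVM-01 insert approved
09:07 TVM-01 contactless approved
09:01 TVM-02 contactless declined
09:02 TVM-02 insert approved
09:04 TVM-02 insert declined
09:06 TVM-02 insert approved
"""
# Assumed per-device baseline from prior weeks of normal operation.
BASELINE = {d: {"contactless_share": 0.75, "failure_rate": 0.04} for d in ("TVM-01", "TVM-02")}

def device_stats(log):
    """Per device: transaction count, contactless share and failure rate."""
    counts = defaultdict(lambda: [0, 0, 0])  # total, contactless, failed
    for line in log.splitlines():
        if line.strip():
            _t, dev, mode, outcome = line.split()
            c = counts[dev]
            c[0] += 1
            c[1] += mode == "contactless"
            c[2] += outcome != "approved"
    return {d: {"total": t, "contactless_share": n / t, "failure_rate": f / t}
            for d, (t, n, f) in counts.items()}

def flag_devices(current, baseline, min_txns=4, share_drop=0.3, fail_mult=2.0):
    """Return {device: [reasons]} for devices that warrant a physical check."""
    flagged = {}
    for dev, cur in current.items():
        base = baseline.get(dev)
        if base is None or cur["total"] < min_txns:  # too little data to judge
            continue
        reasons = []
        if base["contactless_share"] - cur["contactless_share"] >= share_drop:
            reasons.append("contactless share fell to %.2f" % cur["contactless_share"])
        # floor of 0.1 stops a zero baseline flagging every single failure
        if cur["failure_rate"] >= max(fail_mult * base["failure_rate"], 0.1):
            reasons.append("failure rate rose to %.2f" % cur["failure_rate"])
        if reasons:
            flagged[dev] = reasons
    return flagged

if __name__ == "__main__":
    for dev, why in flag_devices(device_stats(SAMPLE_LOG), BASELINE).items():
        print(dev, "- prioritise anti-tamper check:", "; ".join(why))
```

A flag is a reason to send someone to inspect the device, not proof of tampering; ordinary causes such as a faulty reader or network issues produce the same signal and are ruled out by the physical check itself.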
Why routine checks still matter
In the case of our client’s recent finding, it was the routine anti-tamper checks and balances that detected this incident, and the resulting incident response reporting led to knowledge sharing with peer organisations.
With the PCI community currently focused on the prevalence of attacks against ecommerce payment channels, it is important to acknowledge that attackers can still target cardholder-present payment channels.
One of the greatest hurdles most organisations face is getting staff at the coal face of business operations to understand why anti-tamper checks are required. Information is not widely shared when attacks occur: organisations often fear the reputational damage of making details public, and ultimately the impact the incident could have on share prices.
How often should devices be checked?
Anti-tamper device checks are a mandatory requirement within point-to-point encryption (P2PE) instruction manuals (PIMs), where terms such as ‘periodic’ are used for the frequency at which device checks must be completed. Initially this terminology could be interpreted as quite loose, somewhat like opening Pandora’s box; however, the onus is actually on the entity to determine what qualifies as ‘reasonable and proportionate’ for that control frequency, based upon its own interpretation of the potential risks.
Key considerations for defining control frequencies
When defining control frequencies within a risk assessment, existing security controls, such as locks, alarms, lighting, CCTV and guards, should be a key consideration, as should how they complement each other (i.e. layered security controls). Once control frequencies are defined, it is crucial to be dynamic and pragmatic in making changes in response to threat warnings and suspected or confirmed incidents of compromise.
For example, after a suspected incident of tampering with one or more payment devices, device checks might temporarily be increased from weekly to daily, or from daily to once per shift. The frequency of checks might revert to the previous intervals once the entity is content that the potential threat has decreased.
LRQA QSAs routinely find that organisations that align anti-tamper checks into business-as-usual processes are more effective and consistent in complying with PCI DSS Requirement 9.5 than those who implement standalone checks.
Final thoughts
In summary, anti-tamper checks are still relevant to all entities that accept in-person (cardholder-present) payment card transactions. Attackers are adaptive in developing their tactics, techniques and procedures; therefore, as a PCI community we must be equally adaptive and dynamic in our response to the emerging threats and evolving capabilities of our adversaries. Ultimately, what is effective today is not guaranteed to be effective tomorrow.