It's 11 p.m.; do you know where your payment devices are? Merchants should be tracking all of them at all times, as those devices can be swapped out by cybercriminals to steal customer data. Joe Majka, Vice President & Chief Security Officer at Verifone, shares his thoughts on the importance and methodology of protecting that vital equipment.
Obviously, protecting against credit card fraud means protecting the data itself. But regardless of how much security is applied directly to that information, cybercriminals can still get their hands on it via the physical devices through which the data is transmitted.
That's why, on June 30, new PCI DSS (Payment Card Industry Data Security Standard) requirements took effect that require merchants to protect those very devices.
Specifically, Section 9.9 of PCI DSS 3.1 – which addresses protection of "devices that capture payment card data via direct physical interaction with the card from tampering and substitution" – requires mid- to large-size retailers to track, across however many thousands of devices exist in their ranks: the makes and models of the devices, the device locations, and the device serial numbers (or other unique identifiers).
Joe Majka, Vice President & Chief Security Officer of Verifone, points out that, although these procedures are certainly necessary for tamper detection, "they nonetheless represent yet another complication for merchants and acquirers."
To begin with, Majka explains, although many retailers are already tracking their device information in some form or fashion, a potential issue is that many may not be doing so in a manner that adheres to the specific compliance requirements. If that's the case, and a merchant's devices – or ("more ominously," as Majka puts it) the network connecting them – are tampered with, the merchant could be left on the hook for substantial liability.
As Majka points out, card skimming – the criminal activity of capturing payment card data by replacing legitimate payment devices with fraudulent ones – has impacted merchants "ranging from the smallest single-shop operators, to some of the largest, most well-known retail chains." Despite protective efforts made in terms of visual monitoring ("a key requirement" in combating skimming, says Majka), the more skilled cybercriminals are nevertheless able to switch equipment and add skimmers, operating undetected for long periods of time.
How do they get those phony devices in place to begin with? Majka observes that it's stated plainly in the PCI DSS 3.1 requirements: "Criminals will often pose as authorized maintenance personnel in order to gain access to point of sale devices."
Even though PCI DSS 3.1 establishes a number of processes for enforcing visual inspection, training employees on tamper detection, and procedures for using third parties to maintain devices, "the human element," remarks Majka, "is unfortunately always the weakest link," regardless of what policies have been implemented.
He points out that Verifone "has been working for years to make payment device estate management simpler and less costly." The company's view, Majka explains, is that making device registration and monitoring "fast and easy" and enabling remote, centralized management of thousands of devices can allow merchants to avoid the high costs and complexity of local control.
"We believe that remote, centralized management should incorporate a unique 'heartbeat' feature," he adds, "to regularly monitor the status of devices within an estate, which functions to provide real-time alerts via dashboard or email notification of suspect activity."
Because cybercriminals often replace legitimate payment devices with fraudulent ones that look identical to the original equipment, visual detection – manually comparing serial numbers – was previously the primary means of defense in those cases. The "heartbeat" feature, however, alerts personnel to deactivate one or more devices if tampering is detected or a device goes missing.
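The two checks described above, a Section 9.9 inventory of serial numbers and locations plus a heartbeat from each terminal, can be reconciled automatically. The following is an added illustration, not Verifone's code: the inventory records, heartbeat messages, serial numbers and the 15-minute silence window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed Section 9.9 inventory: model and location per serial number.
INVENTORY = {
    "VX-0001": {"model": "T100", "location": "Store 12 / Lane 1"},
    "VX-0002": {"model": "T100", "location": "Store 12 / Lane 2"},
    "VX-0003": {"model": "T200", "location": "Store 12 / Lane 3"},
}
# Constructed heartbeat reports received by the central management dashboard.
# Lane 2 now reports an unregistered serial; Lane 3 has been silent for hours.
HEARTBEATS = [
    {"serial": "VX-0001", "model": "T100", "location": "Store 12 / Lane 1", "seen": "2015-07-01T22:58:00"},
    {"serial": "VX-9999", "model": "T100", "location": "Store 12 / Lane 2", "seen": "2015-07-01T22:59:00"},
    {"serial": "VX-0003", "model": "T200", "location": "Store 12 / Lane 3", "seen": "2015-07-01T18:00:00"},
]

def reconcile(inventory, heartbeats, now_iso, max_silence=timedelta(minutes=15)):
    """Return sorted (serial, reason) alerts: an unregistered serial (a swapped
    device reports its own), a registered device whose heartbeat is stale or
    absent (possibly removed), or a model/location differing from its record."""
    now = datetime.fromisoformat(now_iso)
    latest = {}  # most recent heartbeat per reported serial
    for hb in heartbeats:
        seen = datetime.fromisoformat(hb["seen"])
        if hb["serial"] not in latest or seen > latest[hb["serial"]]["seen"]:
            latest[hb["serial"]] = {**hb, "seen": seen}
    alerts = []
    registered_locations = {d["location"] for d in inventory.values()}
    for serial, hb in latest.items():
        if serial not in inventory:
            reason = "unregistered serial"
            if hb["location"] in registered_locations:
                reason += " at a registered location (possible substitution)"
            alerts.append((serial, reason))
            continue
        for field in ("model", "location"):
            if hb[field] != inventory[serial][field]:
                alerts.append((serial, f"{field} mismatch: expected "
                               f"{inventory[serial][field]}, got {hb[field]}"))
    for serial in inventory:
        hb = latest.get(serial)
        if hb is None or now - hb["seen"] > max_silence:
            alerts.append((serial, "no heartbeat within window (missing or offline)"))
    return sorted(alerts)

def run_example():
    """Reconcile the constructed data as of 23:00 on the same evening."""
    return reconcile(INVENTORY, HEARTBEATS, "2015-07-01T23:00:00")
```

In the constructed data the reconciliation flags Lane 2 twice from different angles (the registered serial has stopped reporting and an unknown serial has appeared in its place), which is the pattern a substituted terminal produces.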
"We've long argued that security should be multilayered – incorporating EMV, end-to-end encryption and the decoupling of sensitive payment data from the point of sale," concludes Majka. "In the case of enforcing Section 9.9 of PCI DSS 3.1, we believe that the use of automated and remote terminal estate management technology can substantially boost the effectiveness of manual inspection processes."
Joe Majka, Vice President and Chief Security Officer, Verifone
Majka is responsible for leading Verifone's global security operations. His areas of security oversight include products, services, hardware, facilities and emerging risk. He has more than 30 years of experience in the financial services sector, managing security, fraud, cybersecurity and data breach incident response. Joe has managed electronic payment fraud for Visa and is considered one of the leading experts in the industry.
For nearly two decades, Joe has spoken internationally on the subject of cybercrime and payment card fraud, and he has testified before the U.S. House of Representatives Committee on Homeland Security, Subcommittee on Emerging Threats, Cybersecurity and Science and Technology.