Archive for November, 2011

28 Nov 11

Supermarket Chain Notifies Customers Of Self Checkout Skimming

Customers of Lucky Supermarkets, a subsidiary of Save Mart Supermarkets, got an early Thanksgiving gift when they were notified that 20 Lucky Supermarkets and one Save Mart store in California had discovered skimming devices inside those stores’ self checkout systems.  The more retailers automate their checkout lanes, the more risk they take on unless they put in place controls to minimize those risks.

Grocery stores can learn a lot from gas stations and convenience stores and the controls these organizations have put in place to secure gas pumps.

  • Locks are keyed the same.  It turns out that gas pump manufacturers have used the same keys for as long as pumps have had locks.  I worked at a gas station when I was in high school a long, long time ago.  Yet, six years ago, while conducting a security review for a State Transportation Department, I found that the pump keys I had neglected to return 30 years earlier would open the gas pumps at the maintenance garages.  Whoa!  It turns out self checkout manufacturers have the same problem unless you request that they use a different key and lock combination.  So the first lesson is to explicitly request a lock and key set unique to your organization for your self checkout units.
  • Locks are not perfect.  Even if you change out the locks, they can still be picked fairly quickly by someone who knows what they are doing.  So, as a second level of defense, you need to add serialized tamperproof tape to the doors that allow access to the inside of the self checkout unit.  Newer self checkout units only allow easy access for changing out the register tape and nothing else.  Only authorized technicians have the ability to gain access to the rest of the device.  However, best practice is to put serialized tape on all of the doors regardless.
  • You may need tamperproof tape inside.  Older (age is all relative) self checkout units allow access to too much of the internal workings and/or do not have tamperproof parts inside the cabinet.  That means that “bad guys” can insert a skimmer without any obvious changes.  To avoid that problem, you can wrap connections with tamperproof tape so that if anyone attempts to take the connectors apart, it will be obvious upon inspection of the tamperproof tape.  Discuss your situation with your self checkout vendor as they can advise you on what should be taped.
  • Locally monitor your equipment.  The serial numbers on the tape need to be recorded on a log sheet, and the tape (inside and outside) should be checked at every manager shift change.  Any tape that appears to have been tampered with should be investigated and that unit taken out of service until an authorized technician deems it safe to put back in service.  In addition, video monitoring should be in place to cover each self checkout.  Staff should be present at all times to monitor these devices.  Typically a single person can cover two aisles comprising a total of four self checkout devices.  Any more than that and your staff can be easily distracted and miss someone tampering with a device.
  • Remotely monitor your equipment.  Most self checkout devices have the ability to be centrally managed and monitored.  In the event a door is opened, the unit can send an alert to the central monitoring console.  When an alert is generated, operations personnel should immediately contact the retail outlet and have store management immediately investigate the alert and inform the central monitoring station of the device’s status.  If the store is not in operation, then the central operations personnel should notify local law enforcement and store management that an emergency exists at the store.

As a friendly reminder, security is not perfect.  These controls have to be executed perfectly every day, every year.  That is where things always go awry.  However, if you do execute these controls consistently, your organization should be very difficult to compromise.  The “bad guys” will know that and will find an easier target.

12 Nov 11

Of Redirects And Reposts

There are two major techniques in e-Commerce these days for processing payments: redirects and reposts.  Redirects are when the e-Commerce site sends its customer to the payment processor’s site for the processing of the payment.  Reposts are when the e-Commerce site collects the payment data itself and posts it to the payment processor, typically by just changing the URL the payment form posts to so that it points at the processor’s site.

I have had a number of clients and prospects recently ask for my take on this topic as they attempt to shrink their PCI compliance footprint as small as possible.  A lot of them like the idea of the repost because it requires only a simple change to their existing e-Commerce sites.  But all of them are concerned about whether or not one technique reduces their PCI compliance footprint more than the other.  So, here is my take on the subject.

Redirect

Redirects cause a new window or a new page to be generated for the on-line customer.  This window/page is where the e-Commerce site’s customer will enter their credit card information to pay for their e-Commerce order.  This window/page is code written by the payment processor and usually carries a URL that is not the same as the e-Commerce site.  Typically, while the e-Commerce merchant’s logo may appear on the window/page, the processor’s logo will also appear.  As a result, it is usually very clear to the customer that this is not the e-Commerce site any more.

Regardless of the visual cues that this new window/page does not belong to the e-Commerce site, the key fact in the redirect method is that the window/page is driven by code developed by the processor, not the e-Commerce organization.  As a result, it is the processor’s responsibility to ensure this window/page is PCI compliant and protects cardholder information.  The e-Commerce site is not in-scope for PCI compliance since it does not process, store or transmit cardholder data.

Repost

In the repost scenario, the e-Commerce site is collecting the cardholder information and is then posting that information to the processor.  From a customer perspective, the e-Commerce site is the processor of their credit card.  And while the e-Commerce site is typically not storing the cardholder data, the e-Commerce site is processing and transmitting cardholder data.  So, the e-Commerce site is in-scope for PCI compliance because the code of the e-Commerce site is collecting and transmitting cardholder data.  As a result, the e-Commerce site could be manipulated by an attacker to send the cardholder data not only to the processor but to any other location on the Internet.

Under the repost scenario, the control of cardholder data is under the purview of the e-Commerce organization, and the processor has no input as to how the cardholder data is controlled until it receives it from the e-Commerce site.  Therefore, the e-Commerce organization is responsible for the safety and security of the cardholder data, and that puts the e-Commerce site in-scope for PCI compliance.
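As an added example (not from the original post) of how a reviewer can tell the two patterns apart from the merchant’s own checkout page: the scanner below parses constructed sample HTML and flags any form that carries cardholder-data fields, because that page’s code collects and transmits the data no matter which host the form posts to.  The field-name patterns and the hostnames are assumptions made for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Input names meaning the merchant's own page collects cardholder data (illustrative patterns).
CHD_FIELD = re.compile(r"card.?num|\bpan\b|ccnum|cvv|cvc|csc|exp(iry|_?month|_?year)", re.I)

class CheckoutScanner(HTMLParser):
    """Records each <form>'s action URL and the names of the inputs inside it."""

    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select") and self._current is not None:
            self._current["fields"].append(a.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def classify(html, merchant_host):
    """("repost", chd_fields, post_host) if a form on the merchant page carries
    cardholder-data fields: the merchant's code collects and transmits CHD, so the
    page is in scope even when the action points at the processor.  Else ("redirect", [], None)."""
    scanner = CheckoutScanner()
    scanner.feed(html)
    for form in scanner.forms:
        chd = [f for f in form["fields"] if CHD_FIELD.search(f)]
        if chd:
            # A relative or empty action posts back to the merchant itself.
            host = urlparse(form["action"]).hostname or merchant_host
            return "repost", chd, host
    return "redirect", [], None

# Constructed sample pages; the hosts are placeholders, not real sites.
REPOST_PAGE = ('<form method="post" action="https://pay.processor.example/post">'
               '<input type="hidden" name="order_id" value="1001">'
               '<input name="card_number"><input name="exp_month">'
               '<input name="exp_year"><input name="cvv"></form>')
REDIRECT_PAGE = ('<form method="post" action="/checkout/start">'
                 '<input type="hidden" name="order_id" value="1001">'
                 '<input type="hidden" name="amount" value="42.00">'
                 '<button>Pay at processor</button></form>')
```

The redirect page hands the processor only an order reference; the repost page is flagged even though its action points at the processor, which is exactly the scoping distinction drawn above.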

So for all of you trying to minimize your PCI compliance footprint, there is my take on redirects versus reposts.  If you really want to minimize your compliance footprint, use the redirect approach.



