WEBVTT

00:00:00.000 --> 00:00:02.330
Let's talk about nonstandard point of sale.

00:00:02.330 --> 00:00:02.593
Again,

00:00:02.593 --> 00:00:05.366
something that we don't see in Europe very much apart

00:00:05.366 --> 00:00:08.465
from on ticketing machines actually, surprisingly.

00:00:08.465 --> 00:00:08.939
Gas stations,

00:00:08.939 --> 00:00:12.896
I think is a big thing in America for a --- I keep reading on the internet,

00:00:12.896 --> 00:00:17.901
but mostly on Krebs actually, about people taking card data from gas stations.

00:00:17.902 --> 00:00:20.176
Gas stations, parking meters,

00:00:20.176 --> 00:00:23.021
all those type of devices that you wouldn't normally think

00:00:23.021 --> 00:00:25.872
of as being connected to a huge network,

00:00:25.872 --> 00:00:32.702
attackers love to go and place very simple skimmers on those type of devices.

00:00:32.703 --> 00:00:34.942
So those physical attacks against gas stations,

00:00:34.942 --> 00:00:37.887
what controls in PCI DSS would protect a merchant,

00:00:37.887 --> 00:00:40.206
or a gas merchant, against that?

00:00:40.206 --> 00:00:44.772
There are a number of controls that actually protect against that,

00:00:44.772 --> 00:00:45.974
layered approaches.

00:00:45.974 --> 00:00:51.008
One is actually physically examining those devices from time

00:00:51.008 --> 00:00:54.351
to time to see if they've been altered, to see if they've been tampered with.

00:00:54.351 --> 00:00:55.402
Is that easy to do?

00:00:55.402 --> 00:00:57.665
Are these skimmers invisible now or ---?

00:00:57.665 --> 00:01:00.090
They can get more sophisticated.

00:01:00.091 --> 00:01:07.598
We've seen one that looked no more dangerous than a piece of scotch tape.

00:01:07.598 --> 00:01:09.941
It was just, the attacker could place it over,

00:01:09.941 --> 00:01:13.402
and it's hard to spot unless you're actually trying to spot it.

00:01:13.403 --> 00:01:17.082
If you know it's there, then it gets a little bit more difficult,

00:01:17.082 --> 00:01:20.683
but very few people are, everybody's in a rush when they're at the gas pump,

00:01:20.683 --> 00:01:20.848
right?

00:01:20.848 --> 00:01:21.439
Yeah.

00:01:21.439 --> 00:01:25.075
And even as jaded as I am in this industry,

00:01:25.076 --> 00:01:28.038
I don't check every single time I go to the gas pump to

00:01:28.038 --> 00:01:30.194
see if there's a skimmer on that device.

00:01:30.194 --> 00:01:36.255
But a number of PCI controls can help mitigate even physical attacks,

00:01:36.255 --> 00:01:40.761
like those against a gas pump, monitoring your physical security,

00:01:40.761 --> 00:01:41.688
checking your logs.

00:01:41.688 --> 00:01:46.525
The gas pumps still maintain their logs so they can go through

00:01:46.525 --> 00:01:49.326
and --- check your logs from time to time.

00:01:49.326 --> 00:01:52.338
Look at the audits that you have.

00:01:52.338 --> 00:01:54.661
Obviously with the move to chip,

00:01:54.661 --> 00:01:58.566
the US is going to see the sort of attacks we saw in Europe.

00:01:58.567 --> 00:02:01.208
So we don't tend to get skimmers.

00:02:01.208 --> 00:02:02.495
We tend to get two sorts of things.

00:02:02.495 --> 00:02:06.233
We tend to get overlay attacks where somebody builds an

00:02:06.233 --> 00:02:08.498
overlay and puts it right over the whole,

00:02:08.499 --> 00:02:11.959
entire point-of-sale machine, and it's got a skimmer built into the overlay,

00:02:11.960 --> 00:02:13.529
and it's wired the PIN cards.

00:02:13.529 --> 00:02:15.315
Have you seen, have you started to see those in the States?

00:02:15.315 --> 00:02:17.202
I have not seen one of those myself.

00:02:17.203 --> 00:02:20.387
I'm kind of looking forward to it, unfortunately.

00:02:20.388 --> 00:02:21.961
But we don't see those.

00:02:21.961 --> 00:02:31.429
We have seen kind of a move away from the POS attacks because as

00:02:31.429 --> 00:02:36.159
the Chip and PIN gets more fully integrated here,

00:02:36.160 --> 00:02:39.352
that data becomes less viable to the attacker.

00:02:39.353 --> 00:02:41.999
And so, not that we don't see the attacks.

00:02:42.000 --> 00:02:43.859
They're still wanting that data.

00:02:43.859 --> 00:02:45.586
But they're collecting the card,

00:02:45.587 --> 00:02:51.455
but then they have to use that card in less convenient ways like taking it to a

00:02:51.455 --> 00:02:54.765
card-not-present transaction such as an internet website.

00:02:54.766 --> 00:02:57.461
But then they'd have the CVV too, and so it makes the attack harder.

00:02:57.461 --> 00:02:58.461
Exactly.
