PCI Requirement 9.9.1 – Maintain an Up-To-Date List of Devices

by Randy Bartels / February 7, 2023

 Keeping a List of Card-Reading Devices If your organization utilizes devices that physically interact with cardholder data (card-reading devices), PCI Requirement 9.9.1 requires that you maintain an up-to-date list of devices. This list should be updated whenever devices are added, relocated, decommissioned, etc. This list should include: Make and model of a device Location of a device Serial number of a device or other unique identification The maintenance of…

PCI Requirement 9.9 – Protect Devices That Capture Payment Card Data via Direct Physical Interaction with the Card from Tampering and Substitution

by Randy Bartels / December 20, 2022

 Protecting Card-Reading Devices Does your organization utilize card-reading devices? If so, you risk the chance of criminals tampering or manipulating your devices. PCI Requirement 9.9 tries to prevent this type of attack by requiring, “Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.” Card-reading devices include more than just the typical Ingenico device; this could include computer keyboards, POS keypads,…

PCI Requirement 9.8.2 – Render CHD on Electronic Media Unrecoverable

by Randy Bartels / December 20, 2022

 How to Destroy Electronic Media As part of your data disposal policies, PCI Requirement 9.8.2 requires, “Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.” There are many methods for destroying electronic media, including: Secure Wiping – Use a secure, industry-accepted form of wiping to render data on a hard drive unreadable. Degaussing – Used to destroy data by demagnetizing a magnetic field on…

PCI Requirement 9.8.1 – Shred, Incinerate, or Pulp Hard-Copy Materials so CHD Cannot be Reconstructed

by Randy Bartels / December 20, 2022

 How to Dispose of Sensitive Documents PCI Requirement 9.8.1 requires you take two steps to securely dispose of sensitive documents: Shred, incinerate, or pulp hardcopy materials so that cardholder data cannot be reconstructed. Secure storage containers used for materials that are to be destroyed. Why do you need to use secure storage containers to secure materials that are going to be destroyed anyways? The use of secure storage containers…

PCI Requirement 9.8 – Destroy Media When it is no Longer Needed

by Randy Bartels / December 20, 2022

 Data Disposal Policies PCI Requirement 9.8 aligns with the methodology of many other PCI requirements: If you don’t need it, get rid of it. Remember PCI Requirement 3.1? It requires that organizations keep cardholder data storage to a minimum by implementing data retention and data disposal policies and procedures. PCI Requirement 9.8 is similar. It requires that organizations destroy media when it is no longer needed for business or…