Implementing PCI Requirement 9.10

PCI Requirement 9 states, “Restrict physical access to cardholder data.” Complying with PCI Requirement 9 is critical to ensuring that cardholder data is physically accessed only by authorized personnel. For this requirement, we’ve discussed aspects of physical security such as facility entry controls, visitor identification and access controls, how to physically secure media, controlling the distribution of media, how to destroy media, and more. But, as we’ve learned, it’s not enough just to learn and talk about these things. All policies, procedures, and standards must be implemented in order to comply with PCI Requirement 9.10.

PCI Requirement 9.10 states, “Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.” This is not only saying that your organization needs to maintain documented security policies and operational procedures; the policies and operational procedures need to be known and in use by all relevant parties. It is not sufficient that you generate documentation just for the sake of the audit; it is a requirement of this framework that the affected parties use the policies and procedures. Your assessor should be reading these documents, familiar with the policies and procedures, and interviewing staff to make sure that anybody who is subject to the policies and operational procedures understands what they are. If PCI Requirement 9.10 is not met, your cardholder data could be left vulnerable.

PCI Requirement 9.10 requires that you as an organization maintain policies and procedures around physical security. There are numerous policies and procedures that you should have that define the need for protecting the data center and protecting the physical devices that interact with cardholder data. Your assessor should be asking you for these policies and procedures, they should be interviewing your staff to make sure that what you have documented in your policies is actually in use, and that everything necessary for PCI Requirement 9 is documented.

Training on Tampering

Your organization must protect the integrity of devices that physically interact with cardholder data. PCI Requirement 9.9.3 requires that your organization provide training for personnel to be aware of attempted tampering or replacement of devices. This training needs to include:

  • Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. Criminals often pose as authorized maintenance personnel to gain access to your POS devices.
  • Do not install, replace, or return devices without verification. It’s common for criminals to send a “new” POS system/device in hopes that they will trick you into following their instructions to return the legitimate system to them, and you will install their fraudulent device.
  • Be aware of suspicious behavior around devices, for example, attempts by unknown persons to unplug or open devices.
  • Report suspicious behavior and indications of device tampering or substitution to appropriate personnel, like a manager or security officer.

To verify compliance with PCI Requirement 9.9.3, your assessor will review the training material you give personnel, interview personnel about the training they’ve received. They want to see that the training you have established is helping to implement PCI Requirement 9.9.

Wherever your organization might have a device that physically interacts with cardholder data, it’s required that you provide training to your staff to ensure the integrity of those devices. From an assessment perspective, we’re going to look to see that you’ve provided training and look at the training material. We’re going to interview the staff and ask them what training they’ve received, making sure that they understand they should not be swapping out these devices without some type of management authorization. If something shows up in the mail and says, “This is your new POS device, please install, then send us back the old one,” your employee will know this shouldn’t be happening. From an assessment perspective, we’re looking at the policies, procedures, and training that you’ve provided your staff and verifying that your staff is actually carrying out the activities that you’ve defined within your policies and procedures.

Inspect for Tampering or Substitution

PCI Requirement 9.9.2 is focused specifically on the physical inspection of devices that physically interact with payment card information. It states, “Periodically inspect device surfaces to detect tampering or substitution.” Complying with PCI Requirement 9.9.2 minimizes the potential use of fraudulent card-reading devices because periodic inspections will help you more quickly detect tampering and substitution.

Examples of Tampering

Tampering could be detected in many ways. If you see unexpected attachments or cables plugged into your device or different color casings, be suspicious. Photographs of devices that are known to be secure can be used to compare a device’s current appearance with its original appearance to see whether it has changed. Be especially on guard for finding a card skimmer attached to one of your card-reading devices.

Examples of Substitution

Does a device having missing or changed security labels? Have you checked serial numbers to verify nothing has been swapped with a fraudulent device? There are many methods to detect substitution. The PCI DSS also suggests using a secure marker, like a UV light marker, to mark your device’s surfaces.

Period Inspections

The location of the device, supervision of the device, and your annual risk-assessment process should all be factored into determining the frequency and type of inspections to implement. The PCI DSS explains, “Devices left in public areas without supervision by the organization’s personnel may have more frequent inspections than devices that are kept in secure areas or are supervised when they are accessible to the public.”

PCI Requirement 9.9.2 is specifically focused on the physical inspection of devices that you might have that interact with cardholder data. You are required to train your staff on how to inspect these devices. What are the types of things they’d be looking for to ensure they’ve not been modified? From an attacker’s perspective, individuals were buying these PTS devices off of eBay, compromising them, and selling them or sending them out to stores, compromising the information that would be flowing through them. This requirement is meant to address that. From an assessment perspective, we’ll be looking for the training that you’ve provided staff with, the policies and procedures you have around this, the training material you have, and evidence that you periodically inspect these devices for any unauthorized modification or tampering.

Keeping a List of Card-Reading Devices

If your organization utilizes devices that physically interact with cardholder data (card-reading devices), PCI Requirement 9.9.1 requires that you maintain an up-to-date list of devices. This list should be updated whenever devices are added, relocated, decommissioned, etc. This list should include:

  • Make and model of a device
  • Location of a device
  • Serial number of a device or other unique identification

The maintenance of this list could be automated (a device-management system) or manual (electronic or paper records), but all of the information above needs to be listed. This requirement wants you to maintain an up-to-date list of devices to help your organization keep track of where devices are supposed to be. If a device is missing, this list will quickly identify that.

An assessor will most likely take a sample from your list of card-reading devices and attempt to find them based off the information that the list gives them. Assessors may also have members of your staff participate in this exercise to ensure PCI Requirement 9.9.1 is implemented.

Wherever you have a device that physically interacts with cardholder data, PCI Requirement 9.9.1 requires that you maintain a list of these devices. This list is inclusive of several things, the make, the model, and the description of where it’s at, what it looks like – all things to help identify where these devices are and what they are. Your assessor is going to be asking you for that list of any devices that physically interact with cardholder data and looking to see whether you have that unique identifier, like a serial number or something that makes it unique to that particular asset. For this requirement, maintain the list. In subsequent requirements, we’ll talk about the assessment activities around that particular list.

Protecting Card-Reading Devices

Does your organization utilize card-reading devices? If so, you risk the chance of criminals tampering or manipulating your devices. PCI Requirement 9.9 tries to prevent this type of attack by requiring, “Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.” Card-reading devices include more than just the typical Ingenico device; this could include computer keyboards, POS keypads, and other card readers.

Why provide physical security for card-reading devices? Criminals often attempt to capture cardholder data by stealing, manipulating, substituting, or tampering with card-reading devices and terminals. For example, an attacker could steal devices in order to learn how to break into them. An attacker could also  replace legitimate devices with fraudulent devices that send them payment card information every time a card is entered. It’s also become common for skimming components to be added to card-reading devices. The PCI SSC’s skimming prevention resource defines skimming as the unauthorized capture and transfer of payment data to another source. Its purpose is to commit fraud, the threat is serious, and it can hit any merchant’s environment.

To comply with PCI Requirement 9.9, your organization must maintain a list of your card-reading devices, periodically inspect card-reading devices for tampering and substitution, and train your personnel on how to spot suspicious behavior and address it.

PCI Requirement 9.9 is new to the PCI DSS as of late. This particular requirement calls out the need for providing physical security for any device that might physically interact with cardholder data. This might be a physical or electronic device like an Ingenico device that you swipe for payment, it might be a keyboard that you swipe a card in, or it might be a card-swipe device that you put on the side of your terminal or monitor in order to take a card swipe. PCI Requirement 9.9 would apply to all of these. In this situation, PCI Requirement 9.9 says that you need to implement controls to protect these devices from unauthorized tampering and modification.