PCI Requirement 9.9.2 – Periodically Inspect Device Surfaces to Detect Tampering or Substitution

by Randy Bartels / January 31st, 2018

Inspect for Tampering or Substitution

PCI Requirement 9.9.2 is focused specifically on the physical inspection of devices that physically interact with payment card information. It states, “Periodically inspect device surfaces to detect tampering or substitution.” Complying with PCI Requirement 9.9.2 minimizes the potential use of fraudulent card-reading devices because periodic inspections will help you more quickly detect tampering and substitution.

Examples of Tampering

Tampering could be detected in many ways. If you see unexpected attachments or cables plugged into your device or different color casings, be suspicious. Photographs of devices that are known to be secure can be used to compare a device’s current appearance with its original appearance to see whether it has changed. Be especially on guard for finding a card skimmer attached to one of your card-reading devices.

Examples of Substitution

Does a device having missing or changed security labels? Have you checked serial numbers to verify nothing has been swapped with a fraudulent device? There are many methods to detect substitution. The PCI DSS also suggests using a secure marker, like a UV light marker, to mark your device’s surfaces.

Period Inspections

The location of the device, supervision of the device, and your annual risk-assessment process should all be factored into determining the frequency and type of inspections to implement. The PCI DSS explains, “Devices left in public areas without supervision by the organization’s personnel may have more frequent inspections than devices that are kept in secure areas or are supervised when they are accessible to the public.”

PCI Requirement 9.9.2 is specifically focused on the physical inspection of devices that you might have that interact with cardholder data. You are required to train your staff on how to inspect these devices. What are the types of things they’d be looking for to ensure they’ve not been modified? From an attacker’s perspective, individuals were buying these PTS devices off of eBay, compromising them, and selling them or sending them out to stores, compromising the information that would be flowing through them. This requirement is meant to address that. From an assessment perspective, we’ll be looking for the training that you’ve provided staff with, the policies and procedures you have around this, the training material you have, and evidence that you periodically inspect these devices for any unauthorized modification or tampering.