PCI Requirement 9.9 – Protect Devices That Capture Payment Card Data via Direct Physical Interaction with the Card from Tampering and Substitution

by Randy Bartels / January 31st, 2018

Protecting Card-Reading Devices

Does your organization use card-reading devices? If so, you are exposed to criminals tampering with or substituting those devices. PCI Requirement 9.9 addresses this attack by requiring organizations to, “Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.” Card-reading devices include more than the typical Ingenico terminal; the requirement also covers keyboards with integrated card readers, POS keypads, and any other reader through which a card is swiped, dipped, or tapped.

Why provide physical security for card-reading devices? Criminals often attempt to capture cardholder data by stealing, manipulating, substituting, or tampering with card-reading devices and terminals. For example, an attacker may steal a device in order to study how to break into it. An attacker may also replace a legitimate device with a fraudulent one that sends the attacker the payment card data every time a card is used. It has also become common for skimming components to be added to existing card-reading devices. The PCI SSC’s skimming prevention guidance defines skimming as the unauthorized capture and transfer of payment data to another source. Its purpose is to commit fraud, the threat is serious, and it can hit any merchant’s environment.

To comply with PCI Requirement 9.9, your organization must maintain an up-to-date list of your card-reading devices, periodically inspect those devices for signs of tampering and substitution, and train your personnel to recognize and report suspicious behavior around the devices and any signs that a device has been altered or replaced.
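The inventory and periodic-inspection parts of this requirement are easiest to keep honest when a walk-through inspection is reconciled against the authorized device list rather than just ticked off. The script below is an added example, not code from the original article or from any PCI SSC resource: it compares the serial numbers read off devices during an inspection with the authorized inventory and flags substituted serials, missing devices, devices that are not in the inventory at all, and devices whose inspection is overdue. The inventory fields (make and model, location, serial number, last inspection date), the 30-day inspection interval, and all device records and observed serials are constructed assumptions for illustration; pick the interval from your own risk assessment.

```python
"""Reconcile a walk-through inspection of card-reading devices against the
authorized inventory (added example; all data below is constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed inspection interval; choose yours from your risk assessment.
INSPECTION_INTERVAL = timedelta(days=30)


@dataclass(frozen=True)
class Device:
    device_id: str
    make_model: str
    location: str
    serial: str
    last_inspected: date


# Constructed authorized inventory (the list PCI Requirement 9.9 asks you to keep).
INVENTORY = [
    Device("POS-01", "Ingenico iPP320", "Lane 1", "SN-1001", date(2018, 1, 20)),
    Device("POS-02", "Ingenico iPP320", "Lane 2", "SN-1002", date(2018, 1, 20)),
    Device("POS-03", "Verifone VX520", "Customer service", "SN-1003", date(2018, 1, 25)),
    Device("POS-04", "Verifone VX520", "Returns desk", "SN-1004", date(2017, 11, 15)),
]

# Constructed result of a walk-through inspection: location -> serial read
# off the device's label. Lane 2 shows a different serial (substitution),
# Customer service has no device at all, and an unlisted device sits in the
# stock room.
OBSERVED = {
    "Lane 1": "SN-1001",
    "Lane 2": "SN-9999",
    "Returns desk": "SN-1004",
    "Stock room": "SN-2000",
}


def reconcile(inventory, observed, today):
    """Return a list of (finding, device_or_serial, detail) tuples.

    Findings are emitted in inventory order, followed by any observed
    device that does not appear in the inventory.
    """
    findings = []
    known_locations = set()
    for dev in inventory:
        known_locations.add(dev.location)
        serial = observed.get(dev.location)
        if serial is None:
            findings.append(("MISSING", dev.device_id, dev.location))
        elif serial != dev.serial:
            findings.append(("SUBSTITUTED", dev.device_id,
                             f"expected {dev.serial}, found {serial}"))
        if today - dev.last_inspected > INSPECTION_INTERVAL:
            findings.append(("INSPECTION_OVERDUE", dev.device_id,
                             f"last inspected {dev.last_inspected.isoformat()}"))
    for location, serial in observed.items():
        if location not in known_locations:
            findings.append(("UNKNOWN_DEVICE", serial, location))
    return findings


if __name__ == "__main__":
    for finding in reconcile(INVENTORY, OBSERVED, date(2018, 1, 31)):
        print(*finding)
```

A substituted or unknown device is the finding to escalate immediately, since it is exactly the fraudulent-device scenario described above; an overdue inspection is a process gap to close before an assessor finds it.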

PCI Requirement 9.9 is a relatively recent addition to the PCI DSS, introduced in version 3.0. It calls out the need to provide physical security for any device that physically interacts with the payment card itself. That might be a dedicated terminal such as an Ingenico device that you swipe a card through, a keyboard with a built-in card reader, or a card-swipe attachment mounted on the side of a terminal or monitor. PCI Requirement 9.9 applies to all of these, and it requires you to implement controls that protect these devices from unauthorized tampering, modification, and substitution.