PCI DSS Requirement 9 is fully dedicated to the physical security of cardholder data and how to protect it from criminals. Stealing cardholder data is not limited to hacking wizardries done remotely on computer systems. Criminals often attempt to access cardholder data by physically stealing hardware containing the data (a database server, a computer containing Excel files and so on) or paper receipts with cardholder data (quite common for businesses processing Mail Order transactions). Another very common practice is tampering with or substituting legitimate card-reading devices.


In general, throughout the PCI DSS the term “media” is used to identify any kind of medium (paper, disks, computers, etc.) that contains cardholder data. As criminals may gain access to those media and steal data, the PCI SSC has spent 5 pages of the latest version of the security standard - PCI DSS 3.1, published in April 2015 - on this particular requirement.

To help protect cardholder data from a physical point of view, PCI DSS Requirement 9 has been created with 10 sub-requirements. Each one of them is dedicated to a different aspect of physical security and explains how to complete particular tasks.

9.1 Monitor the physical access of personnel and visitors to the store using entry codes
9.2 Develop procedures to recognize personnel and visitors
9.3 Control the physical access of personnel and visitors to the store
9.4 Implement procedures to monitor physical access
9.5 Secure all media
9.6 Control the internal distribution of media
9.7 Monitor the way media are stored and accessed
9.8 Destroy un-needed media
9.9 Protect card-reading devices and terminals, used to capture cardholder data
9.10 Document all the procedures and policies related to protecting cardholder data


Let’s focus on the sub-requirement 9.9 for the moment, and try to break it down to understand what it means to comply with it for organizations that accept payments through a card-reading device or terminal and that want to achieve PCI Compliance.

Who should comply with PCI DSS Requirement 9.9?

Requirement 9.9 applies only to organizations that accept card-present transactions, based on face-to-face interactions between cashiers and customers. The most common devices that allow this type of transaction are the PoS (Point-of-Sale) terminal and the PED (PIN Entry Device). Whether your card-reading devices or terminals are standalone dial-out terminals or connected to a network, they fall into this category because they involve a physical interaction with payment cards and cardholders. Protecting devices and terminals is the only way to prevent criminals from tampering with them, stealing or replacing them with manipulated ones, skimming components, or attaching additional devices with the goal of collecting cardholder data while the transaction happens.

As the original publication from PCI SSC states,

“this requirement is also recommended, but not required, for manual key-entry components such as computer keyboards and POS keypads”

This means that it’s strongly suggested to protect any type of device that allows cardholder data to be entered with the goal of accepting a payment.

The following paragraphs of this article concentrate on the three major aspects into which requirement 9.9 is divided; each one of them explains how to carry out a particular series of tasks, which are:

  • Maintaining a list of devices;
  • Periodically inspecting devices to look for tampering or substitution;
  • Training personnel to be aware of suspicious behavior and to report tampering or substitution of devices.

Sub-Requirement 9.9.1 - Maintaining a list of devices

Monitoring the physical security of card-reading devices and terminals starts from a number of important details that organizations must track from the moment a device is unpacked and put into use. Creating a list of devices is definitely the way to start having control of each device. The minimum set of details to track is:

  • Make;
  • Model;
  • Location of device (for example, the address of the site or facility where the device is located);
  • Device serial number;
  • Other method of unique identification.

Keeping this list up to date is what organizations have to do to comply with this PCI DSS requirement. Most of them carry out this task using complex spreadsheets and a lot of manual work. The task is theoretically easy to complete when you deal with one terminal only and you are a very tidy manager, but it becomes more complicated with a growing number of terminals to keep under control, especially if they are used in different locations.

Sub-Requirement 9.9.2 - Periodically inspecting devices

The goal of this task is to detect tampering, skimming or substitution of card-reading devices and terminals. The main asset needed to complete it is a set of procedures describing how to inspect devices. These procedures have to be documented, and personnel must learn how to apply them in order to tell whether any of the devices has been tampered with, skimmed or replaced.

The PCI DSS 3.1 documentation suggests a few ways to inspect each device according to its type. Taking pictures is a great way to compare a device’s current appearance with its original appearance to see whether it has changed. A secure marker pen (such as a UV light marker) is a good way to mark device surfaces and device openings, so that any tampering or replacement will be apparent. Tampering techniques include, for instance, replacing the outer casing of a terminal.

The risk of tampering, skimming and replacement of card readers grows when these devices are left unattended. In such cases, it is important to inspect them more frequently than devices that are constantly under control or in direct contact with onsite personnel. Instructions about the type and frequency of inspections depend on the particular organization and are included in the documentation created to explain the inspection procedures.
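As an added example (not from the original article or the PCI SSC), the following Python sketch models the 9.9.1 device list and two checks that support 9.9.2 inspections: reconciling the serial numbers read off the devices at a site against the list, and flagging devices whose inspection is overdue, with a shorter interval for unattended devices. All device data, site names and inspection intervals are constructed placeholders, not PCI DSS figures.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Device:
    """One row of the 9.9.1 device list (make, model, location, serial)."""
    make: str
    model: str
    serial: str
    location: str
    unattended: bool      # assumption: unattended devices get a shorter inspection interval
    last_inspected: date


# Constructed sample inventory; serials and sites are made up.
INVENTORY = [
    Device("AcmePay", "T100", "SN-0001", "Store 12, Main St", False, date(2015, 7, 1)),
    Device("AcmePay", "T100", "SN-0002", "Store 12, Main St", True, date(2015, 6, 1)),
    Device("AcmePay", "P200", "SN-0003", "Store 31, Market Sq", False, date(2015, 7, 10)),
]

# Example inspection policy in days, keyed by the unattended flag (not a PCI DSS number).
INTERVAL_DAYS = {True: 7, False: 30}


def reconcile(location, observed_serials):
    """Compare serials read off the devices on site with the device list.

    Returns (missing, unexpected): 'missing' are inventoried devices not seen
    (possible theft or removal); 'unexpected' are devices seen but not listed
    (possible substitution or an unauthorised device).
    """
    expected = {d.serial for d in INVENTORY if d.location == location}
    observed = set(observed_serials)
    return sorted(expected - observed), sorted(observed - expected)


def overdue_inspections(today):
    """Serials whose last inspection is older than the interval for their risk class."""
    return sorted(
        d.serial for d in INVENTORY
        if today - d.last_inspected > timedelta(days=INTERVAL_DAYS[d.unattended])
    )


if __name__ == "__main__":
    print(reconcile("Store 12, Main St", ["SN-0001", "SN-9999"]))
    print(overdue_inspections(date(2015, 7, 15)))
```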

Sub-Requirement 9.9.3 - Training onsite personnel

Last but not least, all personnel should be trained to apply the procedures created to inspect the payment card readers. Criminals might be able to gain physical access to an organization by posing as authorized maintenance personnel. They use a series of tricks to do so, such as disguise and acting, or simply shipping new devices to a specific location with instructions on how to install and use them. Their goal is to get their hands on the card-reading devices or to have their own devices put into use.

So, first of all make sure you train your onsite personnel to:

“verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices”

This task can be completed in various ways: for instance, by checking internally with colleagues who can confirm the identity of the third-party personnel or, even better, by calling the POS maintenance company directly to confirm that they are genuine employees.

But this is not everything; sub-requirement 9.9.3 tells us more. Train your onsite personnel to:

  • Not permit the installation of software without confirming the identity of the third-party personnel;
  • Not accept the replacement or return of devices without confirming the identity of the third-party personnel;
  • Be aware of and report suspicious behavior around the devices (to prevent tampering and substitution).

It is crucial for the organization to help its onsite personnel carry out these tasks in two important ways:

  1. Keeping the documentation for each point-of-sale location up to date at all times.
  2. Interviewing a sample of personnel to make sure that they have received the expected training.

Conclusions

Requirement 9.9 is a relatively new one. It was published with PCI DSS 3.0 and evolved with PCI DSS 3.1. It has been effective since the 1st of July 2015, which means that not complying with it today amounts to not being PCI compliant.

The most common problems organizations experience with this requirement are related to planning and to the amount of work to carry out. Organizations may forget to inspect their card-reading devices and terminals regularly and would benefit from reminders and notifications. The devices to protect and monitor may be numerous and spread over a large territory. Organizations would benefit from a centralized database and a dashboard from which they could monitor each location and terminal in use.

Take a look at ZeroRisk PINpoint! If you are an organization that uses card-reading devices and terminals, you must protect them and you would benefit from the use of a solution that helps you do this in an easy and cost effective way.

Written by Marco Borza

I am the Founder of Advantio.
Technology has been my passion since I was a kid; when I first heard the handshake of an old 300bps modem I realised security would be key in an interconnected world. Since then it has become my passion and primary focus.
The reason I started my own business is to make IT Security simple.

Certifications: CISSP / CCSA (Checkpoint) / ITIL Foundations / ACSA (ArcSight) / Linux+ / PCI-QSA / PA-QSA