PCI (Payment Card Industry Security Standard)_Req 9.9.2

PCI (Payment Card Industry Security Standard)

Restrict physical access to cardholder data

Req 9.9.2

9.9.2 Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices) or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).

Note: Examples of signs that a device might have been tampered with or substituted include unexpected attachments or cables plugged into the device, missing or changed security labels, broken or differently colored casing, or changes to the serial number or other external markings.

Regular inspections of devices will help organizations to more quickly detect tampering or replacement of a device, and thereby minimize the potential impact of using fraudulent devices. The type of inspection will depend on the device. For example, photographs of devices that are known to be secure can be used to compare a device’s current appearance with its original appearance to see whether it has changed. Another option may be to use a secure marker pen, such as a UV light marker, to mark device surfaces and device openings so any tampering or replacement will be apparent. Criminals will often replace the outer casing of a device to hide their tampering, and these methods may help to detect such activities. Device vendors may also be able to provide security guidance and “how to” guides to help determine whether the device has been tampered with.

The frequency of inspections will depend on factors such as location of device and whether the device is attended or unattended. For example, devices left in public areas without supervision by the organization’s personnel may have more frequent inspections than devices that are kept in secure areas or are supervised when they are accessible to the public. The type and frequency of inspections is determined by the merchant, as defined by their annual risk-assessment process.




What is a Cybersecurity Compliance Framework?

You don’t need to clutter your security and privacy programs with an ever-increasing number of tools as they become more sophisticated. The Lionfish platform offers a one-stop solution to track progress and monitor any framework, from custom-built ones to highly-specialized and in-demand top security and privacy frameworks and certifications.

With the Lionfish platform, every framework is supported with guided scoping, policies, controls, automated evidence collection, and continuous monitoring, ensuring efficient preparation for audits or attestation in minimal time.

The Lionfish platform is compatible with a wide range of security and privacy frameworks, including:
