PCI Requirement 9.9 – Protect Devices That Capture Payment Card Data via Direct Physical Interaction

January 30, 2018
Learn more at https://kirkpatrickprice.com/video/pci-requirement-9-9-protect-devices-capture-payment-card-data-via-direct-physical-interaction-card-tampering-substitution/

Does your organization use card-reading devices? If so, you run the risk of criminals tampering with or manipulating those devices. PCI Requirement 9.9 aims to prevent this type of attack by requiring organizations to “Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.” Card-reading devices include more than the typical Ingenico terminal; the requirement also covers computer keyboards, POS keypads, and other card readers.

Why provide physical security for card-reading devices? Criminals often attempt to capture cardholder data by stealing, manipulating, tampering with, or substituting card-reading devices and terminals. For example, an attacker could steal devices in order to learn how to break into them. An attacker could also replace legitimate devices with fraudulent ones that send the attacker payment card information every time a card is entered. It has also become common for skimming components to be added to card-reading devices. The PCI SSC’s skimming prevention resource defines skimming as the unauthorized capture and transfer of payment data to another source. Its purpose is to commit fraud, the threat is serious, and it can affect any merchant’s environment.

To comply with PCI Requirement 9.9, your organization must maintain a list of its card-reading devices, periodically inspect those devices for tampering and substitution, and train personnel to recognize suspicious behavior and respond to it.
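The three controls above (an inventory, periodic inspections, and a way to spot substitution) can be supported by a simple reconciliation check. The following is an added example, not code from KirkpatrickPrice or from the PCI SSC: it compares the devices observed during a walk-through against the inventory and flags unknown devices (possible substitution), missing devices (possible theft), devices that have moved, and devices whose last inspection is older than a threshold. The inventory fields, serial numbers, locations, and the 30-day threshold are constructed assumptions for illustration.

```python
"""Reconcile card-reading devices observed on a walk-through against the inventory.

Added example (not from the original page). Serials, locations, models and
the inspection interval below are constructed placeholders, not real data.
"""
from dataclasses import dataclass, replace
from datetime import date


@dataclass(frozen=True)
class Device:
    serial: str          # serial number printed on the device
    make_model: str      # make/model as recorded in the inventory
    location: str        # where the device is supposed to be installed
    last_inspected: date # date of the last documented tamper inspection


# Constructed sample inventory (hypothetical values).
INVENTORY = {
    "SN-0001": Device("SN-0001", "Ingenico (model placeholder)", "Register 1", date(2018, 1, 20)),
    "SN-0002": Device("SN-0002", "Ingenico (model placeholder)", "Register 2", date(2017, 12, 1)),
    "SN-0003": Device("SN-0003", "Keypad (model placeholder)", "Customer service desk", date(2018, 1, 25)),
}


def reconcile(inventory, observed, today, max_age_days=30):
    """Compare observed devices (serial -> location seen) with the inventory.

    Returns a dict of findings:
      unknown  - serials seen on the floor but not in the inventory (possible substitution)
      missing  - inventoried serials not seen (possible theft or swap)
      moved    - serials seen at a location other than the recorded one
      overdue  - inventoried devices not inspected within max_age_days
    """
    findings = {"unknown": [], "missing": [], "moved": [], "overdue": []}
    for serial, seen_at in observed.items():
        dev = inventory.get(serial)
        if dev is None:
            findings["unknown"].append((serial, seen_at))
        elif dev.location != seen_at:
            findings["moved"].append((serial, dev.location, seen_at))
    for serial, dev in inventory.items():
        if serial not in observed:
            findings["missing"].append(serial)
        if (today - dev.last_inspected).days > max_age_days:
            findings["overdue"].append(serial)
    return findings


def record_inspection(inventory, serial, inspected_on):
    """Return a new inventory with the inspection date for `serial` updated.

    Raises KeyError for a serial that is not inventoried, so an inspection
    can never be logged against a device the organization does not own.
    """
    dev = inventory[serial]
    updated = dict(inventory)
    updated[serial] = replace(dev, last_inspected=inspected_on)
    return updated


if __name__ == "__main__":
    # Constructed walk-through result: one device moved, one unknown, one not found.
    observed = {"SN-0001": "Register 1", "SN-0003": "Register 2", "SN-0099": "Register 3"}
    for kind, items in reconcile(INVENTORY, observed, date(2018, 1, 30)).items():
        print(f"{kind}: {items}")
```

Each non-empty finding is something a trained employee should escalate rather than resolve on the spot: an unknown serial or a moved device is exactly the substitution scenario the requirement describes, and an overdue inspection means the periodic check itself has lapsed.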