PCI DSS Requirement 9.9
April 28, 2015 - 2:00pm ET/9:00am PT
The new PCI DSS requirement 9.9 is currently a “best practice” that will become mandatory for compliance on July 1, 2015. This requirement was introduced in PCI DSS version 3.0 as a result of the inherent vulnerabilities of physical Point-of-Interaction (POI) devices. Recent high-profile attacks have shown that tampering, skimming, and device substitution at the POI are still seen as an opportunity by malicious individuals who want to steal cardholder data. The substitution of POIs or insertion of physical skimmers is relatively easy for a determined criminal. At the same time, advanced technologies (such as 3D printing and NFC), when coupled with outdated policies and undertrained staff, make POIs an especially appealing target.
The PCI council gave an additional six months for compliance with requirement 9.9 because of the complexity associated with developing and implementing wholly new organizational policy. The process of inspecting each device, tracking the devices in an inventory, and ensuring that the responsible staff in the organization are prepared with the right training and tools must all be considered, decided, and acted upon.
As the deadline for this requirement rapidly approaches, it is important to become familiar with the new policies, procedures and training for merchant organizations that are necessitated by requirement 9.9. Attendees of this webinar will learn:
- What the requirement is explicitly asking organizations to do
- What should be considered when creating policies to comply
- How to efficiently implement controls that won’t place an undue burden on the organization
- How properly implementing requirement 9.9 can help your organization reduce POI tampering and substitution attacks
- The requirement’s relationship to P2PE