PCI DSS Requirement 9.9 

April 28, 2015 - 2:00pm ET/9:00am PT

The new PCI DSS requirement 9.9 is currently a “best practice” that will become mandatory for compliance on July 1, 2015. This requirement was introduced in PCI DSS version 3.0 as a result of the inherent vulnerabilities of physical Point-of-Interaction (POI) devices. Recent high-profile attacks have shown that tampering, skimming, and device substitution at the POI are still seen as an opportunity by malicious individuals who want to steal cardholder data. The substitution of POIs or insertion of physical skimmers is relatively easy for a determined criminal. At the same time, advanced technologies (such as 3D printing and NFC), when coupled with outdated policies and undertrained staff, make POIs an especially appealing target.

The PCI Council gave an additional six months for compliance with requirement 9.9 because of the complexity associated with developing and implementing wholly new organizational policy. The process of inspecting each device, tracking the devices in an inventory, and ensuring that the responsible staff in the organization are prepared with the right training and tools must all be considered, decided, and acted upon.

As the deadline for this requirement rapidly approaches, it is important to become familiar with the new policies, procedures and training for merchant organizations that are necessitated by requirement 9.9. Attendees of this webinar will learn:

  • What the requirement is explicitly asking organizations to do
  • What should be considered when creating policies to comply
  • How to efficiently implement controls that won’t cause an undue burden on the organization
  • How properly implementing requirement 9.9 can help your organization reduce POI tampering and substitution attacks
  • The requirement’s relationship to P2PE

Webinar speakers

Matt Getzelman
PCI Practice Director, Coalfire

Matt is Coalfire's PCI Practice Director. He has more than ten years of experience working with financial systems security. His experience covers a broad spectrum of security disciplines, from application and systems development to securing multiple distributed platforms, mainframe and acquiring financial environments. Matt has audit and assessment experience across the entire hierarchy of financial organizations, from the largest processors and banks and Fortune 500 companies on down to the smallest of merchants.


Vasu Nagendra
CEO and Founder, Termtegrity

Vasu is the driving force behind the company's strategic direction, product strategy, and business development. Prior to founding Termtegrity, Vasu managed Sales Engineering for RSA, The Security Division of EMC, with a focus on RSA’s Payment Security, Data Encryption, and Data Loss Prevention Solutions. Prior to joining RSA, he was a key member of the Loss Prevention team at North America’s largest closeout retailer, Big Lots. Vasu holds an MS in Electrical Engineering from Wright State University. He is the named inventor on several patents related to Termtegrity's core business.