[PCI DSS 3.0] 9.9.2 Periodically inspect device surfaces to detect tampering (for example, addition of card skimme

9.9.2 Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).

Note: Examples of signs that a device might have been tampered with or substituted include unexpected attachments or cables plugged into the device, missing or changed security labels, broken or differently colored casing, or changes to the serial number or other external markings.

9.9.2.a Examine documented procedures to verify processes are defined to include the following:
• Procedures for inspecting devices
• Frequency of inspections.

9.9.2.b Interview responsible personnel and observe inspection processes to verify:
• Personnel are aware of procedures for inspecting devices.
• All devices are periodically inspected for evidence of tampering and substitution.

Regular inspections of devices will help organizations to more quickly detect tampering or replacement of a device, and thereby minimize the potential impact of using fraudulent devices.
The type of inspection will depend on the device— for example, photographs of devices that are known to be secure can be used to compare a device’s current appearance with its original appearance to see whether it has changed.
Another option may be to use a secure marker pen, such as a UV light marker, to mark device surfaces and device openings so any tampering or replacement will be apparent. Criminals will often replace the outer casing of a device to hide their tampering, and these methods may help to detect such activities. Device vendors may also be able to provide security guidance and “how to” guides to help determine whether the device has been tampered with.
The frequency of inspections will depend on factors such as location of device and whether the device
is attended or unattended. For example, devices left in public areas without supervision by the organization’s personnel may have more frequent inspections than devices that are kept in secure areas or are supervised when they are accessible to the public. The type and frequency of inspections is determined by the merchant, as defined by their annual risk-assessment process.