9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
Note: These requirements apply to card-reading devices used in card-present transactions (that is, card swipe or dip) at the point of sale. This requirement is not intended to apply to manual key-entry components such as computer keyboards and POS keypads.
Note: Requirement 9.9 is a best practice until June 30, 2015, after which it becomes a requirement.
9.9 Examine documented policies and procedures to verify they include:
• Maintaining a list of devices
• Periodically inspecting devices to look for tampering or substitution
• Training personnel to be aware of suspicious behavior and to report tampering or substitution of devices.
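As an added example (not PCI SSC text and not any vendor's tool), the following Python script shows how the first two bullets can be checked mechanically: it reconciles the maintained device list against what was actually found during a physical inspection, flagging a serial that does not match the inventory (possible substitution), a device present at a location with no inventory entry (unknown device), a listed device that was not found (possibly removed or stolen), and devices whose inspection is overdue. The `Device` fields, the 90-day interval, and the sample inventory and walk-through results are assumptions constructed for illustration.

```python
"""Reconcile a point-of-sale device inventory against a physical inspection.
Added example; the data model, interval and sample data are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Device:
    location: str       # where the device is installed (assumed field)
    make_model: str     # assumed field
    serial: str         # serial number read off the device (assumed field)
    last_inspected: date


# Constructed inventory: the authoritative "list of devices" from the requirement.
INVENTORY = [
    Device("Lane 1", "ExampleCo R100", "SN-0001", date(2015, 5, 1)),
    Device("Lane 2", "ExampleCo R100", "SN-0002", date(2015, 2, 1)),
    Device("Lane 3", "ExampleCo R100", "SN-0003", date(2015, 5, 1)),
]

# Constructed walk-through result: (location, serial read off the device).
OBSERVED = [
    ("Lane 1", "SN-0001"),  # matches inventory
    ("Lane 2", "SN-9999"),  # serial differs from inventory: possible substitution
    ("Lane 4", "SN-0004"),  # location has no inventory entry: unknown device
    # Lane 3 was not found during the inspection at all
]

INSPECTION_INTERVAL = timedelta(days=90)  # assumed policy value, not from PCI DSS


def reconcile(inventory, observed):
    """Compare an inspection against the inventory.

    Returns a sorted list of (severity, location, message) findings.
    """
    findings = []
    by_location = {d.location: d for d in inventory}
    by_serial = {d.serial: d for d in inventory}
    seen_locations = set()

    for location, serial in observed:
        seen_locations.add(location)
        expected = by_location.get(location)
        if expected is None:
            findings.append(("high", location,
                             f"device {serial} found at a location not in inventory"))
        elif expected.serial != serial:
            known = by_serial.get(serial)
            if known is None:
                findings.append(("high", location,
                                 f"serial {serial} differs from inventory {expected.serial}; "
                                 "possible substitution"))
            else:
                findings.append(("medium", location,
                                 f"device {serial} moved here from {known.location}"))

    for dev in inventory:
        if dev.location not in seen_locations:
            findings.append(("high", dev.location,
                             f"device {dev.serial} not found during inspection"))

    return sorted(findings)


def overdue(inventory, today):
    """Serials of devices whose last inspection is older than the interval."""
    return [d.serial for d in inventory
            if today - d.last_inspected > INSPECTION_INTERVAL]


if __name__ == "__main__":
    for severity, location, message in reconcile(INVENTORY, OBSERVED):
        print(f"[{severity}] {location}: {message}")
    print("overdue for inspection:", overdue(INVENTORY, date(2015, 6, 30)))
```

Matching first by location and then by serial lets the script tell a substituted device (unknown serial at a known location) apart from a legitimate device that was merely relocated, which keeps the high-severity findings focused on the tampering and substitution cases the requirement is about.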
Criminals attempt to steal cardholder data by stealing and/or manipulating card-reading devices and terminals. For example, they will try to steal devices so they can learn how to break into them, and they often try to replace legitimate devices with fraudulent devices that send them payment card information every time a card is entered. Criminals will also try to add “skimming” components to the outside of devices, which are designed to capture payment card details before they even enter the device—for example, by attaching an additional card reader on top of the legitimate card reader so that the payment card details are captured twice: once by the criminal’s component and then by the device’s legitimate component. In this way, transactions may still be completed without interruption while the criminal is “skimming” the payment card information during the process.
This requirement is recommended, but not required, for manual key-entry components such as computer keyboards and POS keypads.
Additional best practices on skimming prevention are available on the PCI SSC website.