PCI DSS 3.1, Requirement 9.9 Changes

PCI DSS 3.1 has just been released. As an organization that focuses specifically on Requirement 9.9, we thought we'd provide you, our customers and prospects, some guidance on the changes and what we believe to be the rationale behind them.

You can grab the summary of changes on the PCI Website, and a copy of the standard v3.1 here.

Please keep in mind that we are only covering the changes to Requirement 9.9 here, and nothing else. As always, your assessor may have a different opinion than what is presented here. Here is our perspective.

So what exactly are the changes?

The changes specifically state the following:

Updated testing procedure to clarify both devices and device locations need to be observed.

What does this mean?

In general, testing procedures apply during the assessment phase. So imagine your assessor is sitting in front of you; they would be asking you the following question:

"You have 1000 stores. Can we take a sample of this, this, and this other store? I'd like to see a list of the devices currently in these stores, and how, when, and by whom they have been Inspected in the past year."

What is the rationale?

Your assessor is looking for the following information, which makes sense (in our minds anyway):

  1. Sample of Devices to make sure that the Device Information is correct:

    • Do we know the current status of this particular device?
    • What do we know about the history of the device?
    • Do we know where it is and where it has been?
  2. Sample of Locations to make sure that Location Information is correct:

    • How many devices do we think are in this location?
    • Does our thinking match reality?
    • How did we come up with an Inspection Period for this location in the first place?

The point of this exercise is to reconcile the two sets of facts and arrive at the following conclusion (in the assessor's mind):

"If we think that this location x has 10 devices and can positively verify that the number is exactly 10; no-more, no-less...

and

If we think that each device in this location is supposed to be Inspected on a daily basis and can validate that...

then

We are reasonably certain that all locations are following almost exactly the same process."

If you are a math geek like me you might even call this Proof by Induction.
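As an added example (not SpotSkim's code and not from the original post), here is the reconciliation described above in Python: for each sampled location it checks the expected device count against the devices recorded there and flags any device whose last logged inspection is older than that location's Inspection Period. The inventory, location names and dates are constructed sample data.

```python
from datetime import date, timedelta

# Constructed sample inventory: each device records where it is and when it was inspected.
DEVICES = {
    "term-001": {"location": "store-17", "inspections": [date(2015, 4, 14), date(2015, 4, 15)]},
    "term-002": {"location": "store-17", "inspections": [date(2015, 4, 15)]},
    "term-003": {"location": "store-17", "inspections": [date(2015, 4, 10)]},  # not inspected for days
    "term-004": {"location": "store-42", "inspections": [date(2015, 4, 15)]},
}

# Constructed location records: how many devices we believe are there, and the Inspection Period.
LOCATIONS = {
    "store-17": {"expected_count": 3, "period_days": 1},  # daily inspections
    "store-42": {"expected_count": 2, "period_days": 7},  # weekly inspections
}


def devices_at(devices, location):
    """Devices whose own record says they are at this location."""
    return sorted(dev for dev, rec in devices.items() if rec["location"] == location)


def reconcile_location(devices, locations, location, as_of):
    """Reconcile one sampled location: does the device count match what we believe,
    and has every device there been inspected within the location's Inspection Period?"""
    loc = locations[location]
    present = devices_at(devices, location)
    period = timedelta(days=loc["period_days"])
    stale = [
        dev for dev in present
        if not devices[dev]["inspections"] or as_of - max(devices[dev]["inspections"]) > period
    ]
    return {
        "location": location,
        "expected": loc["expected_count"],
        "actual": len(present),
        "count_ok": len(present) == loc["expected_count"],
        "stale_devices": stale,
    }


def sample_report(devices, locations, sample, as_of):
    """Run the reconciliation over the locations the assessor sampled."""
    return {loc: reconcile_location(devices, locations, loc, as_of) for loc in sample}


if __name__ == "__main__":
    for loc, result in sample_report(DEVICES, LOCATIONS, ["store-17", "store-42"], date(2015, 4, 15)).items():
        print(loc, result)
```

A location that fails either check is exactly the gap the assessor's sampling is designed to surface: the inventory and reality disagree, or the Inspection Period is not being honoured.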

Customers that are using SpotSkim are covered. This clarification doesn't add anything new to what the solution already provides. As always, we continue to make improvements to make your process more consistent, faster, and cheaper. If you are a customer and are worried about what these changes mean for you, please feel free to reach out to us using the Support section of the portal.

If you are not a customer and are interested in learning more about SpotSkim, you can contact us here.

Header image by Nana B Agyei, used under CC 2.0