Understanding PCI DSS Requirement 9.9

Compliance, Considerations, Solutions

PCI DSS requirement 9.9 not only applies to merchants who accept credit cards, but ATMs as well. This paper discusses the requirement and its sub-controls with a focus on ATM inspection.

On 1 July 2015 the new Payment Card Industry (PCI) Data Security Standard (DSS) requirement 9.9 moves from a best practice to mandatory requirement for compliance. The requirement was added to the third revision of the DSS based on the global threat of Point-of-Interaction (POI) device tampering, substitution, and skimming.