spotskim solution brief

The Solution Brief is an overview of PCI DSS requirement 9.9 that looks at what the Report On Compliance (ROC) template asks a Qualified Security Assessor (QSA) to inspect during an assessment and how SpotSkim helps merchants achieve compliance.



PCI DSS Requirement 9.9

New Physical Security Requirements for MErchants

Coalfire's Matt Getzelman reviews the upcoming requirement from a QSA's perspective with Termtegrity founder Vasu Nagendra lending his expertise on what makes a "good" inspection and other considerations for merchants as they plan to comply. 



Coalfire Perspective - SpotSkim as a PCI DSS Requirement 9.9 Compliance Tool

Termtegrity contracted Coalfire Systems Inc. (Coalfire) to evaluate the Termtegrity SpotSkim solution’s ability to aid organizations with PCI Compliance. Coalfire’s deep industry knowledge and independence from Termtegrity allows them to give an objective evaluation of SpotSkim with relation to requirement 9.9 of the PCI Data Security Standard (DSS).

This white paper overviews the testing procedures within each sub-requirement and gives a narrative around how an organization could leverage SpotSkim for each. It concludes by affirming that SpotSkim is a tool that makes management of and compliance with requirement 9.9 easier and simpler.

Coalfire SpotSkim Perspective PCI DSS 9.9

liquidnexxus - Understanding requirement 9.9

PCI DSS requirement 9.9 not only applies to merchants who accept credit cards, but ATMs as well. This paper discusses the requirement and its sub-controls with a focus on ATM inspection.

On 1 July 2015 the new Payment Card Industry (PCI) Data Security Standard (DSS) requirement 9.9 moves from a best practice to mandatory requirement for compliance. The requirement was added to the third revision of the DSS based on the global threat of Point-of-Interaction (POI) device tampering, substitution, and skimming.


halock - complying with pci dss requirement 9.9

With the release of PCI DSS v3.0, the 9.9 requirement was introduced to help organizations combat point of interaction (POI) device fraud by requiring them to inventory and inspect devices.Organizations are now expected to train personnel to look for suspicious activity with all physical devices. This is a major change, as previous versions of the DSS did not require any point of interaction inspections whatsoever.


Sysnet - pci dss v3.0 compliance: A closer look at requirement 9.9 

While EMV chip technology (chip & pin) and other technical measures have been effective at reducing card fraud in many countries across the world, criminals are increasingly resorting to physical attacks in order to steal cardholder data at the point of sale, or to devise new methods for data compromise.

To address this risk, in 2009 the Payment Card Industry Security Standards Council (PCI SSC) issued their skimming prevention information supplements to help merchants protect themselves against cardholder data exposure caused by the use of skimming (tampering) and substitution techniques. However this was always best practice advice and was not enforced in the Payment Card Industry Data Security Standard (PCI DSS).

Dr. Branden Williams - preventing terminal tampering

Requirement 9.9 consists of eight sub-requirements designed to add a layer of protection on one of the most visible parts of the cardholder data environment—the terminal. Over the last several years, these devices have been under increasing scrutiny by both attackers and the payment card industry at large. Terminals must pass through a PIN Transaction Security (PTS) standard assessment before boarding. These standards evolved specifically to add controls to the terminal itself through physical and electronic hardening. Since these devices are the first interaction with a payment card, the right kind of compromise could yield criminals with thousands of instances of payment card data...


Coalfire - Complying with PCI DSS REQUIREMENT 9.9

The physical Point-of-Interaction (POI) devices that accept and process credit card transactions can be one of the most vulnerable attack vectors for criminals’ intent on stealing cardholder data. The combination of advancing technologies like 3D printing or near field communication (NFC) with outdated policies and untrained staff allows fraudsters an opportunity for substitution of POIs and insertion of physical skimmers that can result in huge losses of cardholder data.

To combat this, the Payment Card Industry Data Security Standard (PCI DSS), Version 3.0 introduced a new requirement, found in Section 9.9. This requirement is currently a “best practice” but will become a mandatory requirement for compliance July 1, 2015...

Screen Shot 2014-12-22 at 10.12.59 AM.png



other resources

Here are additional external resources that will help with next steps if you suspect a compromise within your organization.