The fundamental idea behind the PCI DSS requirements is to protect cardholder data from being stolen. PCI DSS version 3.1 contains 12 requirements a retailer must meet when accepting card payments. Compliance with PCI DSS, however, is not only about ticking a box for each of the 12 requirements; it is a set of necessities that should be integrated into an organization’s overall security and best practice processes. Physical security of payment devices at the Point of Sale now has a requirement of its own, 9.9, which must be met by June 30th 2015.
The new requirement was introduced to fight skimming by criminals who seem to get more and more creative in circumventing the technologies designed to stop them.
Below are some commonly held myths and misunderstandings surrounding the new requirement:
1. Requirement 9.9 is only about security processes and education
Not true! Requirement 9.9 states that a merchant must protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution. This includes maintaining a complete list of all devices, periodically inspecting devices for tampering and substitution, and training staff to identify tampered devices. Best practice, alongside these three resource-heavy obligations, is to prevent substitution and tampering in the first place by physically securing your devices, as described in the PCI Skimming Prevention: Best Practice for Merchants version 2, pages 18 and 21:
“Mount and secure the terminal and cables with locking stands, cable trays, and other securing mechanisms”
“Some terminals have slots so that you can attach a cable lock (as used to secure laptop computers) to the terminal. This is strongly recommended as best practice”
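As an added illustration, not part of the original post, of the device-list and inspection elements of requirement 9.9: a small Python reconciliation that compares what staff observed during an inspection against the maintained device list and flags inventoried devices that were not seen, serials that are not on the list, and a different serial at a known location (a possible substitution). The make/model, serials and locations are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    """One entry of the maintained device list: serial, make/model, location."""
    serial: str
    make_model: str
    location: str


# Constructed sample inventory (hypothetical serials, model and lanes).
INVENTORY = [
    Device("SN-0001", "VendorX Model1", "Lane 1"),
    Device("SN-0002", "VendorX Model1", "Lane 2"),
    Device("SN-0003", "VendorX Model1", "Lane 3"),
]

# Constructed inspection results: what staff actually found on the floor.
OBSERVED = [
    Device("SN-0001", "VendorX Model1", "Lane 1"),
    Device("SN-9999", "VendorX Model1", "Lane 2"),  # serial differs from the list
    # Lane 3 terminal was not found at all.
]


def reconcile(inventory, observed):
    """Compare inspection observations against the maintained device list.

    Returns a dict with three finding lists:
      substituted: (location, expected serial, observed serial) where a known
                   location shows a serial other than the inventoried one
      missing:     inventoried serials that were not observed anywhere
      unknown:     observed serials that are not on the list at all
    """
    inv_by_serial = {d.serial: d for d in inventory}
    inv_by_location = {d.location: d for d in inventory}
    seen_serials = {d.serial for d in observed}
    findings = {"substituted": [], "missing": [], "unknown": []}
    for obs in observed:
        expected = inv_by_location.get(obs.location)
        if obs.serial not in inv_by_serial:
            findings["unknown"].append(obs.serial)
        if expected is not None and expected.serial != obs.serial:
            # Known location, wrong serial: treat as a possible substitution.
            findings["substituted"].append((obs.location, expected.serial, obs.serial))
    for d in inventory:
        if d.serial not in seen_serials:
            findings["missing"].append(d.serial)
    return findings
```

Any non-empty finding list should trigger the escalation step of the inspection procedure rather than be silently logged.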
2. Physical security for payment terminals is just best practice!
Not true! It is best practice until June 30th 2015, after which it becomes a requirement.
Preventing payment terminals from being tampered with or substituted is a requirement introduced in the PCI DSS 3.0 standard and carried over into PCI DSS 3.1. Solutions for meeting the requirement are listed in the PCI Skimming Prevention: Best Practice for Merchants ver. 2.0.
3. We have P2PE terminals so we don’t need more security
Not true! PCI DSS 3.1 still applies to P2PE solutions and the same requirements must be met. The corresponding requirement is found in the PCI P2PE standard, page 101, requirement 3A-4.2, where P2PE solution providers must ensure that instructions are given on how to physically secure deployed devices to prevent unauthorized removal or substitution. These instructions are in the vendor's or solution provider's PIM (P2PE Implementation Manual).
4. Implementing physical security is too expensive
Not true! The cost of implementing the correct security solutions and processes is marginal compared to the cost of a potential breach and non-compliance. Fines for a breach and non-compliance can be as much as €395,000 (VISA), and on top of this come the costs of a PCI forensic investigation, reissuance of credit cards, and loss of customers due to lost trust in your organization.
5. Our Point of Sale Terminal is PCI approved so we do not need to do more
Not true! It is true that payment terminals are PCI approved, but this is separate from the PCI DSS standard a retailer must comply with. PCI DSS 3.1 Requirement 9.9 must still be met regardless of the type of terminal or technology.
Read more about the latest PCI DSS 3.1 standards and a best practice guide to help prevent skimming.