The physical Point-of-Interaction (POI) devices that accept and process credit card transactions can be one of the most vulnerable attack vectors for criminals intent on stealing cardholder data. The combination of advancing technologies such as 3D printing and near field communication (NFC) with outdated policies and untrained staff gives fraudsters an opportunity to substitute POI devices and insert physical skimmers, which can result in large losses of cardholder data.

To combat this, the Payment Card Industry Data Security Standard (PCI-DSS), Version 3.0 introduced a new requirement, found in Section 9.9. This requirement is currently considered a "best practice" but becomes mandatory for compliance on July 1, 2015. It requires a new set of additional policies, procedures, and training for merchant organizations: maintaining an inventory of POI devices, periodically inspecting them for tampering or substitution, and training personnel to recognize and report attempts to tamper with or replace devices. Organizations that choose to delay the design, development, and implementation of these new processes until mid-2015 will be at risk of non-compliance with these new requirements.

A free white paper from Coalfire. Download here, registration required.