PCI DSS Requirement 9.5: When Different Worlds Collide

Introduction

As a retailer, you might face some resistance from your business's key stakeholders when trying to implement a security risk-based approach to Requirement 9.5:

9.5 Point-of-interaction (POI) devices are protected from tampering and unauthorized substitution.

However, what if you were to convey this in terms of operational resilience, in a manner that has more meaning to these reluctant business stakeholders?

For example:

  • A Maintenance Inspection Schedule.

Suddenly you are starting to speak their language, as they need operational Point-of-Interaction (POI) devices to take card payments from their customers.

Whilst carrying out periodic maintenance inspections, couldn't they also be meeting the objective of 9.5?

"Criminals attempt to steal payment card data by stealing and/or manipulating card-reading devices and terminals. Criminals will try to steal devices so they can learn how to break into them, and they often try to replace legitimate devices with fraudulent devices that send them payment card data every time a card is entered."

Key Elements of PCI DSS Requirement 9.5 (extract from PCI DSS v4.0).

By linking Requirement 9.5 and its sub-requirements to operational resilience and the retailer's Mission Statement, compliance is instantly seen as having more importance than simply meeting the PCI DSS requirements.

The Importance of Operationally Resilient POI Devices

Let's look at a fictional example of a retailer, with the following Mission Statement:

"At ACME Limited, our mission is to redefine the retail landscape by prioritizing the customer at every turn. We are dedicated to building unwavering trust through transparency, reliability, and personalized service.
Our aim is to serve our customers by understanding their needs deeply and responding with innovative solutions that enhance their shopping experience.
We believe in creating memorable moments for every customer, ensuring their journey with us is not just transactional but truly transformative. By consistently exceeding expectations and embracing the power of feedback, we commit to continuous improvement and excellence in all we do.
ACME Limited is more than a retailer; we are a partner in our customers' lives, delivering value, convenience, and joy with every interaction."

Having sufficient operational POI devices is essential to ACME Ltd's Mission Statement and, consequently, an effective maintenance inspection schedule becomes vitally important. Now, what if the maintenance inspection schedule and staff training also happened to cover all of the elements needed for PCI DSS compliance?

WIN, WIN?

Recommendation

The bottom line is that if a retailer has a dependency on POI devices so that they can take card payments from their customers, then those POI devices become Important Business Systems (IBSs) and will need to have their integrity and availability safeguarded.

Consequently, whilst the retail staff are carrying out their maintenance checks (inventory, damaged casing, frayed cables, etc.), they are also helping to protect the same POI devices from tampering and unauthorized substitution.

Additionally, the point where these two worlds come together is an excellent basis for the Targeted Risk Analysis (TRA) that defines the inspection schedule:

  1. Identify the Asset(s) being protected.
  2. Identify the threat(s) that the requirement is protecting against.
  3. Identify the factor(s) that contribute to the likelihood and/or impact of the threat being realized.
  4. Describe the analysis of and justification for how frequently the requirement must be performed to minimize the likelihood of the threat being realized.
  5. Is an updated analysis needed, based on an annual review?
  6. Are there defined and documented policies and procedures for performing the entity’s targeted risk analyses (TRA) consistently?

Ask yourself:

Which of these would NOT be a consideration for operational resilience?
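To show how the routine maintenance walk-round can double as the Requirement 9.5 check, here is an added Python example (not from the original article) that compares what staff recorded against the POI inventory and a TRA-derived inspection interval, flagging possible substitution, tampering, availability faults and overdue checks. The inventory, intervals and inspection records are constructed sample data, and the "TerminalX" model name is a placeholder.

```python
from datetime import date, timedelta

# Constructed POI inventory for the fictional ACME Ltd: the model, serial and location PCI DSS 9.5.1 asks a retailer to record.
INVENTORY = {
    "TILL-01": {"model": "TerminalX", "serial": "SN-1001", "location": "checkout"},
    "TILL-02": {"model": "TerminalX", "serial": "SN-1002", "location": "checkout"},
    "KIOSK-01": {"model": "TerminalX", "serial": "SN-2001", "location": "unattended"},
}
# TRA steps 3 and 4: locations with likelihood-raising factors (public reach, no staff line of sight) get a shorter interval. Constructed values.
INSPECTION_INTERVAL_DAYS = {"checkout": 30, "unattended": 7}
# Constructed maintenance walk-round records: what staff note down anyway.
INSPECTIONS = [
    {"device": "TILL-01", "date": date(2024, 5, 1), "serial_seen": "SN-1001", "casing_ok": True, "cables_ok": True},
    {"device": "TILL-02", "date": date(2024, 5, 1), "serial_seen": "SN-9999", "casing_ok": True, "cables_ok": False},
    {"device": "KIOSK-01", "date": date(2024, 4, 20), "serial_seen": "SN-2001", "casing_ok": False, "cables_ok": True},
    {"device": "TILL-03", "date": date(2024, 5, 1), "serial_seen": "SN-3003", "casing_ok": True, "cables_ok": True},
]

def assess(inventory, inspections, today):
    """Map each device to a list of findings; an empty list means no action needed."""
    latest = {}
    for rec in inspections:  # keep only the most recent record per device
        if rec["device"] not in latest or rec["date"] > latest[rec["device"]]["date"]:
            latest[rec["device"]] = rec
    findings = {}
    for dev, item in inventory.items():
        issues = []
        rec = latest.get(dev)
        if rec is None:
            issues.append("never inspected")
        else:
            if rec["serial_seen"] != item["serial"]:
                issues.append("serial mismatch: possible substitution")
            if not rec["casing_ok"]:
                issues.append("casing damaged: possible tampering")
            if not rec["cables_ok"]:
                issues.append("cable fault: availability risk")
            if today - rec["date"] > timedelta(days=INSPECTION_INTERVAL_DAYS[item["location"]]):
                issues.append("inspection overdue")
        findings[dev] = issues
    for dev in latest.keys() - inventory.keys():  # seen on the shop floor, never issued
        findings[dev] = ["not in inventory: unauthorized device"]
    return findings

def demo_findings():  # run the assessment over the constructed data as of 3 May 2024
    return assess(INVENTORY, INSPECTIONS, date(2024, 5, 3))

if __name__ == "__main__":
    for dev, issues in demo_findings().items():
        print(dev, "OK" if not issues else "; ".join(issues))
```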

Conclusion

For a retailer with a dependency on POI devices, in support of their business success, having the continued availability of operational POI devices spans across both the PCI DSS v4.0 and the operational resilience worlds.

By explaining this as safeguarding the business's mission statement, from a business impact perspective, you reduce the likelihood of internal resistance to the change that these enhanced operational procedures bring.

Jim Seaman

Business Information Security Officer (BISO) | Cyber Security & Risk Consultant | PCI DSS Compliance Specialist | Author | Speaker | MSc, CISM, CRISC, CDPSE | 20+ Years in Security Risk Management
