Back

Inspect device surfaces to detect unauthorized substitution.


CONTROL ID
11869
CONTROL TYPE
Investigate
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Monitor for evidence of when tampering indicators are being identified., CC ID: 11905

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device). (9.9.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution. (9.9, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device). (9.9.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device). (9.9.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution. (9.9, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Do policies and procedures require that devices are periodically inspected to look for tampering or substitution? (9.9 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B and Attestation of Compliance, Revision 1.1)
  • Are device surfaces periodically inspected to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device) as follows? (9.9.2 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B and Attestation of Compliance, Revision 1.1)
  • Do policies and procedures require that devices are periodically inspected to look for tampering or substitution? (9.9(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B and Attestation of Compliance, Verions 3.2)
  • Are device surfaces periodically inspected to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device) as follows? (9.9.2(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B and Attestation of Compliance, Verions 3.2)
  • Are device surfaces periodically inspected to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device) as follows? (9.9.2 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Are device surfaces periodically inspected to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device) as follows? (9.9.2(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.2)
  • Do policies and procedures require that devices are periodically inspected to look for tampering or substitution? (9.9(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.2)
  • Do policies and procedures require that devices are periodically inspected to look for tampering or substitution? (9.9 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Are device surfaces periodically inspected to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device) as follows? (9.9.2 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Do policies and procedures require that devices are periodically inspected to look for tampering or substitution? (9.9(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Are device surfaces periodically inspected to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device) as follows? (9.9.2(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Are device surfaces periodically inspected to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device) as follows? (9.9.2 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are device surfaces periodically inspected to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device) as follows? (9.9.2(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Do policies and procedures require that devices are periodically inspected to look for tampering or substitution? (9.9(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are device surfaces periodically inspected to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device) as follows? (9.9.2 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are device surfaces periodically inspected to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device) as follows? (9.9.2(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Do policies and procedures require that devices are periodically inspected to look for tampering or substitution? (9.9(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are device surfaces periodically inspected to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device) as follows? (9.9.2 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.1)
  • Are device surfaces periodically inspected to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device) as follows? (9.9.2(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.2)
  • Do policies and procedures require that devices are periodically inspected to look for tampering or substitution? (9.9(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.2)
  • Examine documented procedures to verify processes are defined to include the following: - Procedures for inspecting devices - Frequency of inspections. (9.9.2.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Examine documented policies and procedures to verify they include: - Maintaining a list of devices - Periodically inspecting devices to look for tampering or substitution - Training personnel to be aware of suspicious behavior and to report tampering or substitution of devices. (9.9, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Interview responsible personnel and observe inspection processes to verify: - Personnel are aware of procedures for inspecting devices. - All devices are periodically inspected for evidence of tampering and substitution. (9.9.2.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • POI device surfaces are periodically inspected to detect tampering and unauthorized substitution. (9.5.1.2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Periodically inspecting POI devices to look for tampering or unauthorized substitution. (9.5.1 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • All devices are periodically inspected for evidence of tampering and unauthorized substitution. (9.5.1.2.b Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine documented procedures to verify processes are defined for periodic inspections of POI device surfaces to detect tampering and unauthorized substitution. (9.5.1.2.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Periodically inspecting POI devices to look for tampering or unauthorized substitution. (9.5.1 Bullet 2, Self-Assessment Questionnaire B and Attestation of Compliance for use with PCI DSS Version 4.0)
  • POI device surfaces are periodically inspected to detect tampering and unauthorized substitution. (9.5.1.2, Self-Assessment Questionnaire B and Attestation of Compliance for use with PCI DSS Version 4.0)
  • POI device surfaces are periodically inspected to detect tampering and unauthorized substitution. (9.5.1.2, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Periodically inspecting POI devices to look for tampering or unauthorized substitution. (9.5.1 Bullet 2, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • POI device surfaces are periodically inspected to detect tampering and unauthorized substitution. (9.5.1.2, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Periodically inspecting POI devices to look for tampering or unauthorized substitution. (9.5.1 Bullet 2, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • POI device surfaces are periodically inspected to detect tampering and unauthorized substitution. (9.5.1.2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Periodically inspecting POI devices to look for tampering or unauthorized substitution. (9.5.1 Bullet 2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Periodically inspecting POI devices to look for tampering or unauthorized substitution. (9.5.1 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • POI device surfaces are periodically inspected to detect tampering and unauthorized substitution. (9.5.1.2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Periodically inspecting POI devices to look for tampering or unauthorized substitution. (9.5.1 Bullet 2, Self-Assessment Questionnaire P2PE and Attestation of Compliance for use with PCI DSS Version 4.0)
  • POI device surfaces are periodically inspected to detect tampering and unauthorized substitution. (9.5.1.2, Self-Assessment Questionnaire P2PE and Attestation of Compliance for use with PCI DSS Version 4.0)