The physical Point-of-Interaction (POI) devices that accept and process credit card transactions are among the most vulnerable attack vectors for criminals intent on stealing cardholder data. The combination of advancing technologies such as 3D printing and near field communication (NFC) with outdated policies and untrained staff gives fraudsters an opportunity to substitute POI devices or insert physical skimmers, which can result in large losses of cardholder data.
To combat this, the Payment Card Industry Data Security Standard (PCI-DSS), Version 3.0 introduced a new merchant requirement for inspection of payment devices.
This requirement, found in Section 9.9, is currently a "best practice" but will become a mandatory requirement for compliance on July 1, 2015. It mandates a new set of additional policies, procedures, and training for merchant organizations. Given these demands, it is recommended to start planning for the requirement now. Organizations that choose to delay the design, development, and implementation of these new processes until mid-2015 will be at risk of non-compliance with these new requirements.