Obviously, protecting against credit card fraud means protecting the data itself. But regardless of how much security is applied directly to that information, cybercriminals can still get their hands on it via the physical devices through which the data is transmitted.

That’s why, on June 30, new PCI DSS (Payment Card Industry Data Security Standard) requirements were put in place that necessitate merchants to protect those very devices.

Specifically, Section 9.9 of PCI DSS 3.1 — which addresses protection of “devices that capture payment card data via direct physical interaction with the card from tampering and substitution” — requires mid- to large-size retailers to track, among however many thousands of them exist in their ranks: the makes and models of devices; the device locations, and the device serial numbers (or other unique identifiers).

Joe Majka, Vice President & Chief Security Officer of Verifone, points out that, although these procedures are certainly necessary for tamper detection, “they nonetheless represent yet another complication for merchants and acquirers.”

To begin with, Majka explains, although many retailers are already tracking their device information in some form or fashion, a potential issue is that a lot may not be doing so in a manner adhering to the specific compliance requirements. If that’s the case, and a merchant’s devices — or (“more ominously, ” as Majka puts it) the network connecting them — are tampered with, they could be left on the hook for substantial liability.

As Majka points out, card skimming — the criminal activity of capturing payment card data by replacing legitimate payment devices with fraudulent ones — has impacted merchants “ranging from the smallest single-shop operators, to some of the largest, most well-known retail chains.” Despite protective efforts made in terms of visual monitoring (“a key requirement” in combating skimming, says Majka), the more skilled cybercriminals are nevertheless able to switch equipment and add skimmers, operating undetected for long periods of time.

How do they do get those phony devices in place to begin with? Majka observes that it’s stated plainly in the PCI DSS 3.1 requirements: “Criminals will often pose as authorized maintenance personnel in order to gain access to point of sale devices.”