Sniffers w/o MAC address?


Kent Tugo
07-16-2008, 08:25 AM
Here is one for the technical crowd:

In hopes of not needing to buy cameras to satisfy Section 9, we are employing MAC address filtering at our switches for each device. Of course, if someone can connect an in-line sniffer between POS, etc and the switch - this would defeat this countermeasure. The catch is this sniffer (more like a skimmer) would only work if it did not have a MAC address. Is this possible? I thought any sniffer would need an Ethernet address. I could see this device simply capturing the packets and storing locally - and no way to detect.

Is this possible theoretically and has anyone seen this kind of exploit?

lyalc
07-17-2008, 03:38 PM
The CCTV/camera requirement in Section 9 is for data centres (or other locations like a mail room) where you either store, process or transmit CHD.

MAC filtering on ports isn't going to be an effective compensating control that provides the physical entry audit trail and deterrent effect that well implemented CCTV does.

lyalc

mysigp226
12-09-2008, 01:06 PM
Here is one for the technical crowd:

In hopes of not needing to buy cameras to satisfy Section 9, we are employing MAC address filtering at our switches for each device. Of course, if someone can connect an in-line sniffer between POS, etc and the switch - this would defeat this countermeasure. The catch is this sniffer (more like a skimmer) would only work if it did not have a MAC address. Is this possible? I thought any sniffer would need an Ethernet address. I could see this device simply capturing the packets and storing locally - and no way to detect.

Is this possible theoretically and has anyone seen this kind of exploit?

Yes, it's possible, but would require physical access. Do a Google search for "network tap". NetOptics sells a full range of them.

lyalc
12-11-2008, 12:05 AM
Switch span/mirror ports also allow data packet sniffing without a MAC address.
Firewalls and most managed switches have a 'debug' function that allows packet capture. Hence, imho, the PCI need for these to be secured.

And of course, an in-line device that mimics the MAC of the 'true' device interface is not going to be detectable with MAC filtering.

The physical and/or logical controls are the overall protection, while MAC filtering works in some scenarios, not in those where physical access is not well managed.
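As an added illustration of the point made in this thread (this is example code, not something posted by any of the participants): a passive tap never sends a frame and a device that mimics the allowed MAC presents the same address, so the switch's MAC table, and therefore the MAC filter, stays silent. What both leave behind is a brief link down/up on the port when the cable is moved. The script below parses constructed switch syslog lines (Cisco-style wording, invented for the example), reports short flaps on POS ports and flags the ones outside staffed hours, then shows that a before/after MAC-table comparison finds nothing. The host name, port numbers, MAC addresses and business-hours window are all assumptions.

```python
"""Added example (not from the thread): flag switch ports whose link went
down and back up within a short window, which is the trace an in-line
device leaves even when it has no MAC address or mimics the allowed one."""
from datetime import datetime, timedelta
import re

# Constructed sample syslog lines in Cisco-style wording; not captured from a real switch.
SAMPLE_SYSLOG = """\
Jul 16 02:11:04 sw-pos-01 %LINK-3-UPDOWN: Interface GigabitEthernet0/12, changed state to down
Jul 16 02:11:09 sw-pos-01 %LINK-3-UPDOWN: Interface GigabitEthernet0/12, changed state to up
Jul 16 09:30:00 sw-pos-01 %LINK-3-UPDOWN: Interface GigabitEthernet0/20, changed state to down
Jul 16 09:45:00 sw-pos-01 %LINK-3-UPDOWN: Interface GigabitEthernet0/20, changed state to up
Jul 16 14:02:41 sw-pos-01 %LINK-3-UPDOWN: Interface GigabitEthernet0/7, changed state to down
Jul 16 14:02:52 sw-pos-01 %LINK-3-UPDOWN: Interface GigabitEthernet0/7, changed state to up
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) %LINK-3-UPDOWN: "
    r"Interface (?P<port>\S+), changed state to (?P<state>up|down)$"
)


def parse_events(text, year=2008):
    """Parse link up/down lines into (timestamp, host, port, state) tuples.
    Syslog omits the year, so it is supplied (assumption: one calendar year)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other message types are not relevant here
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["port"], m["state"]))
    return events


def suspicious_flaps(events, max_gap=timedelta(seconds=60), business_hours=(9, 18)):
    """Pair each 'down' with the next 'up' on the same port and keep pairs
    shorter than max_gap: long outages look like maintenance or a device left
    unplugged, short ones look like a cable being moved to insert something."""
    pending = {}  # (host, port) -> time the link went down
    flaps = []
    for ts, host, port, state in sorted(events):
        key = (host, port)
        if state == "down":
            pending[key] = ts
            continue
        down = pending.pop(key, None)
        if down is None or ts - down > max_gap:
            continue
        flaps.append({
            "host": host,
            "port": port,
            "down": down,
            "up": ts,
            "seconds": int((ts - down).total_seconds()),
            # outside staffed hours nobody should be touching POS cabling
            "after_hours": not (business_hours[0] <= down.hour < business_hours[1]),
        })
    return flaps


# Constructed MAC-table snapshots (port -> learned MAC) before and after the
# 14:02 flap. A passive tap sends no frames and a mimicking device presents
# the same address, so the table does not change.
MAC_TABLE_BEFORE = {
    "GigabitEthernet0/7": "00:11:22:33:44:55",
    "GigabitEthernet0/12": "00:11:22:33:44:66",
}
MAC_TABLE_AFTER = dict(MAC_TABLE_BEFORE)


def mac_table_changes(before, after):
    """Ports whose learned MAC differs between two snapshots (what a MAC filter can see)."""
    return {p for p in set(before) | set(after) if before.get(p) != after.get(p)}


if __name__ == "__main__":
    for f in suspicious_flaps(parse_events(SAMPLE_SYSLOG)):
        tag = "AFTER HOURS" if f["after_hours"] else "business hours"
        print(f"{f['host']} {f['port']}: link down {f['seconds']}s at {f['down']:%H:%M:%S} ({tag})")
    print("MAC filter would have flagged:",
          mac_table_changes(MAC_TABLE_BEFORE, MAC_TABLE_AFTER) or "nothing")
```

Run against the sample, the 15-minute outage on Gi0/20 is dropped as ordinary maintenance, while the 5-second flap at 02:11 and the 11-second flap at 14:02 are reported, and the MAC-table comparison returns an empty set. In practice the link events would come from the switch's syslog feed or an SNMP linkDown/linkUp trap receiver rather than a string literal, and the flap list is what gets correlated with the CCTV or access-log record that Section 9 actually asks for.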