Reference Content: This is a copy of content from the PCI Security Standards Council FAQ database, preserved for tracking changes over time.
FAQ #1281 Published

Are point-of-interaction devices required to be physically secured (for example, with a cable or tether) to prevent removal or substitution to meet PCI DSS Requirement 9.5?

No. PCI DSS does not require that point-of-interaction (POI) devices be physically attached or fixed in place. However, the requirements under Requirement 9.5.1 require controls to detect and prevent tampering or unauthorized substitution of POI devices that capture payment card data via direct interaction with the payment card form factor.

These controls include:

  • Maintaining an inventory of deployed POI devices.
  • Periodic inspections for signs of tampering or substitution.
  • Training staff to recognize suspicious behavior and to report device alterations.

These requirements apply to deployed POI devices used for card-present transactions (e.g., swipe, dip, or tap). These requirements do not apply to manual PAN entry or COTS devices (e.g., keyboards, tablets, or phones), although similar protections are considered best practice.

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.