FAQ #1281 Diff
Are point-of-sale devices required to be physically secured (e.g. with a cable or tether) to prevent removal or substitution in order to meet PCI DSS Requirement 9.9?
No, PCI DSS Requirement 9.9 does not require devices to be fixed in place or physically attached to a surface. Requirement 9.9 and its three sub-requirements address three areas of device security:
Maintaining an up-to-date list of devices
Periodically inspecting devices to detect tampering or replacement, and
Providing training for personnel to be aware of suspicious behavior and detect attempts to tamper with or replace devices
Note that Requirement 9.9 applies only to card-reading devices (that is, where the card is physically swiped or dipped) at the point of sale. The requirement is also recommended, but is not required, for manual key-entry components such as computer keyboards and POS keypads.
Requirement 9.9 is a best practice until 30 June 2015, after which it becomes a requirement.
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.