FAQ #1281 Diff

Are point-of-sale devices required to be physically secured (e.g. with a cable or tether) to prevent removal or substitution in order to meet PCI DSS Requirement 9.9?

Earlier Version

No, Requirement 9.9 does not require devices to be fixed in place or physically attached to a surface. Requirement 9.9 and its three sub-requirements address three areas of device security:

Maintaining an up-to-date list of devices
Periodically inspecting devices to detect tampering or replacement, and
Providing training for personnel to be aware of suspicious behavior and detect attempts to tamper with or replace devices

Note that Requirement 9.9 applies only to card-reading devices (that is, where the card is physically swiped or dipped) at the point of sale. The requirement is also recommended, but is not required, for manual key-entry components such as computer keyboards and POS keypads.

Later Version

No. PCI DSS does not require that point-of-interaction (POI) devices be physically attached or fixed in place. However, Requirements under Requirement 9.5.1 require controls to detect and prevent tampering or unauthorized substitution of POI devices that capture payment card data via direct interaction with the payment card form factor.

These controls include:

Maintaining an up-to-date inventory of deployed POI devices.
Periodic inspections for signs of tampering or substitution.
Training staff to recognize suspicious behavior and to report device alterations.

These requirements apply to deployed POI devices used for card-present transactions (e.g., swipe, dip, or tap). These requirements do not apply to manual PAN entry or COTS devices (e.g., keyboards, tablets, or phones), although similar protections are considered best practice.

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.