FAQ #1281 Diff

Are point-of-sale devices required to be physically secured (e.g. with a cable or tether) to prevent removal or substitution in order to meet PCI DSS Requirement 9.9?

Legend: [-text removed from the earlier version-] {+text added in the later version+}

No[-.-]{+, PCI DSS Requirement 9.5 does not require devices to be fixed in place or physically attached to a surface. Requirement 9.5 and its three sub-requirements address three areas of device security:+}

{+Maintaining an up-to-date list of POI devices,+}
{+Periodically inspecting POI devices to detect tampering and unauthorized substitution, and+}
{+Providing training for personnel in POI environments to be aware of attempted tampering or replacement of POI devices.+}

Note [-that point-of-interaction (POI) devices be physically attached or fixed-] {+Requirement 9.5 applies only to deployed POI devices used+} in [-place. However, Requirements under Requirement 9.5.1 require controls to detect and prevent tampering or unauthorized substitution of POI devices-] {+card-present transactions (that is, a payment card form factor such as a card that+} [-capture payment card data via direct interaction with the payment card form factor.-] {+is swiped, tapped, or dipped).+}

These [-controls include:-] {+requirements do not apply to, but are recommended best practices for:+}

[-Maintaining an inventory of deployed POI devices.-] {+Components used only for manual PAN key entry.+}
[-Periodic inspections-] {+Commercial off-the-shelf (COTS) devices (for example, smartphones or tablets), which are mobile merchant-owned devices designed+} for [-signs of tampering or substitution.-] {+mass-market distribution.+}
[-Training staff to recognize suspicious behavior and to report device alterations.-]

[-These requirements apply to deployed POI devices used for card-present transactions (e.g., swipe, dip, or tap). These requirements do not apply to manual PAN entry or COTS devices (e.g., keyboards, tablets, or phones), although similar protections are considered best practice.-]

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.