WithPCI.com

9.5 Point of interaction (POI) devices are protected from tampering and unauthorized substitution.

This requirement protects point-of-interaction (POI) devices from tampering and unauthorized substitution, so that criminals cannot steal payment card data through manipulated or counterfeit card-reading devices and terminals.

Sub-requirements:

9.5. Point-of-interaction (POI) devices are protected from tampering and substitution.

Ensure that all POI devices are inventoried, inspected, and protected from tampering or substitution to prevent card skimming or data theft.

Sub-requirements: 5
Test points: 9
Implementation difficulty: Low-Moderate (2.2)

Control Types

Documentation: 1
Process: 5
Training: 1
Physical: 1

Key Risks

POI device tampering
Device substitution or skimming
Unmonitored or uninspected devices

Frequently Asked Questions

What is a POI device?

A point-of-interaction device is any device that captures payment card data via direct physical interaction with the card.

How are POI devices protected?

By maintaining an inventory, conducting regular inspections, and training personnel to detect tampering.

How often should POI devices be inspected?

At least daily, or as defined by risk and business practices.

What should staff do if tampering is suspected?

Report the incident immediately and follow incident response procedures.

How are new or replacement POI devices managed?

They are logged, inspected, and tracked in the device inventory.

Common QSA Questions

Can you show your POI device inventory and inspection records?

Yes, we maintain logs of all POI devices and inspection activities.

How are staff trained to detect POI device tampering?

Through regular security awareness training and documented procedures.

What is your process for responding to POI device tampering or substitution?

We have an incident response plan that includes immediate isolation, investigation, and reporting of suspected tampering.
