WithPCI.com

9.5.1 POI devices that capture payment card data via direct physical interaction with the payment card form factor are protected from tampering and unauthorized substitution, including the following:

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

9.5.1 POI devices that capture payment card data via direct physical interaction with the payment card form factor are protected from tampering and unauthorized substitution, including the following:

  • Maintaining a list of POI devices.
  • Periodically inspecting POI devices to look for tampering or unauthorized substitution.
  • Training personnel to be aware of suspicious behavior and to report tampering or unauthorized substitution of devices.
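The three elements above reduce to a reconciliation step: what the inspector finds on the floor is checked against the maintained device list, and anything that does not match (a serial number that changed, a seal that is broken or replaced, a device that is absent, a device that is present but not on the list) is a finding to report. The Python below is an added example, not from PCI SSC or from WithPCI; the field names, the 30-day inspection interval and the sample records are assumptions constructed for illustration.

```python
# Added example, not from PCI SSC or WithPCI: reconciles a maintained POI
# device list against a periodic inspection walk. Field names, the 30-day
# interval and the sample records are assumptions constructed for illustration.
from dataclasses import dataclass
from datetime import date, timedelta

INSPECTION_INTERVAL = timedelta(days=30)  # assumed policy value

@dataclass
class Device:
    """One inventory row, or one device as observed during an inspection."""
    device_id: str
    serial: str
    location: str
    seal_id: str                     # tamper-evident seal number recorded at install
    last_inspected: date = date.min  # only meaningful on inventory rows
    seal_intact: bool = True         # set by the inspector on an observation

def reconcile(inventory, walk):
    """Compare an inspection walk against the inventory; return findings."""
    findings = []
    seen = {o.device_id: o for o in walk}
    for dev in inventory:
        obs = seen.pop(dev.device_id, None)
        if obs is None:
            findings.append((dev.device_id, "missing"))       # removed or stolen
            continue
        if obs.serial != dev.serial:
            findings.append((dev.device_id, "substitution"))  # serial changed
        if obs.seal_id != dev.seal_id or not obs.seal_intact:
            findings.append((dev.device_id, "tampering"))     # seal broken/replaced
    for dev_id in seen:  # observed but not on the list: possible substitution
        findings.append((dev_id, "unknown device"))
    return findings

def overdue(inventory, today):
    """Devices whose last inspection is older than the policy interval."""
    return [d.device_id for d in inventory
            if today - d.last_inspected > INSPECTION_INTERVAL]

# Constructed sample data: one clean device, one swapped with a broken seal, one unlisted
INVENTORY = [
    Device("POS-01", "SN1001", "Lane 1", "SEAL-A1", date(2024, 5, 1)),
    Device("POS-02", "SN1002", "Lane 2", "SEAL-A2", date(2024, 3, 1)),
]
WALK = [
    Device("POS-01", "SN1001", "Lane 1", "SEAL-A1"),
    Device("POS-02", "SN9999", "Lane 2", "SEAL-A2", seal_intact=False),
    Device("POS-03", "SN7777", "Lane 3", "SEAL-X9"),
]
```

Running `reconcile(INVENTORY, WALK)` on the sample data reports a substitution and tampering on POS-02 and an unknown device POS-03; `overdue(INVENTORY, today)` lists devices whose inspection date has lapsed.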

Defined Approach Testing Procedures

9.5.1 Examine documented policies and procedures to verify that processes are defined that include all elements specified in this requirement.

Customized Approach Objective

The entity has defined procedures to protect and manage point-of-interaction devices. Expectations, controls, and oversight for the management and protection of POI devices are defined and adhered to by affected personnel.

Applicability Notes

These requirements apply to deployed POI devices used in card-present transactions (that is, a payment card form factor such as a card that is swiped, tapped, or dipped).

These requirements do not apply to:

  • Components used only for manual PAN key entry.
  • Commercial off-the-shelf (COTS) devices (for example, smartphones or tablets), which are mobile merchant-owned devices designed for mass-market distribution.

Purpose

Criminals attempt to steal payment card data by stealing and/or manipulating card-reading devices and terminals. Criminals will try to steal devices so they can learn how to break into them, and they often try to replace legitimate devices with fraudulent devices that send them payment card data every time a card is entered.

They will also try to add "skimming" components to the outside of devices, which are designed to capture payment card data before it enters the device—for example, by attaching an additional card reader on top of the legitimate card reader so that the payment card data is captured twice: once by the criminal's component and then by the device's legitimate component. In this way, transactions may still be completed without interruption while the criminal is "skimming" the payment card data during the process.

Good Practice

Entities may consider implementing protection from tampering and unauthorized substitution for:

  • Components used only for manual PAN key entry.
  • Commercial off-the-shelf (COTS) devices (for example, smartphones or tablets), which are mobile merchant-owned devices designed for mass-market distribution.

Further Information

Additional best practices on skimming prevention are available on the PCI SSC website.

Sub-Requirements

purpose

Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.

compliance strategies

  • Physical locks
  • Device monitoring

typical policies

  • POI Device Security Policy

common pitfalls

  • Unsecured devices
  • No monitoring

type

Physical/Process Control

difficulty

Moderate

key risks

  • Skimming, device substitution

recommendations

  • Use PCI P2PE-validated devices

Eligible SAQ

  • SAQ-B
  • SAQ-B-IP
  • SAQ-C
  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
