WithPCI.com

9.5.1.2 POI device surfaces are periodically inspected to detect tampering and unauthorized substitution.

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

9.5.1.2 POI device surfaces are periodically inspected to detect tampering and unauthorized substitution.

Defined Approach Testing Procedures

9.5.1.2.a Examine documented procedures to verify processes are defined for periodic inspections of POI device surfaces to detect tampering and unauthorized substitution.

9.5.1.2.b Interview responsible personnel and observe inspection processes to verify:

  • Personnel are aware of procedures for inspecting devices.
  • All devices are periodically inspected for evidence of tampering and unauthorized substitution.

Customized Approach Objective

Point of interaction devices cannot be tampered with, substituted without authorization, or have skimming attachments installed without timely detection.

Purpose

Regular inspections of devices will help organizations detect tampering more quickly via external evidence—for example, the addition of a card skimmer—or replacement of a device, thereby minimizing the potential impact of using fraudulent devices.

Good Practice

Methods for periodic inspection include checking the serial number or other device characteristics and comparing the information to the list of POI devices to verify the device has not been swapped with a fraudulent device.

Examples

The type of inspection will depend on the device. For instance, photographs of devices known to be secure can be used to compare a device's current appearance with its original appearance to see whether it has changed. Another option may be to use a secure marker pen, such as a UV light marker, to mark device surfaces and device openings so any tampering or replacement will be apparent. Criminals will often replace the outer casing of a device to hide their tampering, and these methods may help to detect such activities. Device vendors may also provide security guidance and "how to" guides to help determine whether the device has been subject to tampering.

Signs that a device might have been tampered with or substituted include:

  • Unexpected attachments or cables plugged into the device.
  • Missing or changed security labels.
  • Broken or differently colored casing.
  • Changes to the serial number or other external markings.
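The serial-number comparison described under Good Practice, the signs of tampering listed above, and the "missed inspections" pitfall are all easier to enforce if inspection records are reconciled against the device inventory by script rather than by eye. The following is an added example written for this page; it is not code from WithPCI or the PCI SSC. The inventory layout, inspection fields, the `PinPad-200` model name, device IDs, serial numbers, label IDs, dates and the 30-day interval are all constructed for illustration (PCI DSS leaves the inspection frequency for the entity to define and justify).

```python
"""Reconcile periodic POI device inspections against the device inventory.

Added example for this page; it is not code from WithPCI or the PCI SSC.
The inventory layout, inspection fields, device IDs, serial numbers,
label IDs and dates below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Inspection:
    """One inspection of one device, as recorded by the inspecting person."""
    device_id: str
    inspected_on: date
    observed_serial: str          # serial number read off the device surface
    labels_seen: tuple            # security labels found present and intact
    casing_intact: bool           # no breaks, gaps or colour mismatch in the casing
    unexpected_attachments: bool  # overlays, dongles or cables not on the inventory


@dataclass(frozen=True)
class Finding:
    device_id: str
    code: str
    detail: str


# Constructed inventory in the spirit of 9.5.1.1: what each device is, where it
# lives, its serial number and the security labels it is expected to carry.
INVENTORY = {
    "POS-01": {"model": "PinPad-200", "location": "Lane 1",
               "serial": "SN-A1001", "labels": ("seal-0451",)},
    "POS-02": {"model": "PinPad-200", "location": "Lane 2",
               "serial": "SN-A1002", "labels": ("seal-0452",)},
    "POS-03": {"model": "PinPad-200", "location": "Customer service",
               "serial": "SN-A1003", "labels": ("seal-0453",)},
}


def reconcile(inventory, inspections, today, interval_days=30):
    """Return findings for substituted, tampered, unknown or uninspected devices.

    interval_days is the organisation's own inspection frequency (assumed here).
    """
    findings = []
    latest = {}  # most recent inspection per inventoried device
    for insp in inspections:
        expected = inventory.get(insp.device_id)
        if expected is None:
            # A device in use that is not on the inventory is itself a finding.
            findings.append(Finding(insp.device_id, "UNKNOWN_DEVICE",
                                    f"serial {insp.observed_serial} is not on the inventory"))
            continue
        prev = latest.get(insp.device_id)
        if prev is None or insp.inspected_on > prev.inspected_on:
            latest[insp.device_id] = insp
        if insp.observed_serial != expected["serial"]:
            findings.append(Finding(insp.device_id, "SUBSTITUTION_SUSPECTED",
                                    f"inventory serial {expected['serial']}, observed {insp.observed_serial}"))
        missing = sorted(set(expected["labels"]) - set(insp.labels_seen))
        if missing:
            findings.append(Finding(insp.device_id, "TAMPER_SIGN",
                                    "missing or changed security label(s): " + ", ".join(missing)))
        if not insp.casing_intact:
            findings.append(Finding(insp.device_id, "TAMPER_SIGN", "broken or mismatched casing"))
        if insp.unexpected_attachments:
            findings.append(Finding(insp.device_id, "TAMPER_SIGN", "unexpected attachment or cable"))

    # Coverage check: every inventoried device must have a recent inspection.
    for device_id in sorted(inventory):
        last = latest.get(device_id)
        if last is None:
            findings.append(Finding(device_id, "INSPECTION_OVERDUE", "never inspected"))
        elif (today - last.inspected_on).days > interval_days:
            findings.append(Finding(device_id, "INSPECTION_OVERDUE",
                                    f"last inspected {last.inspected_on.isoformat()}"))
    return findings


# Constructed inspection log for a single reconciliation run.
TODAY = date(2025, 3, 31)
INSPECTIONS = [
    Inspection("POS-01", date(2025, 3, 28), "SN-A1001", ("seal-0451",), True, False),
    # POS-02: serial differs from the inventory and its seal is gone, the
    # signature of a swapped device whose outer casing was replaced.
    Inspection("POS-02", date(2025, 3, 29), "SN-A1999", (), True, False),
    # POS-03: clean, but its last inspection is older than the interval.
    Inspection("POS-03", date(2025, 2, 10), "SN-A1003", ("seal-0453",), True, False),
    # A device on the floor that nobody put on the inventory.
    Inspection("POS-09", date(2025, 3, 29), "SN-Z0001", (), True, True),
]

SAMPLE_FINDINGS = reconcile(INVENTORY, INSPECTIONS, TODAY, interval_days=30)

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f"{f.device_id:8} {f.code:24} {f.detail}")
```

Each finding carries the device ID, a code and the evidence, which is the minimum an inspection log needs to satisfy testing procedure 9.5.1.2.b and to avoid the "no documentation of findings" pitfall; the coverage loop at the end is what turns the inventory into the automated reminder, since any device without a recent record surfaces as `INSPECTION_OVERDUE` rather than silently dropping out of the rotation.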

Sub-Requirements

Purpose

Periodically inspect POI devices to detect tampering or substitution.

Compliance Strategies

  • Scheduled device inspections
  • Inspection logs

Typical Policies

  • POI Device Inspection Procedures

Common Pitfalls

  • Missed inspections
  • No documentation of findings

Type

Process Control

Difficulty

Moderate

Key Risks

  • Undetected skimming devices

Recommendations

  • Automate inspection reminders

Eligible SAQ

  • SAQ-B
  • SAQ-B-IP
  • SAQ-C
  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
