WithPCI.com

9.5.1.2.1 The frequency of periodic POI device inspections and the type of inspections performed is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

9.5.1.2.1 The frequency of periodic POI device inspections and the type of inspections performed is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.

Defined Approach Testing Procedures

9.5.1.2.1.a Examine the entity's targeted risk analysis for the frequency of periodic POI device inspections and type of inspections performed to verify the risk analysis was performed in accordance with all elements specified in Requirement 12.3.1.

9.5.1.2.1.b Examine documented results of periodic device inspections and interview personnel to verify that the frequency and type of POI device inspections performed match what is defined in the entity's targeted risk analysis conducted for this requirement.

Customized Approach Objective

POI devices are inspected at a frequency that addresses the entity's risk.

Applicability Notes

This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.

Purpose

Entities are best placed to determine the frequency of POI device inspections based on the environment in which the device operates.

Good Practice

The frequency of inspections will depend on factors such as the location of a device and whether the device is attended or unattended. For example, devices left in public areas without supervision by the organization's personnel might have more frequent inspections than devices kept in secure areas or supervised when accessible to the public. In addition, many POI vendors include guidance in their user documentation about how often POI devices should be checked, and for what – entities should consult their vendors' documentation and incorporate those recommendations into their periodic inspections.

Purpose

Train personnel to be aware of POI device tampering and substitution threats.

Compliance Strategies

  • Annual security awareness training
  • Tampering response drills

Typical Policies

  • POI Device Security Training Policy

Common Pitfalls

  • No training records
  • Staff unaware of tampering signs

Type

Training/Process Control

Difficulty

Low

Key Risks

  • Delayed detection of tampering

Recommendations

  • Include device security in onboarding training

Eligible SAQ

  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
