Diff: FAQ #1281

Are point-of-sale devices required to be physically secured (e.g. with a cable or tether) to prevent removal or substitution in order to meet PCI DSS Requirement 9.9?

Earlier Version
2020-03-20 00:00:00 UTC

No, PCI DSS Requirement 9.9 does not require devices to be fixed in place or physically attached to a surface. Requirement 9.9 and its three sub-requirements address three areas of device security:

Maintaining an up-to-date list of devices
Periodically inspecting devices to detect tampering or replacement, and
Providing training for personnel to be aware of suspicious behavior and detect attempts to tamper with or replace devices.

Note that Requirement 9.9 applies only to card-reading devices (that is, where the card is physically swiped or dipped) at the point of sale. The requirement is also recommended, but is not required, for manual key-entry components such as computer keyboards and POS keypads.

Later Version
2025-06-11 14:57:47 UTC

No. PCI DSS does not require that point-of-interaction (POI) devices be physically attached or fixed in place. However, Requirements under Requirement 9.5.1 require controls to detect and prevent tampering or unauthorized substitution of POI devices that capture payment card data via direct interaction with the payment card form factor.

These controls include:

Maintaining an up-to-date inventory of deployed POI devices.
Periodic inspections for signs of tampering or substitution.
Training staff to recognize suspicious behavior and to report device alterations.

These requirements apply to deployed POI devices used for card-present transactions (e.g., swipe, dip, or tap). These requirements do not apply to manual PAN entry or COTS devices (e.g., keyboards, tablets, or phones), although similar protections are considered best practice.