Diff: FAQ #1281
Are point-of-sale devices required to be physically secured (e.g. with a cable or tether) to prevent removal or substitution in order to meet PCI DSS Requirement 9.9?
Earlier Version
2025-06-11 14:57:47 UTC
Later Version
2025-07-22 19:43:52 UTC
Removed
Added
No., PCI DSS does not rRequire that pointment 9.5 does not require devices to be fixed in place or physically attached to a surface. Requirement 9.5 and its three sub-ofrequirements address three areas of device security:
Maintaining an up-interaction (to-date list of POI) devices ,
Periodically inspecting POI devices to detect tampering and unauthorized sube physically attached or fixed in placestitution, and
Providing training for personnel in POI environments to be aware of attempted tampering or replacement of POI devices. However, Requirements under
Note that Requirement 9.5.1 require controls to detect and prevent tampering or unauthorized substitution of applies only to deployed POI devices that capture payment card data via direct interaction used in card-present transactions (that is, a payment card form factor such as a card that is swith the payment card form factor.
These controls include:
Maintaining an inventory of deployed POI devices.
Periodic inspections for signs of tampering or substitution.
Training staff to recognize suspicious behavior and to report device alterations.
These requirements apply to deployed POI devices used for card-present transactions (e.g.ped, swipetapped, dip, or tapor dipped).
These requirements do not apply to, but are recommended best practices for:
Components used only for manual PANentry or key entry.
Commercial off-the-shelf (COTS) devices (e.g.for example, keysmartphones or taboards, tablets, or phonelets), althouwhich are mobile merchant-owned devices desigh similar protections are considered ned for mass-market distribest practiceution.