POI device handling – PCI DSS-Requirements for Merchants

Having received a number of enquiries, we will now once again summarise the requirements for POI device handling by merchants. Version 3.0 of PCI DSS had already introduced Requirement 9.9, with the requirements being mandatory from the 1 July 2015. In version 3.1, textual revisions have been undertaken, that do not, however, define any new requirements.

As POI devices are susceptible to potential risks through manipulation, the addition of extra components (skimming), or to substitution by a modified POI, Requirement 9.9 specifies concrete testing requirements for the merchant. The merchant is required to implement the necessary procedures from 1 July 2015 onwards.

In particular, in Requirement 9.9 the following requirements concerning POI device handling are made of the merchant:

Keeping a list of devices (Requirement 9.9.1)

It is obligatory for the merchant to keep an up-to-date list of all POI devices in use by them. This list must be continually updated (substitutions, new acquisitions, relocation of POI etc.) and must contain, as a minimum, the following information:

  1. Model and description of the POI device (e.g. Verifone Vx820, Ingenico iPP350)
  2. A clear identification of the POI device, e.g., by the serial number
  3. Precise information as to where the POI device is installed (e.g., the address of the branch or company or, in the case of mobile devices, the responsible person that has possession of the device).

This list can be maintained manually or automatically, for example, using a terminal management system.

Regular checks for manipulation or substitution (Requirement 9.9.2)

For these regular checks, there must be written instructions specifying how a device is to be checked, who is responsible for this, and at what intervals the checks should be carried out. The method for checking for compromises will depend on the type of device in question and can be carried out, for example, in the following ways:

  • Checking the seal (frequently already attached by the manufacturer, or else by individual merchants using their own seals or labels)
  • Comparing the POI device to a photo of the original POI to reveal any differences in its construction (e.g., caused by substitution) or any attached skimming components
  • Comparing the serial numbers.

It is the duty of the merchant to specify the intervals between inspections. This must be done as part of their yearly risk assessment in accordance with PCI DSS Requirement 12.2, also taking into account, amongst other things, factors such as the location of the device and whether it is an attended/unattended POI.

Staff training (Requirement 9.9.3)

Appropriate training materials and training sessions should be used to raise staff awareness and make any manipulation or substituting of devices more difficult. In these, at the very least, the following points should deal with:

  1. Identification of third parties (e.g., maintenance engineers) that wish to service POI devices or substitute them before any such person is given access to the POI
  2. Installation, substitution or return of a device only after checking that this has been planned and approved
  3. Suspicious actions by strangers near to or directly at the device

Criminals frequently try to pass themselves off as maintenance engineers to compromise the POI device or to substitute it. In such cases, staff should check that a repair or substitution is actually supposed to be taking place with the manager in charge or with the maintenance company. Another variation used when a POI device is sent to the merchant to be substituted, while at the same time instructions for returning the original terminal free of charge are enclosed. In this way, the criminals acquire a fully functional, operational POI device that they can then analyse and compromise.

We would also like to take this opportunity to refer you to the highly informative document on the topic of skimming on the PCI Council website (externernal link to document).