Frequently Asked Question
How does PCI DSS apply to payment terminals?
Payment terminals (sometimes referred to as point-of-sales systems, point-of-interaction devices, or payment devices) are physical devices that capture payment card data to process transactions. Because these devices are directly involved in storing, processing and/or transmission of account data, they are part of an entity's cardholder data environment (CDE) and are in scope for PCI DSS.
The PCI DSS requirements applicable to these devices will vary depending on the type of device being used. For example, a more complex point-of-sale system with multiple applications and configuration options would require a greater number of PCI DSS controls than a simple payment terminal that has been locked down and secured by the manufacturer, or one that is connected via a dial-out phone line rather than connecting to a data network.
Merchants should ensure that they are managing their devices per the applicable PCI DSS requirements — for example, PCI DSS v4.0 Requirement 9.5 — and that any account data output from the device is suitably protected. Merchants should review the vendor documentation for their payment device to understand if the device needs additional configuration to meet PCI DSS requirements. For example, if the device is configured to output account data in clear text, the merchant will need to implement their own encryption before sending the data over the Internet.
Payment devices must also be reviewed during a PCI DSS assessment to confirm that they are configured properly and that the security functions and settings have not been disabled. For example, the assessor would verify that the terminal has not been configured by the merchant to store sensitive authentication data after authorization.
While PCI DSS does not specify the types of payment devices to be used, some payment brands require the use of PTS-approved devices. Entities should contact the organization that manages their compliance program, such as acquirers, payment brands, or other entity directly for information about any such requirements. The list of PTS-approved devices can be found on the PCI SSC website under 'Products & Solutions Listings'.
See also the following related FAQ:
FAQ 1301: How should payment terminals be considered during a PCI DSS assessment?
Related
-
What is the scope of a PCI DSS assessment for service providers that can impact the security of payment account data, if the service provider does not directly store, process, or transmit payment account data?
-
Does PCI DSS apply to service providers that can impact the security of payment account data, if the service provider does not directly store, process, or transmit payment account data?
-
Can service providers use eligibility criteria from a merchant Self-Assessment Questionnaire (SAQ) to determine applicable PCI DSS requirements for the service provider’s assessment?
Featured FAQ Articles
Featured
-
Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?
-
Is the PCI DSS Attestation of Compliance intended to be shared?
-
How does an entity report the results of a PCI DSS assessment for new requirements that are noted in PCI DSS as best practices until a future date?
-
Where do I direct questions about complying with PCI standards?
-
Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for assessments documented in a Report on Compliance?
Most Popular
-
What is the scope of a PCI DSS assessment for service providers that can impact the security of payment account data, if the service provider does not directly store, process, or transmit payment account data?
-
Does PCI DSS apply to service providers that can impact the security of payment account data, if the service provider does not directly store, process, or transmit payment account data?
-
Can service providers use eligibility criteria from a merchant Self-Assessment Questionnaire (SAQ) to determine applicable PCI DSS requirements for the service provider’s assessment?
-
What does “console access” mean for PCI DSS Requirements 8.4.1 and 8.4.2?
-
What evidence is a TPSP expected to provide to customers to demonstrate PCI DSS compliance?
Most Recently Updated
-
How do I contact the payment card brands?
-
What is the scope of a PCI DSS assessment for service providers that can impact the security of payment account data, if the service provider does not directly store, process, or transmit payment account data?
-
Does PCI DSS apply to service providers that can impact the security of payment account data, if the service provider does not directly store, process, or transmit payment account data?
-
Can service providers use eligibility criteria from a merchant Self-Assessment Questionnaire (SAQ) to determine applicable PCI DSS requirements for the service provider’s assessment?
-
Which version of the P2PE Standard should be used for a P2PE assessment?