Frequently Asked Question

No, PCI DSS Requirement 9.9 does not require devices to be fixed in place or physically attached to a surface. Requirement 9.9 and its three sub-requirements address three areas of device security:

1. Maintaining an up-to-date list of devices
2. Periodically inspecting devices to detect tampering or replacement, and
3. Providing training for personnel to be aware of suspicious behavior and detect attempts to tamper with or replace devices

Note that Requirement 9.9 applies only to card-reading devices (that is, where the card is physically swiped or dipped) at the point of sale. The requirement is also recommended, but is not required, for manual key-entry components such as computer keyboards and POS keypads.