Frequently Asked Question
How does PCI DSS apply to payment terminals?
Payment terminals (sometimes referred to as point-of-sales systems, point-of-interaction devices, or payment devices) are physical devices that capture payment card data to process transactions. Because these devices are directly involved in storing, processing and/or transmission of account data, they are part of an entity's cardholder data environment (CDE) and are in scope for PCI DSS.
The PCI DSS requirements applicable to these devices will vary depending on the type of device being used. For example, a more complex point-of-sale system with multiple applications and configuration options would require a greater number of PCI DSS controls than a simple payment terminal that has been locked down and secured by the manufacturer, or one that is connected via a dial-out phone line rather than connecting to a data network.
Merchants should ensure that they are managing their devices per the applicable PCI DSS requirements — for example, PCI DSS v4.0 Requirement 9.5 — and that any account data output from the device is suitably protected. Merchants should review the vendor documentation for their payment device to understand if the device needs additional configuration to meet PCI DSS requirements. For example, if the device is configured to output account data in clear text, the merchant will need to implement their own encryption before sending the data over the Internet.
Payment devices must also be reviewed during a PCI DSS assessment to confirm that they are configured properly and that the security functions and settings have not been disabled. For example, the assessor would verify that the terminal has not been configured by the merchant to store sensitive authentication data after authorization.
While PCI DSS does not specify the types of payment devices to be used, some payment brands require the use of PTS-approved devices. Entities should contact the organization that manages their compliance program, such as acquirers, payment brands, or other entity directly for information about any such requirements. The list of PTS-approved devices can be found on the PCI SSC website under 'Products & Solutions Listings'.
See also the following related FAQ:
FAQ 1301: How should payment terminals be considered during a PCI DSS assessment?
Originally published: August 2014
Related
-
What evidence is a TPSP expected to provide to customers to demonstrate PCI DSS compliance?
-
Does PCI SSC consider guidance from other standards organizations when making updates to PCI standards?
-
If an organization provides software or functionality that runs on a consumer's device (for example, smartphones, tablets, or laptops) and is used to accept payment account data, can the organization store card verification codes for those consumers?
Featured FAQ Articles
Featured
-
Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?
-
Is the PCI DSS Attestation of Compliance intended to be shared?
-
How does an entity report the results of a PCI DSS assessment for new requirements that are noted in PCI DSS as best practices until a future date?
-
Where do I direct questions about complying with PCI standards?
-
Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for assessments documented in a Report on Compliance?
Most Popular
-
What evidence is a TPSP expected to provide to customers to demonstrate PCI DSS compliance?
-
Does PCI SSC consider guidance from other standards organizations when making updates to PCI standards?
-
If an organization provides software or functionality that runs on a consumer's device (for example, smartphones, tablets, or laptops) and is used to accept payment account data, can the organization store card verification codes for those consumers?
-
Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?
-
Can a compensating control be used for requirements with a periodic or defined frequency, where an entity did not perform the activity within the required timeframe?
Most Recently Updated
-
How does encrypted cardholder data impact PCI DSS scope for third-party service providers?
-
Does PCI SSC provide a list of PCI DSS-compliant third-party service providers?
-
How does encrypted cardholder data impact PCI DSS scope?
-
What effect does the use of a PCI-listed P2PE solution have on a merchant's PCI DSS validation?
-
Are Mobile Payments on COTS (MPoC)™ solutions, Software-based PIN Entry on COTS (SPoC)™ solutions, or Contactless Payments on COTS (CPoC™) solutions eligible for a P2PE Solution approval?