Frequently Asked Question
How does PCI DSS apply to payment terminals?
Payment terminals (sometimes referred to as point-of-sales systems, point-of-interaction devices, or payment devices) are physical devices that capture payment card data to process transactions. Because these devices are directly involved in storing, processing and/or transmission of account data, they are part of an entity’s cardholder data environment (CDE) and are in scope for PCI DSS.
The PCI DSS requirements applicable to these devices will vary depending on the type of device being used. For example, a more complex point-of-sale system with multiple applications and configuration options would require a greater number of PCI DSS controls than a simple payment terminal that has been locked down and secured by the manufacturer, or one that is connected via a dial-out phone line rather than connecting to a data network.
Merchants should ensure that they are managing their devices per the applicable PCI DSS requirements – for example, PCI DSS v4.0 Requirement 9.5 – and that any account data output from the device is suitably protected. Merchants should review the vendor documentation for their payment device to understand if the device needs additional configuration to meet PCI DSS requirements. For example, if the device is configured to output account data in clear text, the merchant will need to implement their own encryption before sending the data over the Internet.
Payment devices must also be reviewed during a PCI DSS assessment to confirm that they are configured properly and that the security functions and settings have not been disabled. For example, the assessor would verify that the terminal has not been configured by the merchant to store sensitive authentication data after authorization.
While PCI DSS does not specify the types of payment devices to be used, some payment brands require the use of PTS-approved devices. Entities should contact the organization that manages their compliance program, such as acquirers, payment brands, or other entity directly for information about any such requirements. The list of PTS-approved devices can be found on the PCI SSC website under “Products & Solutions Listings”.
See also the following related FAQ:
FAQ 1301: How should payment terminals be considered during a PCI DSS assessment?