Frequently Asked Question
Are point-of-interaction devices required to be physically secured (for example, with a cable or tether) to prevent removal or substitution to meet PCI DSS Requirement 9.5?
No. PCI DSS does not require that point-of-interaction (POI) devices be physically attached or fixed in place. However, Requirements under Requirement 9.5.1 require controls to detect and prevent tampering or unauthorized substitution of POI devices that capture payment card data via direct interaction with the payment card form factor.
These controls include:
- Maintaining an inventory of deployed POI devices.
- Periodic inspections for signs of tampering or substitution.
- Training staff to recognize suspicious behavior and to report device alterations.
These requirements apply to deployed POI devices used for card-present transactions (e.g., swipe, dip, or tap). These requirements do not apply to manual PAN entry or COTS devices (e.g., keyboards, tablets, or phones), although similar protections are considered best practice.
June 2025
Article Number: 1281
