Frequently Asked Question

Are point-of-interaction devices required to be physically secured (for example, with a cable or tether) to prevent removal or substitution to meet PCI DSS Requirement 9.5?

No, PCI DSS Requirement 9.5 does not require devices to be fixed in place or physically attached to a surface. Requirement 9.5 and its three sub-requirements address three areas of device security:

  • Maintaining an up-to-date list of POI devices,
  • Periodically inspecting POI devices to detect tampering and unauthorized substitution, and
  • Providing training for personnel in POI environments to be aware of attempted tampering or replacement of POI devices.

Note that Requirement 9.5 applies only to deployed POI devices used in card-present transactions (that is, a payment card form factor such as a card that is swiped, tapped, or dipped).

These requirements do not apply to, but are recommended best practices for:

  • Components used only for manual PAN key entry.
  • Commercial off-the-shelf (COTS) devices (for example, smartphones or tablets), which are mobile merchant-owned devices designed for mass-market distribution.

July 2025
Article Number: 1281
