Achieving PCI DSS compliance involves implementing security controls across all hardware and software, including payment terminals that process card transactions. These terminals must be inventoried, regularly inspected, and supported by trained staff.
Is your organization ready for your next PCI assessment? Request a consultation to find out!
PCI DSS Compliance and Payment Terminals
PCI DSS version 4.0 updated the requirements for payment terminals, strengthening protection of cardholder data (CHD). Knowing what the PCI Security Standards Council (SSC) expects for secure terminals in 2024 means asking:
- How terminal inspections support PCI DSS compliance and overall payment security
- Which specific requirements and controls apply to payment terminals
- How to meet these and other components of PCI DSS compliance
Protecting cardholder data (CHD) consistently and maintaining DSS compliance efficiently is easiest when working with a quality PCI advisory and assessment partner like RSI Security.
Regulatory Context for PCI Terminal Protections
Terminal inspections are essential for securing points of interaction (POI) within PCI DSS compliance. The specific mandate for them is Requirement 9.5.1.2, a sub-requirement of Requirement 9 (Restrict Physical Access to Cardholder Data), which sits in the part of the framework dedicated to access control measures.
Terminal inspections are one part of a larger whole, and that whole depends on all its parts working in concert. Below, we’ll touch on the overall scope of the DSS Requirements, along with assessments for all PCI Levels, and how to meet them all effectively for seamless compliance.
PCI DSS terminal specifications operate within a broader set of physical access controls designed to protect CHD. These include defined and understood processes and mechanisms for restricting physical access to CHD (9.1), physical access controls on facilities and systems that hold CHD (9.2), authorization and management of physical access for personnel and visitors (9.3), and secure storage, access, distribution, and destruction of media containing CHD (9.4).
PCI DSS v4.0 Requirement 9.5, Explained
Requirement 9.5 in PCI DSS v4.0 replaces Requirement 9.9 from v3.2.1 and earlier versions, emphasizing the need to secure POI devices against tampering and unauthorized replacement. It is the umbrella under which the terminal inspection rules fall, and it calls for POI devices to be “protected from tampering and unauthorized substitution.” Its single sub-requirement, 9.5.1, applies to POI devices that capture payment card data through direct physical interaction with the card (swipe, dip, or tap), and the SSC’s guidance explains that the requirement exists to prevent theft of CHD via stolen or manipulated terminals, which often happens through multi-stage attacks: criminals steal or tamper with legitimate POI devices, or replace them with fraudulent look-alikes, to intercept cardholder data. If any part of your organization operates POI devices, these specifications apply to them.
Requirement 9.5.1 also outlines what will be mandated in specifications 9.5.1.1, 9.5.1.2, and 9.5.1.3—inventory, inspections, and assurances for staff-wide security awareness (see below).
Requirement 9.5.1.1: Inventory Specifications
Requirement 9.5.1.1 mandates maintaining an accurate, up-to-date inventory of all POI terminals that capture CHD. The list must include:
- The make and model of each device
- The location of each device
- The serial number of each device, or another method of unique identification
The Defined Approach Testing Procedures include examining the list to verify that it includes all POI devices, observing devices and their locations and comparing them against the list, and interviewing personnel to confirm that the list is updated when devices are added, relocated, or decommissioned.
The requirement is scoped to devices used in card-present transactions and is not intended to apply to components used only for manual key entry of the PAN (such as computer keyboards). Even so, the SSC recommends inventorying such components to strengthen overall security, and it recommends recording additional context where possible (e.g., the people or business units that use a device, or what else sits in its proximity, alongside its physical location).
Requirement 9.5.1.2: Periodic Terminal Inspections
Requirement 9.5.1.2 mandates periodic inspections of POI devices to detect tampering and unauthorized replacements. Testing Procedures to determine if this requirement is met include verifying that there are protocols specified for periodic inspections and interviewing personnel to determine whether (and how well) those processes are being implemented in practice.
Sub-requirement 9.5.1.2.1 specifies how the inspection frequency is set, with reference back to another PCI Requirement: the frequency and type of inspections are defined in the entity’s targeted risk analysis, performed according to Requirement 12.3.1. Devices in publicly accessible or high-traffic locations warrant more frequent inspections, while those in restricted areas may need fewer checks. Note that 9.5.1.2.1 was published as a future-dated requirement: it is a best practice until 31 March 2025, after which it becomes mandatory.
In other words, there’s no single interval that all organizations need to follow. It’s highly customizable to the specific needs and means of your cardholder data environment (CDE).
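The inventory (9.5.1.1) and inspection (9.5.1.2) requirements together describe a concrete procedure: keep a list keyed by serial number, walk the floor on a schedule derived from the risk analysis, and compare what you actually see against the list. The script below is an added example, not code from the original article or from the PCI SSC. It uses constructed sample devices and constructed walk-through observations, and the per-tier inspection intervals are hypothetical values standing in for what a targeted risk analysis might produce. It flags devices overdue for inspection, devices missing from their recorded location, serial numbers that are not in the inventory at all, devices that moved without an inventory update, and the combination that most suggests substitution: a known device missing from a location where an unknown serial number has appeared.

```python
"""POI inventory reconciliation and inspection scheduling (added example,
not PCI SSC code). All devices, locations, and intervals are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical inspection intervals by exposure tier. A real program would take
# these from the targeted risk analysis required by Requirement 12.3.1.
INSPECTION_INTERVAL_DAYS = {"high": 7, "medium": 30, "low": 90}


@dataclass(frozen=True)
class PoiDevice:
    make: str
    model: str
    serial: str          # serial number or another unique identifier (9.5.1.1)
    location: str
    exposure: str        # "high" | "medium" | "low", set by the risk analysis
    last_inspected: date


def sample_inventory():
    """Constructed inventory; makes, models, and serials are fictitious."""
    return [
        PoiDevice("AcmePay", "T100", "SN-1001", "Checkout 1", "high", date(2024, 5, 1)),
        PoiDevice("AcmePay", "T100", "SN-1002", "Checkout 2", "high", date(2024, 5, 6)),
        PoiDevice("AcmePay", "T100", "SN-1003", "Checkout 3", "high", date(2024, 5, 6)),
        PoiDevice("AcmePay", "K20", "SN-2001", "Back office", "low", date(2024, 1, 15)),
    ]


def sample_walkthrough():
    """Constructed inspection results: serial numbers read off each device
    found at each location during the physical walk-through."""
    return {
        "Checkout 1": {"SN-1001"},
        "Checkout 2": {"SN-1002"},
        "Checkout 3": {"SN-9999"},   # not the serial on record: suspected swap
        "Back office": set(),        # recorded device not present
        "Stockroom": {"SN-2001"},    # the back-office device, relocated
    }


def overdue_devices(inventory, today):
    """Serials whose last inspection is older than their tier's interval."""
    overdue = []
    for d in inventory:
        interval = timedelta(days=INSPECTION_INTERVAL_DAYS[d.exposure])
        if today - d.last_inspected > interval:
            overdue.append(d.serial)
    return sorted(overdue)


def reconcile(inventory, observed):
    """Compare the inventory with what the walk-through actually found.

    observed maps location -> set of serials seen there. Returns sorted lists:
      missing:   inventoried serials seen nowhere (theft or substitution)
      unknown:   (location, serial) pairs not in the inventory (rogue device)
      moved:     (serial, recorded location, observed location)
      suspected_substitution: (location, missing serial, unknown serial) where
                 a recorded device is gone and an unrecorded one sits in its place
    """
    by_serial = {d.serial: d for d in inventory}
    seen = {s: loc for loc, serials in observed.items() for s in serials}

    missing = sorted(s for s in by_serial if s not in seen)
    unknown = sorted((loc, s) for s, loc in seen.items() if s not in by_serial)
    moved = sorted(
        (s, by_serial[s].location, loc)
        for s, loc in seen.items()
        if s in by_serial and by_serial[s].location != loc
    )
    suspected = sorted(
        (loc, m, s)
        for m in missing
        for loc, s in unknown
        if by_serial[m].location == loc
    )
    return {"missing": missing, "unknown": unknown, "moved": moved,
            "suspected_substitution": suspected}


if __name__ == "__main__":
    inv = sample_inventory()
    print("Overdue:", overdue_devices(inv, date(2024, 5, 10)))
    for finding, items in reconcile(inv, sample_walkthrough()).items():
        print(f"{finding}: {items}")
```

Any non-empty `unknown` or `suspected_substitution` result is the trigger for the 9.5.1.3 response path: stop using the device, verify with the acquirer or device vendor, and report it. The `moved` list is the more mundane but equally assessable finding, since the inventory is only compliant if it is kept current when devices are relocated.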
Requirement 9.5.1.3: Security Awareness Assurance
Requirement 9.5.1.3 mandates training personnel in POI environments to recognize and respond to attempted tampering or replacement of devices. Staff need to know to verify, and how to verify, the identity of any third party claiming to be a repair or maintenance technician before granting access to modify or troubleshoot devices, and to confirm that any device installation, replacement, or return is legitimate rather than taking it at face value. They must also watch for signs of suspicious behavior around devices and report suspected tampering or substitution promptly to the appropriate personnel.
In terms of Testing Procedures, these points of awareness are assessed via review of training materials and interviews with impacted personnel to determine preparedness and vigilance.
How to Meet All PCI DSS Requirements Seamlessly
Obtaining and maintaining PCI compliance means implementing all Requirements and then conducting self- or third-party assessments at yearly intervals. Requirement 9.5.1.2 is one of many specifications within the 12 PCI DSS Requirements that organizations must address.
For reference, this is how the Requirements break down:
- Build and Maintain a Secure Network and Systems
  - Requirement 1: Install and Maintain Network Security Controls
  - Requirement 2: Apply Secure Configurations to All System Components
- Protect Account Data
  - Requirement 3: Protect Stored Account Data
  - Requirement 4: Protect CHD with Strong Cryptography During Transmission over Open, Public Networks
- Maintain a Vulnerability Management Program
  - Requirement 5: Protect All Systems and Networks from Malicious Software
  - Requirement 6: Develop and Maintain Secure Systems and Software
- Implement Strong Access Control Measures
  - Requirement 7: Restrict Access to System Components and CHD by Business Need to Know
  - Requirement 8: Identify Users and Authenticate Access to System Components
  - Requirement 9: Restrict Physical Access to CHD
- Regularly Monitor and Test Networks
  - Requirement 10: Log and Monitor All Access to System Components and CHD
  - Requirement 11: Test Security of Systems and Networks Regularly
- Maintain an Information Security Policy
  - Requirement 12: Support Information Security with Organizational Policies and Programs
Once all controls are implemented, you’ll need to assess and ensure they’re effective.
In terms of paperwork, merchants and service providers with lower annual transaction volumes may qualify to complete a Self-Assessment Questionnaire (SAQ), while the highest-volume organizations (Level 1) must undergo a full assessment documented in a Report on Compliance (ROC), typically performed by a Qualified Security Assessor (QSA). In both cases the results are summarized in an Attestation of Compliance (AOC), which is the document submitted to the acquirer or payment brand.
Approved Scanning Vendors (ASVs) and Qualified Security Assessors (QSAs) are the SSC-qualified providers for, respectively, the external vulnerability scans required under Requirement 11 and the onsite assessments that produce a ROC; engaging them is how most organizations validate and maintain PCI compliance.
Optimize Your Terminal Inspections and PCI Compliance
Ultimately, meeting the terminal inspection specifications for PCI DSS compliance depends on controls elsewhere in the standard. The connection is direct in the case of Requirement 12.3.1, since 9.5.1.2.1 takes its inspection frequency from the targeted risk analysis that requirement defines. But even where no such dependency exists, seamless compliance requires assessing every applicable control for effectiveness, not just the ones that mention terminals.
RSI Security is a QSA, ASV, and trusted PCI partner to countless organizations. We’ll help you strategize, implement, maintain, and assess the controls you need to streamline compliance year after year. We believe that the right way is the only way to keep your systems secure.
To learn more about our PCI compliance solutions, contact RSI Security today!