Point-of-Sale Terminal Physical Inspection Guidelines


Purpose:

This knowledge base article offers guidance on performing physical inspections of point-of-sale credit card terminals and helps departments comply with the PCI-DSS (Payment Card Industry Data Security Standard) device requirements. Please apply this information to your department's unique situation and modify the procedures accordingly. The guidance provided below is a starting point for you to create and develop your inspection protocols.

Bluefin provides both a point-of-sale terminal inspection attestation log and a device inventory log within their P2PE Manager Portal to assist merchant account owners in maintaining PCI-DSS compliance.

 

Device Maintenance and Replacement

All device maintenance and replacement is coordinated through the Merchant & Cashiering Services team. Do not install, replace or return any point-of-sale terminal without receiving prior authorization to do so.

There will be no onsite maintenance, update or replacement of your point-of-sale terminal by any outside entity. Any person claiming to be a technician who requests access to your point-of-sale terminal should be denied access to the device.

Train staff to be aware of suspicious behavior around the point-of-sale terminal. Examples of such behavior include attempts by unknown persons to unplug or open a device. Report any suspicious behavior or indications of device tampering or substitution (in the event of a failed physical inspection) to the PCI-DSS team by opening a PCI-DSS support ticket.

 

Point of Sale Terminal Inspection Example:

This is an inspection example for the commonly used PAX A80 P2PE terminal. In the event your department is using a different point of sale device, please refer to the inspection procedures within the device's user manual. All device manuals can be downloaded from the "Documentation" section of the Bluefin P2PE Manager portal. However, several manuals for commonly used terminals can be downloaded from the attachment section of this knowledge base article. You may use the information below as a general guide to inspect any point of sale terminal.

 

Device Inspection Attestations

Once an inspection has been completed, it should be noted in the "Attestations" section of the Bluefin P2PE Manager portal. Attesting to the inspection will log the inspection result for future reporting purposes. The attestation frequency defaults to an annual occurrence. At minimum, departments are required to inspect their devices on a quarterly basis. However, departments that process a high volume of transactions through their point-of-sale machine should update the attestation frequency to a recurring monthly schedule.

The Bluefin video below covers the following topics:

- Attestation email notifications.

- How to navigate and access the attestation screen.

- How to complete the attestation.

- How to update the attestation frequency.

Maintaining an Up-To-Date Device Log & Storing Your Terminal

The PCI-DSS (Payment Card Industry Data Security Standard) requires merchants to maintain an up-to-date device inventory log at all times. To comply with this requirement, departments should update the device log within the P2PE Manager whenever their terminal is relocated, replaced or inactivated.

Point-of-sale terminals should be stored in a locked safe when not in use. Terminals should not be left out in the open at the end of the day and should be secured within a safe overnight. Do not hide the terminal in a desk drawer. The only acceptable place to store the terminal is within a safe.

 

Supplemental Device Inspection Resources 

Skimming Prevention: Best Practice for Merchants

Skimming Prevention: Overview of Best Practices for Merchants

Skimming Resource Guide

 

Questions or Concerns?

Please open a PCI-DSS (Payment Card Industry Data Security Standard) or Credit Card Security Support Request with any questions or concerns regarding the information presented in this Knowledge Base article.