1. PCI Device Inspections
Student Business Services

2. PCI Requirement – effective April 2016
New to Version 3 of the Payment Card Industry Data Security Standard – Requirement 9.9: Restrict Physical Access to Cardholder Data
“Are the devices that capture payment card data via direct physical interaction with the card protected against tampering and substitution…?”
Note: This requirement applies to card-reading devices used in card present transactions (that is, card swipe or dip) at the point of sale. This requirement is not intended to apply to manual key entry components such as computer keyboards and POS keypads.

3. Requirement Details
Maintain policies and procedures regarding requirements for device inspections and inventory.
Maintain a device inventory.
Document changes to device inventory.
Periodically inspect devices for physical tampering or substitution.
Train personnel to be aware of attempted tampering or replacement of devices.

4. Maintain Policies and Procedures…
UPPS states that Texas State University will comply with the Payment Card Industry Data Security Standard (PCI DSS) including its evolving standards and practices.
We will be implementing the device inspection requirement as a monthly task.

5. Maintain a Device Inventory
SBS will provide you with a form that will serve as an inspection log and a device inventory.
You may add lines to the Word document as needed.
The inventory must include:
Make & Model (terminals & pin pads)
The serial # (S/N) – usually located on a sticker on the bottom of the device
Location (example: admin desk, or cashier’s office)

6. Document Changes to Device Inventory
Document on the inspection log when a terminal is replaced.
Include date of replacement.
Include make/model, serial number, and location of the terminal that is returned or broken.
Include make/model and serial number of the new terminal for that location.
Note if a device is simply relocated.

7. Periodically Inspect the Devices
Inspect the following on each device, once a month:
The serial # should be the same each time you inspect the device, unless otherwise noted.
The card readers (the swipe area or dip area for EMV cards) do not have anything inserted or blocking the area, and do not show signs of damage.
The cords are the same, and do not have additional adaptors added to the connectors. Cords should be the same, unless otherwise noted.
The tamper stickers should be in place and undamaged. Note if the sticker is peeling due to handling by staff.

8. Inspection Results
Mark each item as “OK” on the log, if everything looks fine.
If you see damage or other issues, note on the log and contact SBS for further instructions.
If a terminal’s serial number is different and is not otherwise noted on the log, discontinue use and contact SBS immediately!
Call

9. Additional Tamper Detection Tactics:
Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).
Never leave your devices un-attended.
Do not allow third-party persons, claiming to be repair or maintenance personnel, access to the devices, unless you have received notification from SBS.
Do not give third party callers information regarding your device. No one should call you about your devices, we will call them!

10. Know Your Stuff:
Educate ALL staff on the appropriate handling of your credit card devices.
Educate ALL staff to be aware of unauthorized access attempts from people outside the department or outside of SBS.
Know your terminal – be familiar with its physical appearance and functionality.
Know your staff – educate them and make sure they are FOLLOWING the outlined procedures.

11. Thank You!
Please take a few moments to review the PCI DSS skimming prevention guidance.
…for being diligent in keeping Texas State University a safe place to use credit cards!