POS Device Inspection and Incident Reporting Instructions
At each merchant's discretion, a POS owner/department should develop a schedule and routine for device inspection that looks for tampering or substitution periodically. For the merchant departments implementing P2PE devices, periodical device inspection (PCI DSS Requirement 9.9) is one of the few tasks you still need to fulfill for PCI DSS.
Before your department is planning an inspection process, please compile and maintain a device inventory list:
The POS Device Inventory List should include:
- Make and model number
- Location and ownership (name of the supervisor) of device
- Serial number or other unique identifier
Each department/device owner can define how periodically to perform the inspection, according to the business needs and operational criticality. Please keep the inspection log available for audit, upon request. For your convenience, please feel free to download the sample of inspection log for you to use and reference.
For Clover P2PE Device, please refer to page 57 to Page 69 in the Clover P2PE Implementation Manual for inspection instruction, tamper monitoring, skimming prevention and encryption issue handling.
The Clover P2PE Implementation Manual (PIM) is available here.
If any suspicion is detected during the inspection, please follow page 63 - 64 for contacting Clover or email firstname.lastname@example.org or call 855-853-8340. You can also contact email@example.com.
For other devices, please contact the device distributors for detailed instructions. The rule of thumb is to check any overlays, wires, cutting, disassembly, addition, modification, scratches or tampering, no changes to the resistance when inserting or removing a card from the ICC slot. If any suspicion is detected during the inspection, please follow the manufacturer's manual instruction for reporting or contact firstname.lastname@example.org.
PCI DSS Compliance Annual Validation
Each merchant department using Clover P2PE device should fill out, at least, SAQ P2PE-HW form annually.
When FD400 or other dial-up POS devices are used, the merchant department should fill out, at least, SAQ B form annually.
For the merchant departments using multiple types of devices and other payment processing methods, please contact email@example.com for further consultation.
Other relevant references available in https://pcicompliance.stanford.edu:
Please refer to the PCI DSS 3.2.1 for 9.9.2 and 9.9.3 details.
Please refer to Skimming Prevention: Best Practices for Merchants.
Please refer to Stanford PCI Policy 24 Media Device Protection Policy.
For any further questions, please contact firstname.lastname@example.org.