Framework № PCI DSS 4.0 от 01.03.2022

9.5.1
Defined Approach Requirements: 
POI devices that capture payment card data via direct physical interaction with the payment card form factor are protected from tampering and unauthorized substitution, including the following:

Customized Approach Objective:
The entity has defined procedures to protect and manage point of interaction devices. Expectations, controls, and oversight for the management and protection of POI devices are defined and adhered to by affected personnel. 

Applicability Notes:
These requirements apply to deployed POI devices used in card-present transactions (that is, a payment card form factor such as a card that is swiped, tapped, or dipped). 
This requirement is not intended to apply to manual PAN key-entry components such as computer keyboards. This requirement is recommended, but not required, for manual PAN key-entry components such as computer keyboards. 
This requirement does not apply to commercial offthe-shelf (COTS) devices (for example, smartphones or tablets), which are mobile merchant-owned devices designed for mass-market distribution. 

Defined Approach Testing Procedures:

Purpose:
riminals attempt to steal payment card data by stealing and/or manipulating card-reading devices and terminals. Criminals will try to steal devices so they can learn how to break into them, and they often try to replace legitimate devices with fraudulent devices that send them payment card data every time a card is entered. 
They will also try to add “skimming” components to the outside of devices, which are designed to capture payment card data before it enters the device—for example, by attaching an additional card reader on top of the legitimate card reader so that the payment card data is captured twice: once by the criminal’s component and then by the device’s legitimate component. In this way, transactions may still be completed without interruption while the criminal is “skimming” the payment card data during the process. 

Good Practice:
Additional best practices on skimming prevention are available on the PCI SSC website. 

9.5.1.1
Defined Approach Requirements: 
An up-to-date list of POI devices is maintained, including:

Customized Approach Objective:
The identity and location of POI devices is recorded and known at all times. 

Defined Approach Testing Procedures:

Purpose:
Keeping an up-to-date list of POI devices helps an organization track where devices are supposed to be and quickly identify if a device is missing or lost. 

Good Practice:
The method for maintaining a list of devices may be automated (for example, a devicemanagement system) or manual (for example, documented in electronic or paper records). For on-the-road devices, the location may include the name of the personnel to whom the device is assigned. 

Examples:
Methods to maintain device locations include identifying the address of the site or facility where the device is located. 

9.5.1.2
Defined Approach Requirements: 
POI device surfaces are periodically inspected to detect tampering and unauthorized substitution. 

Customized Approach Objective:
Point of Interaction Devices cannot be tampered with, substituted without authorization, or have skimming attachments installed without timely detection. 
Defined Approach Testing Procedures:

Purpose:
Regular inspections of devices will help organizations detect tampering more quickly via external evidence—for example, the addition of a card skimmer—or replacement of a device, thereby minimizing the potential impact of using fraudulent devices. 

Good Practice:
Methods for periodic inspection include checking the serial number or other device characteristics and comparing the information to the list of POI devices to verify the device has not been swapped with a fraudulent device. 

Examples:
The type of inspection will depend on the device. For instance, photographs of devices known to be secure can be used to compare a device’s current appearance with its original appearance to see whether it has changed. Another option may be to use a secure marker pen, such as a UV light marker, to mark device surfaces and device openings so any tampering or replacement will be apparent. Criminals will often replace the outer casing of a device to hide their tampering, and these methods may help to detect such activities. Device vendors may also provide security guidance and “how to” guides to help determine whether the device has been subject to tampering. 
Signs that a device might have been tampered with or substituted include:

9.5.1.2.1
Defined Approach Requirements: 
The frequency of periodic POI device inspections and the type of inspections performed is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. 

Customized Approach Objective:
POI devices are inspected at a frequency that addresses the entity’s risk. 

Applicability Notes:
This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment. 

Defined Approach Testing Procedures:

Purpose:
Entities are best placed to determine the frequency of POI device inspections based on the environment in which the device operates. 

Good Practice:
The frequency of inspections will depend on factors such as the location of a device and whether the device is attended or unattended. For example, devices left in public areas without supervision by the organization’s personnel might have more frequent inspections than devices kept in secure areas or supervised when accessible to the public. In addition, many POI vendors include guidance in their user documentation about how often POI devices should be checked, and for what – entities should consult their vendors’ documentation and incorporate those recommendations into their periodic inspections. 

9.5.1.3
Defined Approach Requirements: 
Training is provided for personnel in POI environments to be aware of attempted tampering or replacement of POI devices, and includes:

Customized Approach Objective:
Personnel are knowledgeable about the types of attacks against POI devices, the entity’s technical and procedural countermeasures, and can access assistance and guidance when required. 

Defined Approach Testing Procedures:

Purpose:
Criminals will often pose as authorized maintenance personnel to gain access to POI devices. 

Good Practice:
Personnel training should include being alert to and questioning anyone who shows up to do POI maintenance to ensure they are authorized and have a valid work order, including any agents, maintenance or repair personnel, technicians, service providers, or other third parties. All third parties requesting access to devices should always be verified before being provided access—for example, by checking with management or phoning the POI maintenance company, such as the vendor or acquirer, for verification. Many criminals will try to fool personnel by dressing for the part (for example, carrying toolboxes and dressed in work apparel), and could also be knowledgeable about locations of devices, so personnel should be trained to always follow procedures. 
Another trick that criminals use is to send a “new” POI device with instructions for swapping it with a legitimate device and “returning” the legitimate device. The criminals may even provide return postage to their specified address. Therefore, personnel should always verify with their manager or supplier that the device is legitimate and came from a trusted source before installing it or using it for business. 

Examples:
Suspicious behavior that personnel should be aware of includes attempts by unknown persons to unplug or open devices. 
Ensuring personnel are aware of mechanisms for reporting suspicious behavior and who to report such behavior to—for example, a manager or security officer—will help reduce the likelihood and potential impact of a device being tampered with or substituted.