PCI PIN Security v3.1

PIN Security Requirements:
29-2 Implement a documented “chain of custody” to ensure that all devices are controlled from receipt to placement into service. The chain of custody must include records to identify responsible personnel for each interaction with the devices.
Note: Chain of custody includes procedures, as stated in Requirement 29- 1, that ensure that access to all POI devices and other SCDs is documented, defined, logged, and controlled such that unauthorized individuals cannot access, modify, or substitute any device without detection.
Testing Procedures:
29-2.a Examine documented processes to verify that the chain of custody is required for devices from receipt to placement into service.
29-2.b For a sample of devices, examine documented records and interview responsible personnel to verify the chain of custody is maintained from receipt to placement into service.
29-2.c Verify that the chain-of-custody records identify responsible personnel for each interaction with the device.