Frequently Asked Questions

< Back to search page

How does PCI DSS apply to payment terminals?

FAQ Response

Payment terminals (sometimes referred to as point-of-sales systems, point-of-interaction devices or payment devices) are physical devices that capture payment card data to process transactions.  Because these devices are directly involved in storing, processing and/or transmission of account data, they are part of an entity’s cardholder data environment (CDE) and are in scope for PCI DSS.

The PCI DSS requirements applicable to these terminals will vary depending on the type of device being used. For example, a more complex point-of-sale system with multiple applications and configuration options would require a greater number of PCI DSS controls than a simple payment terminal that has been locked down and secured by the manufacturer, or one that is connected via a dial-out phone line rather than connecting to a data network. 
Merchants should ensure that they are managing their devices per the applicable PCI DSS requirements – for example, Requirement 9.9 – and that any account data output from the device is suitably protected.   Merchants may need to review the vendor documentation for their payment device to understand if the device needs additional configuration to meet PCI DSS requirements.  For example, if the device is configured to output account data in clear-text, the merchant will need to implement their own encryption before sending the data over the Internet.

Payment devices must also be reviewed during a PCI DSS assessment to confirm that they are configured properly and that the security functions and settings have not been disabled.  For example, the assessor would verify that the terminal has not been configured by the merchant to store sensitive authentication data after authorization.

While PCI DSS does not specify the types of payment terminals to be used, some payment brands require the use of PTS-approved devices. Entities should contact their acquirer or the payment brands directly for information about any such requirements. The list of PTS-approved devices can be found here.

August 2014
Article Number 1300