Protecting Cardholder Data
What is PCI PIN Security and why is it necessary?
The PCI Security Standards require that cardholder data (including PINs) is protected at all times. All entities that handle POS terminals (i.e., terminal distributors and manufacturers, PSPs, ISVs, and merchants) need to follow these standards. All entities need to have appropriate processes documented and in use, and all involved personnel need to be aware of these processes.
This document provides guidance only. The official PCI Security Standards Council's PIN Security Requirements always remain the applicable rule.
Your duties related to procuring, shipping, storing, using, and managing payment terminals include the following.
Procuring and shipping terminals
- Terminals must be procured from legitimate sources only, e.g. directly from the manufacturer or from an authorized reseller. Otherwise they cannot be used on our platform. Payworks can make the necessary introductions for you.
- Terminals must only be shipped by companies that allow tracking of the shipments.
- Retain shipping documents for possible warranty and inspection issues.
- Before they are deployed, terminals must be stored in a secure place (e.g. locked cabinet or room) that can only be accessed by authorized personnel. Unauthorized individuals must not be able to access, modify, or substitute any stored terminals (see our sample list of authorized personnel).
- Access to the stored terminals needs to be defined, documented and controlled (see our sample storage facilities log).
- Entities storing card terminals must keep written records of all their terminals. They have to conduct regular inventory checks (at least every 6 months) and implement monitoring procedures to protect their terminals and detect lost or stolen terminals (see our sample inventory statement).
Using and managing terminals
- Before enabling merchants to use a POS terminal, providers must educate them and give them clear instructions on how to use and store the terminal. You can use our sample merchant guidelines for this.
- Providers must be reachable by merchants so that manipulated, lost or stolen terminals can be deactivated.
Your merchants’ duties
- Before setting up or using a terminal, merchants must inspect it for possible manipulations.
- Merchants must not use a terminal if they suspect that it has been manipulated or replaced. They must notify their provider immediately, so that the terminal can be deactivated.
- Merchants must keep their terminals out of reach of unauthorized third parties and lock them away in a secure place (e.g. locked cabinet or room) when they are not in use (e.g. outside of business hours).
- Merchants must keep written records of all their card terminals and regularly compare these records to the terminals they actually have (at least every 6 months). Discrepancies need to be raised with the provider.
- Merchants must notify their providers immediately about all lost, stolen or manipulated terminals, so that they can be deactivated.
- Merchants must not modify, manipulate or operate their terminals in any unauthorized manner.
How we help you
The following merchant guidance and sample documents are provided to help you set up your processes for protecting cardholder data by managing your payment terminals. For assistance, contact your Solution Consultant or Card Present Support.
Merchant guidelines
The sample Merchant Guidelines contain a set of minimum guidelines about terminal handling that you must communicate to your merchants. You can use this document as a starting point and adjust the rules so that they fit your processes (as long as they provide at least the same level of security). You should refer to these rules in your terms and conditions.
List of authorized personnel
Use this sample List of Authorized Personnel to create a list of the team members or fulfillment provider staff who have access to the terminals in your storage.
Terminal inventory statement
Use this sample Terminal Inventory Statement as a template for your inventory statement and to conduct your regular inventories.
Storage facilities log
Use this sample Storage Facilities Log to log and track access to your terminal storage facilities.
A merchant notifies me about a lost, stolen, or manipulated terminal. What do I need to do?
Deactivate the terminal in the Gateway Manager and detach it from the merchant. Notify Payworks Customer Support so we can remove the terminal from our gateway.
Does using your product ensure my PCI compliance status and that I do not have to worry about the security of my terminals?
No. Using our products does not guarantee your PCI compliance status.
However, using our products and guidelines can help you and your merchants become more secure and protected while deploying your PCI-DSS and PCI-PIN compliant products. We help users and merchants manage terminals in a secure, PCI-compliant way by providing:
- Transparent documentation
- Merchant guidelines
- Sample documents
Terminal management and security remain the responsibility of the users and merchants.
In general, PCI DSS is intended for all entities involved in payment processing, including merchants (regardless of their size). The ultimate decision about whether a merchant has to validate its compliance, and how, is made by the respective payment schemes.
For more information about compliance, we encourage our users and merchants to contact their acquirer and PCI assessors.