Docs Illinois State

Physical Device Inspection Procedures


The purpose of this document is to create a written record of procedures followed to support various PCI requirements including 9.9.1 maintaining a device list, 9.9.2 inspecting devices to detect tampering or substitution, 2.4 maintaining an inventory of in-scope systems, 11.1 testing for wireless access points, and 12.3.4 maintaining accurate labeling.

Daily Merchant Inspection

Merchants are responsible for a daily inspections of all E-Commerce equipment under their management. Merchants are expected to inspect:

  • Payment card terminals, virtual terminals, and Sophos REDs (the white box devices, if present) for signs of tampering, such as a card skimmer or stripped screw heads
    • Ask yourself, does the device look damaged or altered?
  • Payment card terminals, virtual terminals, and Sophos REDs (the white box devices, if present) for signs of substitution, such as an incorrect serial number or different device characteristics
    • As yourself, does the device look like a different device than was last here?
  • Labels to ensure they are present and legible
    • Ask yourself, can identifying labels be easily read?
  • Devices are in the standard setup and configuration
    • Ask yourself, is everything plugged in correctly? Are any extra devices plugged in?

Reporting Issues

If an employee determines that a device needs attention during inspection, you may report an issue by completing the Report a Problem form, emailing, or calling 8-4PCS.

E-Commerce Inspection

Every quarter, a member or designee of the E-Commerce Committee will perform an unannounced walkthrough of all PCI-compliant equipment.

During the walkthrough, the following will be completed:

  • Inventory verified as accurate
    • REDs
      • Short ID
      • Serial Number
      • Make/Model
      • MAC address
    • Terminals
      • Serial number
      • Make/Model
      • MID
      • TID
      • MAC address
    • Virtual Terminals
      • ISU Tag #
      • Make/Model
      • MAC Address
  • Each device has a valid, undamaged identifying label. Labels should have:
    • Identification of the device as a secure e-commerce device
    • Contact information for Payment Card Support
    • Identifying information for the device such as a tag number, serial number, or other ID number
  • Each device is in the correct documented location
  • No man-in-the-middle devices are between networked components
  • No unapproved devices (including wireless access points) are connected to any approved devices
  • Each device is sealed with no evidence of tampering