• caglararli@hotmail.com
  • 05386281520

How do payment facilitators like Stripe handle the PCI DSS requirement to periodically inspect POI devices?

Çağlar Arlı      -    60 Views

How do payment facilitators like Stripe handle the PCI DSS requirement to periodically inspect POI devices?

Payment facilitators like Stripe provide card payment terminals to their customers. These devices must be periodically inspected, per requirement 9.5.1.2. How does the payment facilitator handle this, given that they don't have physical access to the terminals? I can see two possibilities:

  1. The customer commits to performing the inspection on schedule as an agent of the payfac
  2. The payfac acts as a service provider and req. 9.5.1.2 is in the customer's part of the shared responsibility matrix - the customer in this case is required to ensure that they remain PCI DSS compliant.

Please ignore whether a customer is in reality likely to live up to its obligations - I'm really interested in what the terms and conditions specify regarding this requirement. Implementation is the next problem.

My research so far: it's been difficult to find anything that addresses this specifically. For example, in SumUp's T&Cs they say "you assume title, risk, and responsibility for all Third Party Materials, including hardware or equipment purchased from third parties." ('Third Party Materials' has previously been defined to include hardware such as payment terminals.) Regarding PCI DSS, they simply say that they are in compliance, without AFAICT explicitly requiring their customers to also be compliant.

Some more relevant information (such as the periodic procedures themselves) can be found at the PCI approved device list, for example this security policy for the WisePad Q. This is helpful as it reduces the scope to only installed/in-operation devices (and allows the payfac to just say "follow the manufacturer's security recommendations" to the customer), but doesn't quite answer my question about what payment facilitators tell their customers in practice.