Keeping a List of Card-Reading Devices
If your organization uses devices that physically interact with cardholder data (card-reading devices), PCI Requirement 9.9.1 requires that you maintain an up-to-date list of those devices. The list should be updated whenever a device is added, relocated, decommissioned, and so on. The list should include:
- Make and model of a device
- Location of a device
- Serial number of a device or other unique identification
The list can be maintained automatically (by a device-management system) or manually (as electronic or paper records), but all of the information above must be recorded. The purpose of the requirement is to keep track of where each device is supposed to be, so that if a device goes missing, the list lets you identify that quickly.
An assessor will most likely take a sample from your list of card-reading devices and attempt to locate them based on the information the list provides. Assessors may also have members of your staff take part in this exercise to confirm that PCI Requirement 9.9.1 is implemented.
Wherever you have a device that physically interacts with cardholder data, PCI Requirement 9.9.1 requires that you maintain a list of these devices. The list covers several things: the make, the model, and a description of where the device is and what it looks like, all of which help identify where these devices are and what they are. Your assessor is going to ask you for that list of any devices that physically interact with cardholder data and look for a unique identifier, such as a serial number or something else that makes the entry unique to that particular asset. For this requirement, maintain the list. In subsequent requirements, we’ll talk about the assessment activities around that particular list.
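The following is an added example, not code from the original article or from any PCI SSC publication. It shows one way to keep the 9.9.1 device list as a machine-checkable record (a CSV with the make, model, location and serial fields named above), enforce that every entry carries those fields with a unique serial, and reconcile the list against what a physical walkthrough actually found, which is how a missing, relocated or unlisted device surfaces. The `status` column, the `sample_for_walkthrough` helper, and all serials and locations are assumptions constructed for the example.

```python
import csv
import io
import random
from dataclasses import dataclass

# The fields PCI Requirement 9.9.1 asks for (serial = unique identifier).
REQUIRED_FIELDS = ("serial", "make", "model", "location")

# Constructed sample inventory; "status" is a hypothetical extra column
# used here to keep decommissioned devices on record without expecting
# to find them on the floor.
INVENTORY_CSV = """serial,make,model,location,status
SN-0001,AcmePay,P100,Store 12 / Lane 1,active
SN-0002,AcmePay,P100,Store 12 / Lane 2,active
SN-0003,AcmePay,P200,Store 12 / Customer Service,active
SN-0004,AcmePay,P200,Store 14 / Lane 1,decommissioned
"""

# Constructed result of a physical walkthrough: serial -> where it was found.
OBSERVED = {
    "SN-0001": "Store 12 / Lane 1",   # where the list says it should be
    "SN-0003": "Store 12 / Lane 2",   # moved without updating the list
    "SN-0099": "Store 12 / Lane 3",   # not on the list at all
}


@dataclass(frozen=True)
class Device:
    serial: str     # serial number or other unique identification
    make: str
    model: str
    location: str   # where the device is supposed to be
    status: str     # hypothetical: "active" or "decommissioned"


def load_inventory(csv_text: str) -> dict:
    """Parse the device list, rejecting rows that lack a required field
    or reuse a serial number, so the list stays usable as a control."""
    inventory = {}
    # Row numbers start at 2 because line 1 of the CSV is the header.
    for row_num, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        missing = [f for f in REQUIRED_FIELDS if not (row.get(f) or "").strip()]
        if missing:
            raise ValueError(f"row {row_num}: missing required field(s) {missing}")
        serial = row["serial"].strip()
        if serial in inventory:
            raise ValueError(f"row {row_num}: duplicate serial {serial}")
        inventory[serial] = Device(
            serial,
            row["make"].strip(),
            row["model"].strip(),
            row["location"].strip(),
            (row.get("status") or "active").strip(),
        )
    return inventory


def reconcile(inventory: dict, observed: dict) -> dict:
    """Compare the list against what was physically found. Returns the
    discrepancies a walkthrough should raise: devices on the list that
    were not found, devices found that are not on the (active) list, and
    devices found somewhere other than their recorded location."""
    expected = {s: d for s, d in inventory.items() if d.status == "active"}
    result = {"missing": [], "unknown": [], "relocated": []}
    for serial, device in expected.items():
        if serial not in observed:
            result["missing"].append(serial)
        elif observed[serial] != device.location:
            result["relocated"].append((serial, device.location, observed[serial]))
    for serial in observed:
        if serial not in expected:
            result["unknown"].append(serial)
    return result


def sample_for_walkthrough(inventory: dict, n: int, seed: int = 0) -> list:
    """Pick n active devices to go and physically locate, mirroring the
    way an assessor samples from the list. Seeded for reproducibility."""
    active = sorted(s for s, d in inventory.items() if d.status == "active")
    return random.Random(seed).sample(active, min(n, len(active)))


if __name__ == "__main__":
    inv = load_inventory(INVENTORY_CSV)
    print("sample to locate:", sample_for_walkthrough(inv, 2))
    for kind, items in reconcile(inv, OBSERVED).items():
        print(f"{kind}: {items}")
```

Run against the constructed data, the reconciliation reports SN-0002 as missing, SN-0099 as unknown, and SN-0003 as relocated from Customer Service to Lane 2. Any of those is a finding to chase down and, once explained, a reason to update the list, which is the ongoing maintenance the requirement expects rather than a one-off inventory.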