FIN 2.10.04 Security of Payment Device Hardware
Purpose
These procedures are to protect the City’s inventory of payment card device hardware and to ensure compliance with the Payment Card Industry Data Security Standard (PCI DSS) requirement to restrict physical access to hardware that collects cardholder data. These procedures describe the requirements to maintain an inventory of payment card devices and to periodically inspect them to guard against tampering and/or unauthorized substitution. These procedures help City bureaus comply with the requirements of FIN 2.10 Electronic Payment Processing Services.
Scope
These procedures pertain to all payment card device hardware in use throughout the City, whether procured through Treasury from the City’s merchant bank or from a vendor as part of an electronic payment application that has been pre-approved by the City Treasurer.
Bureaus are responsible for implementing and complying with the following procedures for all device hardware issued to and in use in their respective bureaus.
Inventory of Payment Card Devices
- Maintain a current inventory of all hardware in the bureau. The inventory should record the equipment type and model number (e.g., Ingenico ICT250), the serial number (S/N), which is the unique alphanumeric identifier printed on the bottom of the device, the connectivity method (e.g., wireless, dial-up, IP/Ethernet), and the assigned bureau user, location, and workstation.
- Maintain inventory logs at the BTS/eGov website: Device Inventory
Note: Inventory logs are reviewed as part of the City’s annual PCI audit.
Security of Payment Card Devices
- Ensure no hardware is left unattended where such devices could be tampered with and/or stolen. Mount devices securely to the customer counter. Store all spare hardware in a secure location.
- Contact your supervisor and/or Treasury to have devices repaired, replaced, and/or securely disposed of. Do not allow access to non-City staff claiming to repair or replace devices.
Inspection of Payment Card Devices
1. Inspect all hardware at least quarterly. Track each device’s inspection dates, whether each device passed/failed inspection, and resolution for devices that did not pass inspection.
2. Validate the electronic serial number reported by the device against the serial number (S/N) printed on the terminal. A mismatch indicates the device has been substituted.
3. Inspect devices for tampering:
- Damaged or altered tamper seals, wiring, or labels
- Mismatched keypad keys
- False keypad overlay
- External wires other than the USB/power cable connected to the device
- Missing screws or visible scratching around the screws that hold the PIN pad case together
- Tinfoil or other metallic material or electronic device placed in the card scanning area
- Holes in the terminal or anything else unusual
4. If a device fails inspection, immediately stop using it and notify your supervisor.
5. Report devices that consistently do not work properly. A high card decline rate or frequent mag-stripe read failures can be indicators of a tampered device.
Note: Inspection logs are reviewed as part of the City’s annual PCI audit.
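As an added example, not part of the City’s procedure or of any City system: a small Python model of the inventory and inspection log described above, with the step 2 serial-number check and a report of devices that are overdue for quarterly inspection or that failed without a recorded resolution. The 92-day maximum gap, the field names and the sample devices are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import timedelta
# Assumption: "at least quarterly" is enforced as a maximum gap of 92 days.
MAX_INSPECTION_GAP = timedelta(days=92)

@dataclass
class Device:
    """One inventory row with the fields the procedure requires."""
    model: str          # equipment type and model, e.g. "Ingenico ICT250"
    serial: str         # S/N printed on the bottom of the device
    connectivity: str   # wireless, dial-up or IP/Ethernet
    user: str
    location: str
    workstation: str
    # (inspection date, passed, resolution); resolution stays "" until fixed
    inspections: list = field(default_factory=list)

def serial_matches(device, electronic_serial):
    """Step 2: compare the S/N the terminal reports with the inventory S/N;
    a mismatch is the procedure's indicator of device substitution."""
    return electronic_serial.strip().upper() == device.serial.strip().upper()

def record_inspection(device, when, electronic_serial, findings, resolution=""):
    """Steps 1-3: log an inspection; a serial mismatch or any tamper finding fails it."""
    passed = serial_matches(device, electronic_serial) and not findings
    device.inspections.append((when, passed, resolution))
    return passed

def needs_action(device, today):
    """Return why a device needs attention before the annual PCI audit, or None."""
    if not device.inspections:
        return "never inspected"
    when, passed, resolution = max(device.inspections)   # most recent entry
    if not passed and not resolution:
        return "failed inspection without resolution: stop using the device"
    if today - when > MAX_INSPECTION_GAP:
        return "quarterly inspection overdue"
    return None

def audit_report(inventory, today):
    """Map serial -> reason for every device in the inventory that needs action."""
    reasons = ((d.serial, needs_action(d, today)) for d in inventory)
    return {serial: why for serial, why in reasons if why}

# Constructed sample inventory, not real City devices.
SAMPLE_INVENTORY = [
    Device("Ingenico ICT250", "ICT-0001", "IP/Ethernet", "A. Clerk", "Lobby", "WS-12"),
    Device("Ingenico ICT250", "ICT-0002", "wireless", "B. Clerk", "Window 3", "WS-14"),
    Device("Ingenico ICT250", "ICT-0003", "dial-up", "C. Clerk", "Window 4", "WS-15"),
]
```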
Related Policy
CFMP FIN 2.10 Electronic Payment Processing Services
Authority
In accordance with FIN 2.02 Comprehensive Financial Management Policies Overview, the City Treasurer is authorized to develop and implement procedures in support of the CFMP.
History
Adopted by the City Treasurer, February 3, 2016.