I'm concerned about physical security of compliance-related systems, and I'm having a hard time finding information about the proper way to secure physical keys that open locked drawers to point-of-sale systems. Would it be PCI compliant to just hide keys around my desk or have them lying out rather than have them in a key safe or other secure measure? What are the PCI compliance requirements regarding physical point-of-sale security?
PCI DSS does not directly address the keys used to lock cash drawers in POS systems. If you really want to leave the keys lying around on your desk, you're probably not violating PCI DSS unless you're actually storing credit card numbers in those drawers (which you should not be doing anyway). That said, you should use good security practices, such as a safe, to protect the keys to drawers full of cash.
PCI DSS contains some provisions around physical point-of-sale security. Terminals are often in locations where it is difficult to provide strong physical security, such as at the front of retail stores. The standard requires that merchants take steps to protect devices from tampering, such as the installation of key loggers and skimmers that could steal payment card transaction data.
Merchants with POS systems must maintain a detailed inventory of those systems, including the make, model, location and serial number of each device used to capture payment card data. They must also periodically inspect devices for signs of tampering or unauthorized replacement. Finally, merchants must train staff on proper physical point-of-sale security procedures for POS terminals.