E-Commerce

PCI DSS P2PE-Compliant Device Standard

Last modified 11/20/2024

Purpose

The purpose of this standard is to establish secure and compliant guidelines for managing validated PCI-listed Point-to-Point Encryption1 (P2PE) solutions. Point of interaction (POI) devices1 process extremely sensitive cardholder data (CHD) and are a prime target for attackers, as the processing of cardholder data creates a significant business-critical exposure, and compromised cardholder data is easily monetized by attackers.

By implementing this standard, the University seeks to ensure compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) and mitigate risks posed by utilizing physical POI devices on campus. This approach balances providing effective guidance for managing POI devices while allowing University units freedom to maintain individual processes and procedures.

Scope

This standard applies to all University-managed point of interaction devices ("devices"), support teams, and merchant units within the scope of the Point-to-Point Encryption (P2PE) Self Assessment Questionnaire (SAQ)2, including laptops, desktops, dedicated payment card terminals, and other validated PCI-listed P2PE solutions. This standard exclusively applies to devices, support teams, and merchant units governed by the Payment Card Industry Data Security Standard.

Standard

Devices, support teams, and merchant units must maintain and follow documented processes, procedures, and/or configurations in accordance with the following criteria:

  1. Support teams, devices, and merchant units must be compliant with the latest version of the PCI DSS P2PE Standard.
  2. Support teams must maintain an up-to-date list of devices ("inventory") including device make and model, device location, device serial number, and attached University network port identifiers.
  3. Support teams must inspect devices at least quarterly and upon receipt of a merchant unit report. Inspection results must be electronically documented in the University ticketing system.
  4. Support team inspections must include at a minimum:
    1. Identifying any unexpected attachments or cables leading to or from the device.
    2. Verifying the integrity and readability of all University and service provider labels.
    3. Inspecting devices for signs of tampering such as broken or compromised casing.
    4. Verifying the accuracy of all inventoried fields including device make and model, device location, device serial number, and attached University network port identifiers.
    5. Checking for card skimmers1 at all card interaction points (magnetic stripe "swipe" readers, chip reader "dip" ports, near field communication "tap" readers).
    6. Reporting indicators of compromise or other concerns identified during inspection to the Payment Card Support team3.
  5. Merchants using devices in scope of this standard must incorporate the following into staff training:
    1. Verifying the identity of any persons before granting access to modify or troubleshoot devices.
    2. Ensuring devices are not installed, replaced, or returned without verification.
    3. Monitoring for suspicious behavior around or directly with devices.
    4. Reporting suspicious behavior and indications of device tampering or substitution to support teams.
  6. Devices shall not be assigned a public IP address.
  7. Devices shall only be connected to the University network where network segmentation is configured to limit connectivity to the Internet and only necessary internal systems.
  8. Devices must be maintained with the latest available firmware and software versions installed as released by the device's service provider.
  9. Device administrator access, including administrative passwords, must be exclusively used by support teams.
  10. Devices must be exclusively operated by University faculty/staff.

Exceptions

While this standard is intended to apply comprehensively, there may be instances where certain devices or support teams are unable to meet the full requirements. In such cases, exceptions must be formally requested and reviewed.

Requests for exceptions must be submitted to Payment Card Support through the university’s ticketing system or by emailing paymentcardsupport@ilstu.edu. Each request must include:

  • The information technology team and functional business units associated with the exception request
  • POI device identifiers affected by the exception
  • A detailed use case explaining why the exception is necessary and what compensating security controls, if any, will be implemented

Payment Card Support, Information Security Office, and the E-Commerce Committee will mutually review all exception requests in accordance with the Information Security Program's exception management process. Approval will be granted only when it is determined that operational needs outweigh the security risks, and where appropriate compensating controls are in place to mitigate those risks. All approved exceptions will be documented, periodically reviewed, and may be subject to additional security monitoring.

Additional Information

Footnotes

The following information provides supporting information referenced in the other sections of this document:

  1. Payment card industry (PCI) definitions are maintained by the PCI Security Standards Council (SSC) at the PCI SSC website Glossary including Payment Cards, Payment Card Industry Data Security Standard (PCI DSS), Point of Interaction (POI), Point-to-Point Encryption (P2PE), Self Assessment Questionnaire (SAQ), and more.
  2. P2PE SAQ: The PCI SSC reporting tool used to document self-assessment results from an entity’s PCI DSS assessment - specific to PCI-validated Point-to-Point Encryption (P2PE) solutions. The P2PE self-assessment document is maintained by the PCI SSC.
  3. Payment Card Support: The cross-functional support team for PCI DSS and payment card devices. You may contact a team member directly, submit a ticket to Payment Card Support, or email paymentcardsupport@ilstu.edu. 

Supporting References

The following information provides supporting references that informed the development of this standard:

https://policy.illinoisstate.edu/technology/9-8/

https://policy.illinoisstate.edu/fiscal/cashier/7-5-2/

https://listings.pcisecuritystandards.org/documents/PCI-DSS-v4-0-SAQ-P2PE.pdf

https://www.pcisecuritystandards.org/glossary/

https://campusguard.com/post/pci-dss-v4-0-device-inspections/

PCI DSS Guidance

Illinois State University complies with the PCI DSS framework to ensure our cybersecurity measures effectively meet compliance and mitigate risks associated with payment card processing. PCI DSS P2PE requirements relevant to this standard are documented here.

9.1.1 All security policies and operational procedures that are identified in Requirement 9 are Documented, Kept up to date, In use, and Known to all affected parties.

9.5.1 POI devices that capture payment card data via direct physical interaction with the payment card form factor are protected from tampering and unauthorized substitution, including the following: Maintaining a list of POI devices, Periodically inspecting POI devices to look for tampering or unauthorized substitution, and Training personnel to be aware of suspicious behavior and to report tampering or unauthorized substitution of devices.

9.5.1.1 An up-to-date list of POI devices is maintained, including Make and model of the device, Location of device, and Device serial number or other methods of unique identification.

9.5.1.2 POI device surfaces are periodically inspected to detect tampering and unauthorized substitution.

9.5.1.3 Training is provided for personnel in POI environments to be aware of attempted tampering or replacement of POI devices, and includes:

  • Verifying the identity of any third-party persons claiming to be repair or maintenance personnel, before granting them access to modify or troubleshoot devices.
  • Procedures to ensure devices are not installed, replaced, or returned without verification.
  • Being aware of suspicious behavior around devices.
  • Reporting suspicious behavior and indications of device tampering or substitution to appropriate personnel.