E-Commerce

Physical Device Inspection Procedures

Last modified 4/10/2024

Overview

The purpose of this document is to create a written record of procedures followed to support various PCI requirements including 9.9.1 maintaining a device list, 9.9.2 inspecting devices to detect tampering or substitution, 2.4 maintaining an inventory of in-scope systems, 11.1 testing for wireless access points, and 12.3.4 maintaining accurate labeling.

Daily Merchant Inspection

Merchants are responsible for daily inspections of all E-Commerce equipment under their management. Malicious actors may attempt to tamper with or swap out E-Commerce devices. Daily device inspections reduce each merchant's risk by catching tampering or substitution early.

Merchants' daily equipment inspections should include the following:

  • Verify that all PCI equipment labels are present and legible
    • Ask yourself: can identifying labels be easily read?
  • Confirm that PCI equipment is set up correctly
    • Ask yourself: is everything plugged in correctly? Are any extra devices plugged in?
  • Ensure that no other device has been substituted for the payment card terminals, virtual terminals, or Sophos REDs.
    • Ask yourself: does the device look different? Are the serial numbers or labels different from the original?
  • Check for signs of tampering (card skimmers, stripped screws) on payment card terminals, virtual terminals, and Sophos REDs.
    • Ask yourself: does the device look damaged or altered?

Reporting Issues

If you determine that a device needs attention, report the issue by emailing paymentcardsupport@ilstu.edu, calling the Payment Card Support Line at (309) 438-4727, or completing the Get IT Help form. When filling out the Get IT Help form, state in the 'Describe your request or issue' field that the Payment Card Support Team should be the team assigned to address the ticket.

E-Commerce Inspection

Every quarter, a member or designee of the E-Commerce Committee will perform an unannounced walkthrough of all PCI-compliant equipment.

During the walkthrough, the following will be completed:

  • Inventory verified as accurate
    • REDs
      • Short ID
      • Serial number
      • Make/Model
      • MAC address
    • Terminals
      • Serial number
      • Make/Model
      • MID
      • TID
      • MAC address
    • Virtual Terminals
      • ISU Tag #
      • Make/Model
      • MAC address
  • Each device has a valid, undamaged identifying label. Labels should have:
    • Identification of the device as a secure e-commerce device
    • Contact information for Payment Card Support
    • Identifying information for the device such as a tag number, serial number, or other ID number
  • Each device is in the correct documented location
  • No man-in-the-middle devices are between networked components
  • No unapproved devices (including wireless access points) are connected to any approved devices
  • Each device is sealed with no evidence of tampering