
Payment facilitators like Stripe provide card payment terminals to their customers. These devices must be periodically inspected, per requirement 9.5.1.2. How does the payment facilitator handle this, given that they don't have physical access to the terminals? I can see two possibilities:

  1. The customer commits to performing the inspection on schedule as an agent of the payfac
  2. The payfac acts as a service provider and req. 9.5.1.2 is in the customer's part of the shared responsibility matrix - the customer in this case is required to ensure that they remain PCI DSS compliant.

Please ignore whether a customer is in reality likely to live up to its obligations - I'm really interested in what the terms and conditions specify regarding this requirement. Implementation is the next problem.

My research so far: it's been difficult to find anything that addresses this specifically. For example, in SumUp's T&Cs they say "you assume title, risk, and responsibility for all Third Party Materials, including hardware or equipment purchased from third parties." ('Third Party Materials' has previously been defined to include hardware such as payment terminals.) Regarding PCI DSS, they simply say that they are in compliance, without AFAICT explicitly requiring their customers to also be compliant.

Some more relevant information (such as the periodic procedures themselves) can be found at the PCI approved device list, for example this security policy for the WisePad Q. This is helpful as it reduces the scope to only installed/in-operation devices (and allows the payfac to just say "follow the manufacturer's security recommendations" to the customer), but doesn't quite answer my question about what payment facilitators tell their customers in practice.

  • This page seems to talk about it being the responsibility of the owner/user of the devices, but – from a quick search – I've not found the actual clause to check this... perhaps edit it in to the question.
    – TripeHound
    Commented Jun 26 at 17:04
  • I've added some relevant information I've dug up to the question. Looking up the device vendor docs has satisfied me that all we need to do is add a clause to our contracts telling the customer to follow the vendor's security docs, but I am still intellectually curious about what the big players actually say about this (if anything).
    – aantia
    Commented Jun 27 at 10:07

1 Answer

The key thing to remember about PCI is that it's not a law, and that it's largely up to the payment provider to decide the extent to which they want to make their clients comply with it.

A provider (like Stripe) can say to their merchants that they don't have to meet specific requirements of PCI DSS. And if the merchant ends up losing cardholder data because of that, then Stripe will probably not be able to pass the fines they receive from the payment brands (Visa/Mastercard/etc) on to the merchant. And that's purely a business decision - if they think they make more money by attracting customers with less compliance requirements than they'll lose in fines, then that's a business decision.

So the payment provider can either:

  • Require the merchant to regularly inspect the devices through their contract (either specifically, or by saying they need to comply with all the relevant requirements of PCI DSS).
  • Waive this requirement and accept the risk of fines if a device does get tampered with.

You should be able to find Stripe's T&Cs for merchants somewhere (or ask them) to find out which approach they take.

  • Or provide automated inspection via tamper detection and tamper resistance.
    – vidarlo
    Commented Jun 27 at 14:02