CREDIT CARD TERMINAL SECURITY CHECKLIST (QUARTERLY) - PCI COMPLIANCE
Created by ChecklistGuro (https://checklistguro.com)

--- PHYSICAL SECURITY OF TERMINALS ---
[ ] Terminal Location Security Assessment (Secure – Visible and Protected / Potentially Vulnerable – Requires Mitigation / Insecure – Immediate Action Required)
[ ] Physical Security Controls in Place (check all that apply) (Cable Locks/Security Devices / Secure Enclosure/Mount / Visible to Staff / Away from Public Access / None)
[ ] Number of Terminals Locked/Secured
[ ] Notes on Physical Security Observations
[ ] Terminal Location (GPS Coordinates, if applicable)
[ ] Terminal Mobility Risk Assessment (Low – Rarely Moved / Medium – Occasionally Moved within a Controlled Area / High – Frequently Moved and Unsecured)

--- SOFTWARE AND FIRMWARE UPDATES ---
[ ] Last Firmware Update Date
[ ] Firmware Version Installed
[ ] Update Source Verification (Vendor Website / Payment Processor / Other (specify in long text))
[ ] If 'Other' was selected above, specify the update source:
[ ] Software Version Installed
[ ] Upload Screenshot of Terminal Software Version (optional)
[ ] Is Automated Update Enabled? (Yes / No)
[ ] If automated updates are disabled, describe the manual update process:

--- NETWORK SECURITY & CONNECTIVITY ---
[ ] Terminal Connection Type (Direct Ethernet / Wireless (Wi-Fi) / Dial/Modem / Other (specify in long text))
[ ] Wireless Encryption Protocol, if applicable (WPA2 / WPA3 / WEP (Not Recommended - Upgrade Immediately) / Not Applicable (Direct Ethernet))
[ ] Firewall Rule Review Frequency (in days)
[ ] Description of any VPN configurations (if applicable)
[ ] Network Segmentation (Terminals are on a segmented network / Terminals are on the main business network)
[ ] Last Network Scan Date
[ ] Details of any network intrusion detection/prevention systems (IDS/IPS) in place
[ ] Public Wi-Fi Usage (Terminals are never connected to public Wi-Fi / Terminals are connected to public Wi-Fi (Not Recommended - Requires Specific Measures))

--- MERCHANT ACCOUNT & CONFIGURATION ---
[ ] Confirm Merchant Category Code (MCC) is Accurate (Yes / No / N/A)
[ ] Confirm Maximum Transaction Limit (if applicable)
[ ] PIN Truncation Enabled? (Yes, Truncated / No, Not Required / N/A - No PIN Entry)
[ ] Verify Correct MID(s) are Active (Yes, all correct / No, requires investigation / N/A)
[ ] Document Any Merchant Account Configuration Changes
[ ] Is Address Verification System (AVS) Enabled? (Yes / No / N/A)

--- EMPLOYEE TRAINING & AWARENESS ---
[ ] Which of the following topics were covered in the employee's card terminal security training? (Cardholder Data Security (CDS) Best Practices / Phishing and Social Engineering Awareness / Physical Security of Terminals / Reporting Suspicious Activity / Proper Card Handling Procedures / Secure Password Management)
[ ] What is the employee's understanding of the importance of never leaving a terminal unattended? (Fully Understands / Somewhat Understands / Needs Further Training)
[ ] Briefly describe the employee's understanding of how to identify and respond to potential skimming devices.
[ ] Number of employees who received card terminal security training this quarter
[ ] Date of the employee's last card terminal security training
[ ] Does the employee understand the policy on verifying cardholder identification? (Yes / No / Unsure)

--- DATA ENCRYPTION & TOKENIZATION ---
[ ] Encryption Method Used (EMV Chip and PIN / SSL/TLS / HCE (Host Card Emulation) / Other (specify in long text))
[ ] Encryption Key Rotation Frequency (in days)
[ ] Is Encryption at Rest Implemented? (Yes / No / N/A)
[ ] Description of encryption key management practices (who manages the keys, how they are stored, and the rotation process)
[ ] Is Tokenization Used for Sensitive Cardholder Data? (Yes / No / N/A)
[ ] Tokenization Implementation Documentation (e.g., vendor agreements, configuration details)
[ ] Describe how cardholder data is protected during transmission (e.g., Transport Layer Security (TLS) version)

--- TERMINAL CONFIGURATION & SETTINGS ---
[ ] Terminal Timeout (Idle Time) in Minutes
[ ] PIN Truncation Enabled? (Yes / No / Not Applicable)
[ ] Dual-Swipe/Chip Enabled? (Yes / No / Not Applicable)
[ ] ECR Integration Method, if applicable (Direct Integration / Through Payment Gateway / Manual Entry / Not Applicable)
[ ] Maximum Transaction Amount Limit (if applicable)
[ ] Cardholder Verification Method (CVM) List Configuration (Online CVM / Offline CVM / As Per Processor Guidelines)
[ ] Notes/Comments Regarding Terminal Settings

--- INCIDENT RESPONSE & REPORTING ---
[ ] Date of Last Incident Response Drill
[ ] Briefly describe the incident response plan for card terminal compromise.
[ ] Who is responsible for initial incident reporting? (Store Manager / Designated Security Personnel / IT Department / Payment Processor Contact)
[ ] Estimated Time to Recover from a Compromised Terminal (in hours)
[ ] Which reporting entities are included in the incident response plan? (Payment Processor / Acquirer / PCI Security Council / Internal Security Team / Law Enforcement (if applicable))
[ ] Describe the process for securing physical evidence following a suspected breach.
[ ] Method of documenting incident details (Paper Log / Electronic System / Both)

--- END OF TEMPLATE ---