Requirement 9.9 applies to which devices in card-present transactions?

• A. Card-reading devices used at the point of sale; not intended for manual key-entry components.
• B. Manual keyboards and POS keypads only.
• C. Mobile phones used by customers.
• D. Any device connected to the internet.

Answer: (A)

Protecting devices that capture card data during card-present transactions. This requirement focuses on the card-reading equipment at the point of sale, which should be used solely for reading data from the card and not for manually entering cardholder data. Keeping these readers separate from any manual-entry capabilities reduces the risk that a single device could be tampered with or used to capture data through an alternative input path, potentially bypassing protections. The other options describe inputs or devices not specifically the POS card-reading hardware targeted by this rule: manual keyboards and keypad inputs are separate from readers, mobile phones used by customers aren’t the reader devices, and any internet-connected device is outside this particular scope of card-present data capture.