Scanning POS Devices

Per PCI-DSS Requirement 9.9, we need to scan card-reading devices and terminals since they capture cardholder data. Currently these devices fall under general scope and we scan them with a “Full Audit” template. However, I am a bit skeptical about the accuracy of the data we are getting from the scans. Has anyone had experience with scanning the card-readers on Rapid7?

Thanks,
AL

I recommend checking with the POS vendor and validating the base OS the software is running on. Often these are running on (minimal) Unix/Linux, but it could very well be a Windows or even IoT RTOS flavor. This will be the first part of answering your question.