Retail Store Technology Audit Checklist
Quarterly review a store manager runs with the IT lead or MSP to verify POS hardware, software, networking, backups, and PCI-relevant controls across a retail location. Covers patch state, segmentation, backup restores, and the ASV scan that feeds the SAQ.
Hardware Inventory
- Inventory POS terminals and pinpads
Walk every register and back-office station. Record make/model, serial number, and firmware version of each POS terminal and EMV pinpad. Flag any unit running firmware older than the vendor's current release — out-of-date pinpads are the most common SAQ B-IP finding.
- Test barcode scanners at every register
Scan a known SKU at each lane and confirm the price ties to the POS record. Misreads at checkout drive shrink and customer disputes — replace any wired scanner with intermittent reads and any wireless scanner that won't hold a charge through a full shift.
- Inspect receipt printers and cash drawers
Open and close every drawer with a no-sale and a void; confirm the printer cuts cleanly and the trigger cable seats. Stuck drawers and shredded receipts both push cashiers toward manual workarounds that defeat the audit trail.
- Audit back-office workstations and stockroom tablets
Confirm the manager workstation, receiving PC, and any handheld counting tablets are on the asset register. Decommission anything that hasn't logged in within the last 90 days — orphan devices are a known pivot path for skimmer malware.
- Inspect wireless access points and switches
Photograph the IDF and confirm each AP and switch matches the network diagram. Look for any unauthorized device piggybacking on a wall jack — a common ORC technique is to drop a small Wi-Fi bridge behind a display fixture.
Software and Patching
- Confirm POS software version against vendor release notes
Check the build number reported by Lightspeed / Square / Shopify POS / Counterpoint against the vendor's current release. Vendors push EMV and PCI fixes silently; a terminal more than two minor versions behind has likely missed at least one security patch.
- Verify OS patch level on POS terminals
Pull the patch report from the RMM. Windows POS terminals running unpatched builds are the textbook vector for RAM-scraper card-skimming malware. Anything more than 30 days behind the current cumulative update needs a patch window.
- Audit installed applications against the approved list
Compare the RMM's installed-software inventory to the approved baseline. Common findings: associates installing remote-support tools (TeamViewer, AnyDesk) on the back-office PC, or browser toolbars on the receiving workstation. Both expand PCI scope.
- Update endpoint antivirus signatures
Confirm every POS terminal, back-office PC, and stockroom tablet has checked in to the AV console within the last 7 days. A device that hasn't checked in is almost always offline or has a broken agent — both count as failed PCI Requirement 5.
- Review POS user accounts and disable inactive logins
Pull the cashier roster from the POS and reconcile against the active employee list in the WFM (Homebase, Deputy, UKG). Disable any cashier ID for an associate who left more than 14 days ago. Shared logins must be replaced with named accounts — a hard PCI Requirement 8 fail otherwise.
- Schedule a POS patch window with the MSP
Book the patch window outside trading hours — most stores schedule between close and 4am. Confirm the MSP has the rollback plan documented and that a manager will be on-call in case a terminal fails to come back up before opening.
Networking and Connectivity
- Verify VLAN segmentation between POS and guest Wi-Fi
From the guest SSID, attempt to reach the POS VLAN gateway and a POS terminal IP. Both should be blocked at the firewall. Flat networks where guest Wi-Fi can route to the POS subnet are the single most common reason a small retailer fails PCI Requirement 1.
- Test the failover internet connection
Unplug the primary WAN and confirm the LTE or secondary fiber takes over within the SLA window. Time how long it takes the POS to resume card authorization — most stores discover their failover during a real outage, not before.
- Review firewall rules against the documented baseline
Export the running config and diff it against the baseline in version control. Look for temporary rules added during a vendor visit and never removed — those silently drift the configuration out of PCI compliance.
- Pull network monitoring alerts from the quarter
Export alerts from the monitoring tool (Auvik, Meraki Dashboard, PRTG). Flag repeated AP disconnects, switch port flaps, and any after-hours traffic spikes. Persistent off-hours traffic from a POS terminal warrants a deeper look.
Storage and Backup
- Confirm nightly POS database backup ran
Pull the backup log for the last 14 nights. A green job that ran in 4 seconds is not a backup — confirm the file size matches the prior week. Tiny backups usually mean the agent lost its lock on the database file.
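The two tests this step describes (a "green" job that finished in seconds, and a file size that no longer matches the prior week) as a script the IT lead can run over the exported log. This is an added example, not the checklist's or any backup vendor's tooling; the log layout (date, status, seconds, bytes) and the sample nights are constructed, so adapt parse_log() to what your agent actually writes.

```python
# Added example for the nightly-backup step; the log layout and sample are
# constructed, not a real backup agent's format.
from datetime import date
from statistics import median

MIN_SECONDS = 60       # a real POS database dump does not finish in 4 seconds
SIZE_TOLERANCE = 0.25  # flag sizes more than 25% off the prior week's median

# Constructed sample covering 14 nights: one bogus 4-second "green" job with a
# tiny file, one failed job, and one night with no job logged at all.
SAMPLE_LOG = """\
2024-03-01 SUCCESS 318 1498203011
2024-03-02 SUCCESS 322 1501377482
2024-03-03 SUCCESS 315 1503990127
2024-03-04 SUCCESS 330 1506011903
2024-03-05 SUCCESS 319 1508877310
2024-03-06 SUCCESS 324 1511209044
2024-03-07 SUCCESS 327 1513756821
2024-03-08 SUCCESS 4 1048576
2024-03-09 SUCCESS 321 1518400133
2024-03-10 FAILED 12 0
2024-03-12 SUCCESS 326 1523119488
2024-03-13 SUCCESS 329 1525600711
2024-03-14 SUCCESS 331 1527884930
"""

def parse_log(text):
    """Return [(date, status, seconds, bytes)] sorted by date."""
    jobs = []
    for line in text.splitlines():
        day, status, secs, size = line.split()
        jobs.append((date.fromisoformat(day), status, int(secs), int(size)))
    return sorted(jobs)

def audit_backups(jobs):
    """Return [(date, reason)] findings; an empty list means the fortnight is clean."""
    findings = []
    for i, (day, status, secs, size) in enumerate(jobs):
        if i and (day - jobs[i - 1][0]).days > 1:
            findings.append((day, "gap: %d night(s) with no job logged"
                             % ((day - jobs[i - 1][0]).days - 1)))
        if status != "SUCCESS":
            findings.append((day, "job status %s" % status))
            continue
        if secs < MIN_SECONDS:
            findings.append((day, "finished in %ds, too fast for a real dump" % secs))
        # Compare against the median size of the preceding week's successful jobs;
        # the median keeps one bogus tiny file from skewing later comparisons.
        prior = [s for _, st, _, s in jobs[max(0, i - 7):i] if st == "SUCCESS" and s]
        if prior and abs(size - median(prior)) / median(prior) > SIZE_TOLERANCE:
            findings.append((day, "%d bytes vs prior-week median %d"
                             % (size, median(prior))))
    return findings
```

Run it over the real export and attach the findings list to the MSP ticket; a clean fortnight returns an empty list.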
- Test restore from the most recent backup
Restore the prior night's backup to a sandbox VM and open the POS database. Verify yesterday's transactions are present and reconcile to the Z-report total. A backup nobody has restored is a backup nobody knows is broken.
- Verify off-site backup retention meets policy
Confirm the off-site copy (S3, Backblaze, Datto cloud) holds daily for 30 days, weekly for 90 days, and monthly for 12 months — or whatever the documented policy says. State data-breach notice exposure is materially easier to scope when you can prove what was lost.
- Confirm cardholder data is not stored on POS terminals
Run a PAN-finder scan (e.g., Spirion, ccsrch) against the POS local drives and any back-office shares. Tokenized terminals should return zero. A hit on a back-office PC almost always traces to an exported transaction report somebody dumped to the desktop.
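What a PAN-finder actually does under the hood, as an added example: it is a minimal stand-in for tools like ccsrch or Spirion, not their code. Candidates are 13-19 digit runs (spaces or dashes allowed) that pass the Luhn check, and every hit is reported masked (first six, last four) so the scan report is not itself cardholder data. The sample report is constructed and uses the public test card numbers.

```python
# Added example for the PAN-finder step; a stand-in for ccsrch/Spirion, not their
# code. The sample report below is constructed.
import re
from pathlib import Path

# No digit may touch either end, so a 20-digit run is not mistaken for a 19-digit card.
CANDIDATE = re.compile(r"(?<!\d)(?<!\d[ -])(?:\d[ -]?){12,18}\d(?![ -]?\d)")

def luhn_ok(digits):
    """Mod-10 check every card brand applies; rejects most order IDs and serials."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch) * 2 if i % 2 else int(ch)
        total += n - 9 if n > 9 else n
    return total % 10 == 0

def mask(digits):
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text):
    """Return masked PANs found in a block of text, in order of appearance."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        # len(set) > 1 drops all-same-digit runs such as a zeroed serial number.
        if luhn_ok(digits) and len(set(digits)) > 1:
            hits.append(mask(digits))
    return hits

def scan_tree(root, suffixes=(".csv", ".txt", ".log", ".xml", ".json", ".html")):
    """Walk a drive or share; return {path: [masked hits]} for plain-text files.
    Binary formats (xlsx, pdf) need their own extractors and are skipped here."""
    report = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            hits = find_pans(p.read_text(errors="ignore"))
            if hits:
                report[str(p)] = hits
    return report

# Constructed sample of an exported transaction report left on a desktop.
# The card numbers are the well-known public test PANs, not real cards.
SAMPLE_REPORT = """\
txn_id,ts,auth,amount,card
1234567890123456,2024-03-08T14:02:11,tok_9f8e7d6c5b4a,42.10,************1111
1234567890123457,2024-03-08T14:05:48,tok_0a1b2c3d4e5f,18.99,4111 1111 1111 1111
1234567890123458,2024-03-08T14:07:02,tok_5f4e3d2c1b0a,210.00,378282246310005
store phone 555-0100-1234 serial 0000000000000000
"""
```

On a tokenized store the first two report rows (masked PAN, token) are what every row should look like; the third and fourth rows are the kind of export that puts a back-office PC into PCI scope.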
- Open a ticket with the MSP for backup failure
Log the ticket with restore evidence attached — error messages, log excerpts, the size discrepancy. A failed restore test is a P2 ticket; don't let it sit in the queue behind printer requests.
Security and PCI Compliance
- Run the quarterly ASV vulnerability scan
Kick off the external scan with the PCI-approved ASV (Trustwave, SecurityMetrics, ControlScan). Scope is the public IP serving the store. A passing scan is required quarterly to attach to the SAQ — schedule the rescan window now in case findings come back.
- Remediate ASV findings and schedule a rescan
Work the findings by CVSS, starting with anything at 7.0 or above. Common culprits at the retail edge: weak TLS on the guest portal, an exposed router admin page, default SNMP community strings. Book the rescan within 14 days so the quarter doesn't lapse non-compliant.
- Complete the PCI SAQ for the current period
Fill out the right SAQ for your environment — B-IP for IP-connected pinpads with tokenization, C for integrated POS, D for everything else. Attach the passing ASV report and the signed Attestation of Compliance.
- Review CCTV recording coverage and retention
Confirm every register, the safe, the receiving door, and the sales floor entry are in frame and recording. Pull footage from a random hour in the prior week to confirm retention. Sensormatic and Verkada both quietly drop cameras when PoE flaps — check the camera tile, not just the storage stat.
- Audit physical access to the network closet
Confirm the IDF is locked, the key list is current, and no unmarked cables run out of the rack. Vendors leave behind dongles and USB drives — pull anything not on the asset list and bag it for investigation.
- Reconcile badge access list against active roster
Export the badge or door-code list and reconcile against the active payroll roster from the WFM. Disable codes for anyone separated in the prior quarter. Old door codes are a recurring finding in internal-theft investigations.
- Sign off on the quarterly IT audit
Store manager and IT lead (or MSP account manager) review findings together. Capture the result, any open remediation items, and a signature for the audit binder. Open items roll forward to next quarter's run.