PCI Requirement 9.9.3 – Provide Training for Personnel to Be Aware of Attempted Tampering or Replacement of Devices

by Randy Bartels / January 31st, 2018

Training on Tampering

Your organization must protect the integrity of devices that physically interact with cardholder data. PCI Requirement 9.9.3 requires that your organization provide training for personnel to be aware of attempted tampering or replacement of devices. This training needs to include:

  • Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. Criminals often pose as authorized maintenance personnel to gain access to your POS devices.
  • Do not install, replace, or return devices without verification. It’s common for criminals to ship a “new” POS system/device with instructions to install it and return the legitimate one, hoping you will follow those instructions and put their fraudulent device into service.
  • Be aware of suspicious behavior around devices, for example, attempts by unknown persons to unplug or open devices.
  • Report suspicious behavior and indications of device tampering or substitution to appropriate personnel, like a manager or security officer.

To verify compliance with PCI Requirement 9.9.3, your assessor will review the training material you give personnel and interview personnel about the training they’ve received. They want to see that the training you have established is actually helping to implement PCI Requirement 9.9 as a whole.

Wherever your organization has a device that physically interacts with cardholder data, you are required to train the staff who work with it so that the integrity of those devices is protected. From an assessment perspective, we’re going to confirm that you’ve provided training and review the training material itself. We’re going to interview the staff and ask them what training they’ve received, making sure that they understand they should not be swapping out these devices without some type of management authorization. If something shows up in the mail and says, “This is your new POS device, please install it, then send us back the old one,” your employee should know this shouldn’t be happening and should report it. In short, we’re looking at the policies, procedures, and training that you’ve provided your staff and verifying that your staff is actually carrying out the activities you’ve defined within those policies and procedures.