9.9.3 Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following:

PCI DSS v3.2.1 Questions and Answers Forum Implement Strong Access Control Measures
1

9.9.3 Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following:
• Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
• Do not install, replace, or return devices without verification.
• Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).
• Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).

9.9.3.a Review training materials for personnel at point-of-sale locations to verify they include training in the following:
• Verifying the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices
• Not to install, replace, or return devices without verification
• Being aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices)
• Reporting suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).
9.9.3.b Interview a sample of personnel at point-of-sale locations to verify they have received training and are aware of the procedures for the following:
• Verifying the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices
• Not to install, replace, or return devices without verification
• Being aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices)
• Reporting suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).

Criminals will often pose as authorized maintenance personnel in order to gain access to POS devices. All third parties requesting access to devices should always be verified before being provided access—for example, by checking with management or phoning the POS maintenance company (such as the vendor or acquirer) for verification. Many criminals will try to fool personnel by dressing for the part (for example, carrying toolboxes and dressed in work wear), and could also be knowledgeable about locations of devices, so it’s important personnel are trained to follow procedures at all times.

Another trick criminals like to use is to send a “new” POS system with instructions for swapping it with a legitimate system and “returning” the legitimate system to a specified address. The criminals may even provide return postage as they are very keen to get their hands on these devices. Personnel always verify with their manager or supplier that the device is legitimate and came from a trusted source before installing it or using it for business.