PCI (Payment Card Industry Security Standard)_Req 9.9.3

PCI (Payment Card Industry Security Standard)

Restrict physical access to cardholder data

Req 9.9.3

9.9.3 Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following: – Verify the identity of any third-party persons claiming to be repair or maintenance personnel prior to granting them access to modify or troubleshoot devices. – Do not install replace or return devices without verification. – Be aware of suspicious behavior around devices (for example attempts by unknown persons to unplug or open devices). – Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example to a manager or security officer).

Criminals will often pose as authorized maintenance personnel in order to gain access to POS devices. All third parties requesting access to devices should always be verified before being provided access-for example by checking with management or phoning the POS maintenance company (such as the vendor or acquirer) for verification. Many criminals will try to fool personnel by dressing for the part (for example carrying toolboxes and dressed in work wear) and could also be knowledgeable about locations of devices so it’s important personnel are trained to follow procedures at all times. Another trick criminals like to use is to send a “new” POS system with instructions for swapping it with a legitimate system and “returning” the legitimate system to a specified address. The criminals may even provide return postage as they are very keen to get their hands on these devices. Personnel always verify with their manager or supplier that the device is legitimate and came from a trusted source before installing it or using it for business.


Click here to Start your FREE trial today!

Explainer video


What is a Cybersecurity Compliance Framework?

You don’t need to clutter your security and privacy programs with an ever-increasing number of tools as they become more sophisticated. The Lionfish platform offers a one-stop solution to track progress and monitor any framework, from custom-built ones to highly-specialized and in-demand top security and privacy frameworks and certifications.

With the Lionfish platform, every framework is supported with guided scoping, policies, controls, automated evidence collection, and continuous monitoring, ensuring efficient preparation for audits or attestation in minimal time.

The Lionfish platform is compatible with a wide range of security and privacy frameworks, including:

Click here to Start your FREE trial today!

Explainer video