Conduct tampering prevention training.


CONTROL ID: 11875
CONTROL TYPE: Training
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain training plans., CC ID: 00828

This Control has the following implementation support Control(s):
  • Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training., CC ID: 11877
  • Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training., CC ID: 11876
  • Include how to report tampering and unauthorized substitution in the tampering prevention training., CC ID: 11879
  • Include how to prevent physical tampering in the tampering prevention training., CC ID: 11878
  • Include procedures on how to inspect devices in the tampering prevention training., CC ID: 11990


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following: - Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. - Do n… (9.9.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following: - Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. - Do n… (9.9.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following: - Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. - Do n… (9.9.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Have personnel at point-of-sale locations received training, and are they aware of procedures to detect and report attempted tampering or replacement of devices? (9.9.3 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B and Attestation of Compliance, Revision 1.1)
  • Have personnel at point-of-sale locations received training, and are they aware of procedures to detect and report attempted tampering or replacement of devices? (9.9.3(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B and Attestation of Compliance, Version 3.2)
  • Do policies and procedures require that personnel are trained to be aware of suspicious behavior and to report tampering or substitution of devices? (9.9(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B and Attestation of Compliance, Version 3.2)
  • Are personnel trained to be aware of attempted tampering or replacement of devices, to include the following? (9.9.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Have personnel at point-of-sale locations received training, and are they aware of procedures to detect and report attempted tampering or replacement of devices? (9.9.3 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Do policies and procedures require that personnel are trained to be aware of suspicious behavior and to report tampering or substitution of devices? (9.9 (c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Do policies and procedures require that personnel are trained to be aware of suspicious behavior and to report tampering or substitution of devices? (9.9(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.2)
  • Have personnel at point-of-sale locations received training, and are they aware of procedures to detect and report attempted tampering or replacement of devices? (9.9.3(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.2)
  • Are personnel aware of procedures for inspecting devices? (9.9.2(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.2)
  • Are personnel trained to be aware of attempted tampering or replacement of devices, to include the following? (9.9.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Have personnel at point-of-sale locations received training, and are they aware of procedures to detect and report attempted tampering or replacement of devices? (9.9.3 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Have personnel at point-of-sale locations received training, and are they aware of procedures to detect and report attempted tampering or replacement of devices? (9.9.3(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Are personnel aware of procedures for inspecting devices? (9.9.2(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Do policies and procedures require that personnel are trained to be aware of suspicious behavior and to report tampering or substitution of devices? (9.9(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Have personnel at point-of-sale locations received training, and are they aware of procedures to detect and report attempted tampering or replacement of devices? (9.9.3(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Do policies and procedures require that personnel are trained to be aware of suspicious behavior and to report tampering or substitution of devices? (9.9(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are personnel aware of procedures for inspecting devices? (9.9.2(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are personnel trained to be aware of attempted tampering or replacement of devices, to include the following? (9.9.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Do policies and procedures require that personnel are trained to be aware of suspicious behavior and to report tampering or substitution of devices? (9.9 (c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are personnel trained to be aware of attempted tampering or replacement of devices, to include the following? (9.9.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Do policies and procedures require that personnel are trained to be aware of suspicious behavior and to report tampering or substitution of devices? (9.9(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are personnel trained to be aware of attempted tampering or replacement of devices, to include the following? (9.9.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Have personnel at point-of-sale locations received training, and are they aware of procedures to detect and report attempted tampering or replacement of devices? (9.9.3(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are personnel aware of procedures for inspecting devices? (9.9.2(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are personnel trained to be aware of attempted tampering or replacement of devices, to include the following? (9.9.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.1)
  • Do policies and procedures require that personnel are trained to be aware of suspicious behavior and to report tampering or substitution of devices? (9.9(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.2)
  • Interview a sample of personnel at point-of-sale locations to verify they have received training and are aware of the procedures for the following: - Verifying the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troublesh… (9.9.3.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Review training materials for personnel at point-of-sale locations to verify they include training in the following: - Verifying the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices - Not to install, r… (9.9.3.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Training is provided for personnel in POI environments to be aware of attempted tampering or replacement of POI devices, and includes: (9.5.1.3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Being aware of suspicious behavior around devices. (9.5.1.3 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Interview personnel in POI environments to verify they have received training and know the procedures for all elements specified in this requirement. (9.5.1.3.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Training is provided for personnel in POI environments to be aware of attempted tampering or replacement of POI devices, and includes: (9.5.1.3, Self-Assessment Questionnaire B and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Being aware of suspicious behavior around devices. (9.5.1.3 Bullet 3, Self-Assessment Questionnaire B and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Training is provided for personnel in POI environments to be aware of attempted tampering or replacement of POI devices, and includes: (9.5.1.3, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Being aware of suspicious behavior around devices. (9.5.1.3 Bullet 3, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Training is provided for personnel in POI environments to be aware of attempted tampering or replacement of POI devices, and includes: (9.5.1.3, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Being aware of suspicious behavior around devices. (9.5.1.3 Bullet 3, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Training is provided for personnel in POI environments to be aware of attempted tampering or replacement of POI devices, and includes: (9.5.1.3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Being aware of suspicious behavior around devices. (9.5.1.3 Bullet 3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Training is provided for personnel in POI environments to be aware of attempted tampering or replacement of POI devices, and includes: (9.5.1.3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Being aware of suspicious behavior around devices. (9.5.1.3 Bullet 3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Training is provided for personnel in POI environments to be aware of attempted tampering or replacement of POI devices, and includes: (9.5.1.3, Self-Assessment Questionnaire P2PE and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Being aware of suspicious behavior around devices. (9.5.1.3 Bullet 3, Self-Assessment Questionnaire P2PE and Attestation of Compliance for use with PCI DSS Version 4.0)