top of page
< Back

9.9.3 PCI DSS (v3.2.1)

Compliance Standard

Compliance Version

Control ID




Requirement 9: Restrict physical access to cardholder data


Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following:
• Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
• Do not install, replace, or return devices without verification.
• Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).
• Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).

bottom of page