What should be included in personnel training about tampering and substitution?

Study for the PCI Data Security Standard Exam.

Multiple Choice

Explanation:
Preventing tampering and substitution hinges on training that teaches staff to verify who is claiming access and to handle devices securely. This means instructing everyone to verify the identity of any third-party individuals claiming to be repair or maintenance personnel before granting access, and to avoid installing, replacing, or returning devices without proper verification. It also emphasizes staying alert to suspicious behavior and knowing how to report it promptly. This combination reduces the risk that an attacker could impersonate a technician or secretly substitute equipment, which could compromise cardholder data.

Focusing only on password security overlooks the physical and procedural safeguards needed to protect devices and facilities. Making training optional or delaying it until after an incident leaves you unprepared and reactive rather than preventing tampering in the first place.
