Instructions For Confirming Device And Packaging Were Not Tampered With, And For Establishing Secure, Confirmed Communications With The Solution Provider; Instructions To Confirm The Business Need For, And Identities Of, Any Third-Party Personnel Claiming To Be Support Or Repair Personnel, Prior To Granting Those Personnel Access To Poi Devices - Ingenico Desk 3500 Instruction Manual

Please be prepared to provide this information in an effort to maintain the most secure payment solution for
you and your customers.
● Record the status of the POI device as "Tampered" in the Merchant Inventory Log. Secure the log
book when finished.
For additional information about responding to compromise, refer to:
https://usa.visa.com/dam/VCOM/download/merchants/cisp-what-to-do-if-compromised.pdf
5.3 Instructions for confirming device and packaging were not tampered with, and for
establishing secure, confirmed communications with the solution provider
Confirming device and packaging were not tampered with
Upon receiving a POI device, the merchant should confirm that the device and packaging have not been
tampered with. Follow the guidance in the "Initial inspection of POI devices" portion of Section 5.1 of this
document.
Merchants receiving a POI device shipment must confirm that the certified shipping vendor matches the
pre-shipment confirmation. Authenticate the package's origins using the guidance in the "Ensuring POI
devices originate from trusted locations" portion of Section 4.2 of this document.
Establishing secure, confirmed communications with the solution provider
For the list of approved communication methods that may be used with your device, please see Section 3.1
of this document. Please follow the guidance in Section 3.1 to set-up your device, establish communications
with EPX, and begin processing. If further guidance is needed, please see the user guide provided with your
device or contact EPX using the information in Section 1.2 of this document.
5.4 Instructions to confirm the business need for, and identities of, any third-party personnel
claiming to be support or repair personnel, prior to granting those personnel access to POI
devices
Always confirm the identification of service personnel, visitors, or sales agents requesting access to a POI
device in your control. Maintain a Visitor's Log of all visitor access to devices if the need for an on-site visit is
confirmed. The log book must include:
● The visitor's name
● The visitor's contact information
● The purpose of the visit
● The serial numbers of devices they handled
● The date of their visit
● The date, start time, and end time of device access
Observe to the following to prevent any tampering or substitution of devices in your control:
● Be suspicious of any attempt by an individual to gain access to your POI device.
● Only proceed with individuals who have previously contacted the designated point of contact for the
merchant location, discussed the purpose of the visit, verified the business need for any access to
devices, and scheduled the visit.
● Request identification from the individual. This includes the individual's name and company
information, such as an employee badge, employee identification number, and photo, if available.
PIM Template for PCI P2PE v2.0
Payment Card Industry Point-to-Point Encryption Standard
© 2021 PCI Security Standards Council, LLC. All Rights Reserved. Page 39