All personnel connected in any way with cardholder data must be trained to protect devices which capture payment card data through physical interaction (i.e. swipe, dip, or wave) with a payment card. Personnel must be trained to be aware of attempted tampering or replacemtn of devices, and terminals must periodically be inspected to look for tampering and substitution.
Two external resources that we've found to be helpful are:
- Skimming Prevention: Best Practices for Merchants - PCI Security Standards Council
- Protect Your Merchant Terminals from Illegal Tampering -Visa
Either of these could be used for training within departments. Since only the individual merchants know which individuals are involved in card processing, the monitoring of this training is the department's responsibility.