Compliance with PCI Requirements 9 and 12

by Sarah Harvey / April 22nd, 2020

The PCI DSS was developed by payment card brands to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. The PCI DSS consists of nearly 400 individual controls and is a critical part of staying in business for any merchant, service provider, or subservice provider who is involved in handling cardholder data. A PCI audit must be conducted by a QSA. As for the PCI audit itself, the number of requirements organizations have to comply with varies. In some cases, entities must meet all 12 PCI requirements, but the scope may determine that others only need to meet PCI Requirements 9 and 12. Why is that? It has to do with the physical security of cardholder data.

Who Must Be PCI Compliant?

According to the PCI SSC, “Any merchant that wants to process, store, or transmit credit card data is required to be PCI compliant.” However, some organizations that only impact the physical security of cardholder data, like data centers or records management providers, only have to demonstrate compliance with PCI Requirements 9 and 12.

What is PCI Requirement 9?

PCI Requirement 9 states entities must restrict physical access to cardholder data. Complying with PCI Requirement 9 is critical to the physical security of your organization’s sensitive cardholder data. What would the consequences be if your organization had no physical access controls? No locks on the doors, no badge or identification system, no security guards, no receptionist? Without physical access controls, you give unauthorized persons a plethora of ways to potentially gain access to your facility and to steal, disable, disrupt, or destroy your critical systems and cardholder data.

What is PCI Requirement 12?

PCI Requirement 12 says that entities must maintain a policy that addresses information security for all personnel. Essentially, this requirement is centered around the management of your information security program, which stems from a strong information security policy that sets the tone and expectations for your employees.

Properly Scope Your PCI Audit

PCI defines scoping as the identification of people, processes, and technologies that interact with or could otherwise impact the security of cardholder data. Knowing how to scope a PCI assessment is crucial to your organization’s compliance. Defining a correct scope is the first and most important step. Scoping is so vital that assessors should not even begin the assessment until they have fully determined the scope. So, how does your organization determine if an asset is in scope? Any people, process, or technology that stores, processes, or transmits cardholder data is considered to be within your cardholder data environment and in scope for your PCI assessment. If your people, processes, or technology have the ability to impact the security of account data and sensitive authentication data, then your organization needs to have the appropriate controls applied in the appropriate places.

Determining which requirements you need to include in your PCI audit can be confusing, but at KirkpatrickPrice, our Information Security Auditors thoroughly scope the project, allowing for the tedious process to become streamlined.

When you engage in a PCI audit with us, we’ll ask questions like…

  • Will more than one business entity be involved in the audit?
  • Which of your business services are included in the audit?
  • How many business applications are used to fulfill these services?
  • How many technology platforms support the business?
  • What third-party service providers have access to your confidential information?

Who Should Comply with PCI Requirements 9 and 12?

Companies that only handle credit card information in a physical way only need to be evaluated on that level, which would be physical security (PCI Requirement 9) and information security policies (PCI Requirement 12). In situations like this, all other requirements would be outsourced.

Whether you’re expected to comply with all 12 requirements or you’re only pursuing a PCI Requirements 9 and 12 audit because you’re focused on physical security, KirkpatrickPrice is here to make the PCI audit journey easier. Let’s find some time to talk today to see how we can partner together to get your compliance goals achieved.
