PCI Requirement 9

Restrict physical access to cardholder data

Complying with PCI Requirement 9 is critical to the physical security of your organization’s sensitive cardholder data. What would the consequences be if your organization had no physical access controls? No locks on the doors, no badge or identification system, no security guards, no receptionist? Without physical access controls, you give unauthorized persons a plethora of ways to potentially gain access to your facility and to steal, disable, disrupt, or destroy your critical systems and cardholder data.

Our PCI Requirement 9 videos will discuss the systems and processes that must be in place to physically protect cardholder data. Click on a video below to get started with PCI Requirement 9.

PCI Requirement 9 – Restrict Physical Access to Cardholder Data

What would happen if your organization had no physical access controls protecting cardholder data? Made no effort to restrict physical access to cardholder data? No locks on the doors, no badge or identification system, no security guards, no receptionist?
January 31, 2018/by Jeff Wilder
PCI Requirement 9.1 – Use Appropriate Facility Entry Controls to Limit and Monitor Physical Access to CDE

Applying the appropriate physical security and facility entry controls is vital to complying with PCI Requirement 9.1, which states, “Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.”
January 31, 2018/by Jeff Wilder

PCI Requirement 9.1.1 – Use Either Video Cameras or Access Control Mechanisms to Monitor Individual Physical Access to Sensitive Areas

In areas that are considered sensitive, your organization must implement a method for identifying and monitoring who has come into your facility. PCI Requirement 9.1.1 states, “Use either video cameras or access control mechanisms (or both) to monitor individual physical access to sensitive areas.”
January 31, 2018/by Jeff Wilder
PCI Requirement 9.1.2 – Implement Physical and/or Logical Controls to Restrict Access to Publicly Accessible Network Jacks

To ensure that visitors cannot exploit network jacks, PCI Requirement 9.1.2 requires that organizations implement physical controls and/or implement logical controls that restrict access to publicly accessible network jacks.
January 31, 2018/by Jeff Wilder
PCI Requirement 9.1.3 – Restrict Physical Access to Wireless Access Points, Gateways, Handheld Devices, Networking/Communications Hardware, and Telecommunication Lines

Wireless components and devices introduce more risk to your cardholder data environment. This is why PCI Requirement 9.1.3 focuses on maintaining the physical security of wireless devices.
January 31, 2018/by Jeff Wilder
PCI Requirement 9.2 – Develop Procedures to Easily Distinguish Between Onsite Personnel and Visitors

As part of your organization’s physical security measures, PCI Requirement 9.2 requires that your organization develop and maintain identification procedures to easily distinguish between onsite personnel and visitors.
January 31, 2018/by Jeff Wilder
PCI Requirement 9.3 – Control Physical Access for Onsite Personnel to Sensitive Areas

Physical access requirements don’t only apply to visitors; they also apply to your onsite personnel. PCI Requirement 9.3 focuses on controlling physical access to sensitive areas for onsite personnel.
January 31, 2018/by Jeff Wilder
PCI Requirement 9.4 – Implement Procedures to Identify and Authorize Visitors

What would the consequences be if an unidentified, unauthorized visitor entered your facility? What people, facilities, or technology would they have physical access to? How would you confront them? PCI Requirement 9.4 hopes to prevent a situation like this from occurring at your organization.
January 31, 2018/by Jeff Wilder
PCI Requirement 9.4.1 – Visitors are Authorized Before Entering, and Escorted at all Times

Controls surrounding visitor access are vital to the physical security of your organization. These controls reduce the potential for unauthorized individuals to gain access to cardholder data.
January 31, 2018/by Jeff Wilder
PCI Requirement 9.4.2 – Visitors are Identified and Given a Badge or Other Identification that Expires

Controls surrounding visitor access are vital to the physical security of your organization. When a visitor enters your facility, they need to be easily distinguished from onsite personnel.
January 31, 2018/by Jeff Wilder
PCI Requirement 9.4.3 – Visitors are Asked to Surrender the Badge or Identification Before Leaving the Facility or at the Date of Expiration

To comply with PCI Requirement 9.4, there’s an important step outlined in PCI Requirement 9.4.3 related to identification mechanisms. It states, “Visitors are asked to surrender the badge or identification before leaving the facility or at the date of expiration.”
January 31, 2018/by Jeff Wilder
PCI Requirement 9.4.4 – A Visitor Log is Used to Maintain a Physical Audit Trail of Visitor Activity to the Facility, Computer Rooms, and Rooms Where CHD is Stored

In order to record which visitors have entered your sensitive areas, PCI Requirement 9.4.4 requires, “A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted.”
January 31, 2018/by Jeff Wilder
PCI Requirement 9.5 – Physically Secure all Media

At your organization, are receipts ever left on someone's desk? Are reports left in the printer and forgotten about? Are computers constantly logged in? If your organization has paper or electronic media containing cardholder data, you must protect and physically secure all media.
January 31, 2018/by Jeff Wilder
PCI Requirement 9.5.1 – Store Media Backups in a Secure Location and Review the Location’s Security Annually

Part of physically securing media that houses cardholder data is storing media backups in a secure location. If not, media backups that contain cardholder data can easily be lost, stolen, or copied for malicious intent.
January 31, 2018/by Jeff Wilder
PCI Requirement 9.6 – Maintain Strict Control Over the Internal or External Distribution of Any Kind of Media

If your organization does not have policies and procedures in place to control the distribution of media, cardholder data could be lost, stolen, or used for fraudulent or malicious behavior.
January 31, 2018/by Jeff Wilder
PCI Requirement 9.6.1 – Classify Media so the Sensitivity of the Data Can Be Determined

Your organization needs to have policies and procedures in place for classifying media. PCI Requirement 9.6.1 states, “Classify media so that sensitivity of the data can be determined.”
January 31, 2018/by Jeff Wilder
PCI Requirement 9.6.2 – Send the Media by Secured Courier

If your organization transfers media to an off-site location, PCI Requirement 9.6.2 requires that you send the media by a secured courier and through a delivery method that can be accurately tracked.
January 31, 2018/by Jeff Wilder
PCI Requirement 9.6.3 – Ensure Management Approves All Media Moved from a Secured Area

Like many other PCI DSS requirements, PCI Requirement 9.6.3 involves a management approval. When it comes to the distribution of media, management needs to be aware of what media is being sent, where it’s going, and what’s protecting it.
January 31, 2018/by Jeff Wilder
PCI Requirement 9.7 – Maintain Strict Control Over the Storage and Accessibility of Media

What if your organization lost cardholder data, but didn’t even know it? Without inventory methods for media and data storage requirements, stolen or missing media could go unnoticed for a long time or maybe not noticed at all.
January 31, 2018/by Jeff Wilder
PCI Requirement 9.7.1 – Properly Maintain Inventory Logs of All Media

As a part of maintaining strict control over the storage and accessibility of media, PCI Requirement 9.7.1 states, “Properly maintain inventory logs of all media and conduct media inventories at least annually.”
January 31, 2018/by Jeff Wilder
PCI Requirement 9.8 – Destroy Media When it is no Longer Needed

PCI Requirement 9.8 aligns with the methodology of many other PCI requirements: If you don’t need it, get rid of it. Remember PCI Requirement 3.1? It requires that organizations keep cardholder data storage to a minimum by implementing data retention and data disposal policies and procedures.
January 31, 2018/by Jeff Wilder
PCI Requirement 9.8.1 – Shred, Incinerate, or Pulp Hard-Copy Materials so CHD Cannot be Reconstructed

PCI Requirement 9.8.1 requires you to take two steps to securely dispose of sensitive documents: shred, incinerate, or pulp hard-copy materials so that cardholder data cannot be reconstructed, and use secure storage containers for materials that are to be destroyed.
January 31, 2018/by Jeff Wilder
PCI Requirement 9.8.2 – Render CHD on Electronic Media Unrecoverable

As part of your data disposal policies, PCI Requirement 9.8.2 requires, “Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.”
January 31, 2018/by Jeff Wilder
PCI Requirement 9.9 – Protect Devices That Capture Payment Card Data via Direct Physical Interaction with the Card from Tampering and Substitution

Does your organization utilize card-reading devices? If so, you run the risk of criminals tampering with or manipulating your devices. PCI Requirement 9.9 tries to prevent this type of attack by requiring, “Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.”
January 31, 2018/by Jeff Wilder
PCI Requirement 9.9.1 – Maintain an Up-To-Date List of Devices

If your organization utilizes devices that physically interact with cardholder data (card-reading devices), PCI Requirement 9.9.1 requires that you maintain an up-to-date list of devices. This list should be updated whenever devices are added, relocated, decommissioned, etc.
January 31, 2018/by Jeff Wilder
PCI Requirement 9.9.2 – Periodically Inspect Device Surfaces to Detect Tampering or Substitution

PCI Requirement 9.9.2 is focused specifically on the physical inspection of devices that physically interact with payment card information. It states, “Periodically inspect device surfaces to detect tampering or substitution.”
January 31, 2018/by Jeff Wilder
PCI Requirement 9.9.3 – Provide Training for Personnel to Be Aware of Attempted Tampering or Replacement of Devices

Your organization must protect the integrity of devices that physically interact with cardholder data. PCI Requirement 9.9.3 requires that your organization provide training for personnel to be aware of attempted tampering or replacement of devices.
January 31, 2018/by Jeff Wilder
PCI Requirement 9.10 – Ensure Policies and Procedures for Restricting Physical Access to Cardholder Data are Documented, In Use, and Known to All Affected Parties

PCI Requirement 9 states, “Restrict physical access to cardholder data.” Complying with PCI Requirement 9 is critical to ensuring that cardholder data is physically accessed only by authorized personnel.
January 31, 2018/by Jeff Wilder