The Physical Security of Media

At your organization, are receipts ever left on someone’s desk? Are reports left in the printer and forgotten about? Are computers constantly logged in? If your organization has paper or electronic media containing cardholder data, you must protect and physically secure all media. PCI Requirement 9.5 is intended to prevent unauthorized individuals from accessing cardholder data through media.

PCI Requirement 9.5 states, “Physically secure all media.” In relation to PCI Requirement 9, media is all paper and electronic media containing cardholder data. This media could be paper receipts, faxes, removable electronic media, paper reports, and more. The PCI DSS explains, “Cardholder data is susceptible to unauthorized viewing, copying, or scanning if it is unprotected while it is on removable or portable media, printed out, or left on someone’s desk.” Complying with PCI Requirement 9.5 helps maintain the physical security and integrity of cardholder data.

PCI Requirements 9.5 and 9.5.1 require that you physically secure all media that may contain cardholder data. These requirements apply not only to backup tapes but also to any print media you might have. If you have printed receipts or the ticker tapes that contain the batch-out or end-of-day batch processing, or if someone has physically written cardholder data down on a piece of paper and you are storing it with an invoice somewhere, this requirement applies.

PCI Requirements 9.5 and 9.5.1 require that you have a process for maintaining the security and integrity, from a physical security perspective, of all of this data that you might be retaining.

Maintain a Visitor Log

In order to record which visitors have entered your sensitive areas, PCI Requirement 9.4.4 requires, “A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted.” This visitor log must document three elements:

  • The visitor’s name
  • The firm represented
  • The onsite personnel who authorized physical access, recorded on the log

This log of visitor activity to the facility must be retained for a minimum of three months, and the data should be reviewed and correlated with other identification mechanisms, like video camera footage, badge swipes, etc. This visitor log is an easy, inexpensive way to document a minimal amount of information on visitors and will assist in identifying physical access to a building or room, and potential access to cardholder data.

If your organization has a visitor log but does not maintain, capture, or verify the information recorded, this is an issue. This does not comply with PCI Requirement 9.4.4. The visitor log must be appropriately filled out. An assessor will want to verify that the visitor log is in use, contains the correct information, and is part of a vetting process to gain physical access to sensitive areas.

PCI Requirement 9.4.4 requires that you maintain a physical log of when individuals have entered your facility or your sensitive areas. This requirement is not open to much interpretation: you must keep this log for at least 90 days (three months) and review the data.

As an assessor, I would often flip through the history in these logs, and it became pretty evident to me that a lot of times, while an organization might have a log and a person would sign in, the information was not actually being captured. They had fields for the firm the visitor represented and for the person authorizing the access, but there was no vetting process for making sure the log was appropriately filled out. Your assessor should be asking to see those logs and see where individuals have come into your facility.
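The review the requirement calls for can be partly automated when the visitor log and the badge-reader data are exported electronically. The following is an added example and not part of the original article: it runs three of the checks described above over a constructed visitor-log export and a constructed badge-swipe export (both invented here, with hypothetical column names), flagging entries missing the three required 9.4.4 elements, visitors whose badge was never returned (9.4.3), and visitor badges that were read at a door after the logged departure, which is the kind of correlation with badge swipes the text recommends.

```python
"""Audit a visitor log against PCI DSS 9.4.3 / 9.4.4 expectations.

All data below is constructed for illustration; the column names are
assumptions, not a format any particular badge system produces.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed visitor-log export: one row per visit.
VISITOR_LOG = """\
date,visitor,firm,authorized_by,badge_id,sign_in,sign_out,badge_returned
2019-03-04,Jane Doe,Example QSA LLC,R. Smith,V-1001,08:55,17:10,yes
2019-03-04,John Roe,,,V-1002,09:30,12:00,yes
2019-03-05,Ann Lee,Vendor Co,M. Jones,V-1003,13:00,,no
2019-03-05,Bob Tan,Courier Inc,R. Smith,V-1004,10:05,10:40,yes
"""

# Constructed badge-reader export: every read of a visitor badge at a door.
BADGE_SWIPES = """\
badge_id,timestamp,door
V-1001,2019-03-04 09:00,Lobby
V-1001,2019-03-04 14:20,Data Center
V-1003,2019-03-05 13:05,Lobby
V-1003,2019-03-06 07:50,Data Center
V-1004,2019-03-05 10:10,Lobby
V-1004,2019-03-05 18:30,Data Center
"""

# 9.4.4: the three elements every log entry must capture.
REQUIRED_FIELDS = ("visitor", "firm", "authorized_by")


def parse_csv(text):
    """Parse an export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def missing_fields(entries):
    """Entries where name, firm or authorizing personnel was left blank."""
    findings = []
    for e in entries:
        absent = [f for f in REQUIRED_FIELDS if not e[f].strip()]
        if absent:
            findings.append((e["badge_id"], absent))
    return findings


def unreturned_badges(entries):
    """9.4.3: a missing sign-out or an unreturned badge is a finding."""
    return [e["badge_id"] for e in entries
            if e["badge_returned"].strip().lower() != "yes" or not e["sign_out"].strip()]


def swipes_after_departure(entries, swipes):
    """Correlate the paper log with the badge reader.

    Any read of a visitor badge after the logged sign-out time, or of a badge
    with no log entry at all, indicates a badge that left with the visitor or
    was never logged. A visit with no sign-out is given until the end of its
    sign-in day, so that any later-day use still surfaces.
    """
    last_legit_use = {}
    for e in entries:
        if e["sign_out"].strip():
            last_legit_use[e["badge_id"]] = datetime.strptime(
                f'{e["date"]} {e["sign_out"]}', "%Y-%m-%d %H:%M")
        else:
            last_legit_use[e["badge_id"]] = (
                datetime.strptime(e["date"], "%Y-%m-%d") + timedelta(days=1))
    findings = []
    for s in swipes:
        ts = datetime.strptime(s["timestamp"], "%Y-%m-%d %H:%M")
        limit = last_legit_use.get(s["badge_id"])
        if limit is None or ts > limit:
            findings.append((s["badge_id"], s["timestamp"], s["door"]))
    return findings


def audit(log_text, swipe_text):
    """Run all three checks and return the findings grouped by check."""
    entries = parse_csv(log_text)
    swipes = parse_csv(swipe_text)
    return {
        "missing_fields": missing_fields(entries),
        "unreturned_badges": unreturned_badges(entries),
        "swipes_after_departure": swipes_after_departure(entries, swipes),
    }


if __name__ == "__main__":
    for check, findings in audit(VISITOR_LOG, BADGE_SWIPES).items():
        print(check)
        for f in findings:
            print("  ", f)
```

On the constructed data this reports the entry for badge V-1002 (no firm and no authorizer recorded), badge V-1003 as never returned, and two door reads after the logged departure: V-1003 entering the data center the morning after a visit with no sign-out, and V-1004 entering the data center hours after signing out. Each is exactly the kind of gap an assessor finds when flipping through the paper log, and the badge-reader correlation catches the cases the paper log alone cannot show.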

Visitors Must Surrender Their Badge Upon Their Departure

To comply with PCI Requirement 9.4, there is an important step outlined in PCI Requirement 9.4.3, related to identification mechanisms. It states, “Visitors are asked to surrender the badge or identification before leaving the facility or at the date of expiration.” Even though a visitor badge has an expiration date and/or time on it, you must ensure that you ask visitors to surrender their badge upon their departure. This could be the job of the person who has escorted the visitor, a receptionist, or a security guard; just make sure it is someone’s responsibility.

One purpose of PCI Requirement 9.4.3 is to prevent a visitor badge from being used maliciously. The PCI DSS explains, “Ensuring that visitor badges are returned upon expiry or completion of the visit prevents malicious persons from using a previously authorized pass to gain physical access into the building after the visit has ended.”

How you treat your assessor can represent your commitment to complying with PCI Requirement 9.4.3. Your assessor probably will not volunteer their visitor badge at the end of the assessment; they will wait to see if you ask them to surrender their badge upon their departure.

When a visitor leaves your facility, you’ll want to make sure that they are asked to surrender their visitor badge upon their departure. One of the things that I used to do as an assessor (mind you, I’ve been doing this for about 10 years) is that I would never volunteer my badge at the end of an assessment. I would never hide it from them, but I would never voluntarily give it up. I would always wait for them to ask me for it. At my house, I had this thing called “The Wall of Shame,” and it was all of the badges that no one had ever asked me to return. I kept them as trophies for this particular requirement. So, when you have a guest that’s leaving your facility, please make sure that the last person who interacts with them asks for that badge. This could be the receptionist, or it could be the person who has escorted them around the facility.

Identification Mechanisms

Controls surrounding visitor access are vital to the physical security of your organization. When a visitor enters your facility, they need to be easily distinguished from onsite personnel. Throughout PCI Requirement 9, we’ve discussed visitor identification mechanisms such as a badge system; this comes into play in PCI Requirement 9.4.2 as well.

PCI Requirement 9.4.2 states, “Visitors are identified and given a badge or other identification that expires and that visibly distinguishes the visitors from onsite personnel.” When a visitor enters your facility, they must be issued a visitor badge that has an expiration date and/or time and can be easily distinguished from an employee badge, like one that’s a brighter color or is much larger than an employee badge, making it easy to determine a visitor from far away. Ensuring that visitor badges have an expiration date and/or time prevents malicious individuals from using a previously authorized badge to gain physical access into your facility after the visit has ended.

How you treat your assessor also represents your compliance: did you issue them an identification mechanism? Did someone mistake them for an employee? Did the badge they were issued have an expiration date and/or time? Did they return the badge at the end of their visit? If you do not follow your own procedures while an assessor is present, this could show a lack of physical security.

From time to time, visitors are going to be coming into your environment, your assessors among them. Visitors need to be authorized to be in your environment, and when they are authorized, that’s great, but they also need to be given a badge or something else that identifies them as a visitor. Whatever that token is, it needs to be easily distinguished from an employee’s, and it needs to have an expiration date or time. One of the things that we recommend is giving visitors a big, printed badge that’s a different color than employees’ badges so that it’s easily distinguished.

Authorize and Escort Visitors at All Times

Controls surrounding visitor access are vital to the physical security of your organization. These controls reduce the potential for unauthorized individuals to gain access to cardholder data. If a visitor enters your organization’s sensitive areas that house cardholder data, PCI Requirement 9.4.1 requires that visitors are authorized before entering the area and escorted at all times within the area.

To verify compliance with PCI Requirement 9.4.1, assessors will look at artifacts that document the authorization process, like a sign-in sheet, email, or form. Whatever your identification and authorization mechanisms are, they also need to be observed to verify that an unauthorized individual cannot be granted physical access to sensitive areas. How you treat your assessor also represents your compliance; were you escorting your assessor the entire time? Did you leave them alone in sensitive areas? If you do not follow your own procedures while an assessor is present, this could show a lack of physical security.

From time to time, visitors will enter your facilities and they may need access to your sensitive areas. They need to be authorized to have that access and they need to be escorted at all times. From an assessment perspective, we’ll be looking for the artifacts that you retain about authorizing individuals into these sensitive areas, whether this is your sign-in sheet, management authorization in an email, or whatever that might be. As part of the escorting clause in this requirement, we’re also looking to see how you escort people within the facility. How do you treat us? If you leave an assessor to their own devices, like putting us in a conference room or bringing us into a sensitive area and leaving us alone, you might have challenges in meeting this requirement.

If you have any questions about this, have a conversation with your assessor and I’m sure they’ll be happy to clarify this for you.