Monitoring Physical Access to Sensitive Areas
In areas that are considered sensitive, your organization must implement a method for identifying and monitoring who has come into your facility. PCI Requirement 9.1.1 states, “Use either video cameras or access control mechanisms (or both) to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.” PCI Requirement 9.1.1 exists to limit and monitor physical access to sensitive areas, and also to prohibit malicious individuals from attempting to disable or bypass monitoring controls.
Sensitive areas, according to the PCI DSS, are any data centers, server rooms, or other areas that house systems that store, process, or transmit cardholder data. Sensitive areas exclude public-facing areas, like point-of-sale terminals in retail stores.
Let’s say that your organization chooses to use video cameras as a method to monitor individual physical access to sensitives areas, like your data center. An assessor will need to enter your data center and verify that cameras are pointed at all points of entry and exit and positioned out of reach, someone monitors the data recorded, someone regularly checks the video cameras for tampering, and the data recorded is retained for at least three months. If an assessor sees that someone enters or attempts to enter your data center without permission, they are confronted.
It is not sufficient to have video cameras recording activity in sensitive areas; the footage that’s recorded needs to be reviewed, then verified by correlating the information with entry logs. Complying with PCI Requirement 9.1.1 takes three steps: implementing access control mechanisms, reviewing collected data, and retaining the data. This data could be useful to an investigation of a physical breach.
In these areas that are considered sensitive, you need to maintain some means or methods for identifying who has come into your facility. When we look at PCI Requirement 9.1.1, it says to use cameras and/or other access control mechanisms to determine who has come into the environment. We’ll walk into your data center, we’ll walk into your call centers or anywhere that you’re interacting with cardholder data, and we’ll look for cameras. We’ll look around the facility to see that cameras are pointed at all points of entry and exit. If you do not have cameras, that’s alright, as long as you have badged access control. Whatever method you’re using to meet this control, whether it be video data or badged access control to determine who’s come into the facility, you need to maintain that data for at least 90 days.
It’s not just enough that you record the data, you also need to have someone who’s monitoring that. It’s not necessary to have someone sitting there watching the live video feed, but the data needs to be looked at on a weekly basis. This could also be looking at the access logs to see who came into the environment. We’re also looking to make sure that if somebody does not have permissions to get into an environment, but they still try to access that environment, someone speaks to them and finds out why.
From an assessment perspective, you need to have something in place to monitor who’s coming in and out of the facility, you need to maintain that data for 90 days, and you need to be monitoring that information.