Monitoring Physical Access to Sensitive Areas

In areas that are considered sensitive, your organization must implement a method for identifying and monitoring who has come into your facility. PCI Requirement 9.1.1 states, “Use either video cameras or access control mechanisms (or both) to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.” PCI Requirement 9.1.1 exists to limit and monitor physical access to sensitive areas, and also to prohibit malicious individuals from attempting to disable or bypass monitoring controls.

Sensitive areas, according to the PCI DSS, are any data centers, server rooms, or other areas that house systems that store, process, or transmit cardholder data. Sensitive areas exclude public-facing areas, like point-of-sale terminals in retail stores.

Let’s say that your organization chooses to use video cameras as a method to monitor individual physical access to sensitive areas, like your data center. An assessor will need to enter your data center and verify that cameras are pointed at all points of entry and exit and positioned out of reach, that someone monitors the data recorded, that someone regularly checks the video cameras for tampering, and that the data recorded is retained for at least three months. An assessor will also expect that anyone who enters or attempts to enter your data center without permission is confronted.

It is not sufficient to have video cameras recording activity in sensitive areas; the footage that’s recorded needs to be reviewed, then verified by correlating the information with entry logs. Complying with PCI Requirement 9.1.1 takes three steps: implementing access control mechanisms, reviewing collected data, and retaining the data. This data could be useful to an investigation of a physical breach.

In these areas that are considered sensitive, you need to maintain some means of identifying who has come into your facility. When we look at PCI Requirement 9.1.1, it says to use cameras and/or other access control mechanisms to determine who has come into the environment. We’ll walk into your data center, your call centers, or anywhere else that you’re interacting with cardholder data, and we’ll look for cameras. We’ll look around the facility to see that cameras are pointed at all points of entry and exit. If you do not have cameras, that’s alright, as long as you have badged access control. Whatever method you’re using to meet this control, whether it be video data or badged access control to determine who’s come into the facility, you need to maintain that data for at least 90 days.

It’s not enough just to record the data; you also need to have someone who’s monitoring it. It’s not necessary to have someone sitting there watching the live video feed, but the data needs to be looked at on a weekly basis. This could also mean looking at the access logs to see who came into the environment. We’re also looking to make sure that if somebody does not have permission to get into an environment but still tries to access it, someone speaks to them and finds out why.

From an assessment perspective, you need to have something in place to monitor who’s coming in and out of the facility, you need to maintain that data for 90 days, and you need to be monitoring that information.
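As an added illustration of the review-and-correlate step described above (example code, not part of the original post), the following Python script matches constructed door-camera entry events against a constructed badge reader log: an entry with no granted swipe on that door within a short window, and any denied swipe, is flagged for follow-up, and a second check confirms the retained log reaches back at least 90 days. The log formats, the door and badge identifiers, and the 15-second matching window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed badge reader log (assumed format): time, badge id, door, result.
BADGE_LOG = """\
2024-03-01T08:58:10 B1042 DC-EAST GRANTED
2024-03-01T09:15:42 B2210 DC-EAST DENIED
2024-03-01T12:03:05 B1042 DC-EAST GRANTED
2024-03-01T12:03:20 B0007 DC-EAST GRANTED
"""

# Constructed camera/door-contact log (assumed format): one ENTRY line per person seen entering.
ENTRY_LOG = """\
2024-03-01T08:58:14 DC-EAST ENTRY
2024-03-01T09:15:50 DC-EAST ENTRY
2024-03-01T12:03:08 DC-EAST ENTRY
2024-03-01T12:03:11 DC-EAST ENTRY
2024-03-01T12:03:22 DC-EAST ENTRY
"""

WINDOW = timedelta(seconds=15)  # assumed max delay between a swipe and the camera seeing the entry

def parse(text):
    """Split each log line into (datetime, field, field, ...)."""
    rows = []
    for line in text.splitlines():
        ts, *rest = line.split()
        rows.append((datetime.fromisoformat(ts), *rest))
    return rows

def correlate(badge_text, entry_text, window=WINDOW):
    """Pair each observed entry with one GRANTED swipe on the same door inside the window.
    Returns (unmatched_entries, denied_swipes): an entry with no swipe means tailgating,
    a propped door or a bypassed reader; a denied swipe is someone to go and talk to."""
    swipes = parse(badge_text)
    granted = [(t, badge, door) for t, badge, door, result in swipes if result == "GRANTED"]
    denied = [(t, badge, door) for t, badge, door, result in swipes if result == "DENIED"]
    used, unmatched = set(), []
    for t, door, _event in parse(entry_text):
        match = next((i for i, (st, _b, sdoor) in enumerate(granted)
                      if i not in used and sdoor == door and timedelta(0) <= t - st <= window), None)
        if match is None:
            unmatched.append((t, door))
        else:
            used.add(match)  # each swipe explains at most one person entering
    return unmatched, denied

def retention_ok(rows, today_iso, minimum=timedelta(days=90)):
    """9.1.1 retention: the retained log must reach back at least 90 days from today."""
    oldest = min(r[0] for r in rows)
    return datetime.fromisoformat(today_iso) - oldest >= minimum
```

On the sample data the 09:15:50 and 12:03:11 entries have no matching swipe (the first follows a denied attempt, the second is a second person on one swipe) and badge B2210's denied attempt is reported.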

Limit and Monitor Physical Access

Applying the appropriate physical security and facility entry controls is vital to complying with PCI Requirement 9.1, which states, “Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.” Wherever your cardholder data lives, it must be protected. Complying with PCI Requirement 9.1 comes in two parts: limit and monitor. Your organization must limit physical access to cardholder data environments. Remember PCI Requirement 7? This ties in here; anyone with access to cardholder data environments must go through an authorization process. Even if an individual does have access, PCI Requirement 9.1 calls out the need for that access to be monitored.

Facility entry controls and an effective authorization process reduce the potential for unauthorized persons to gain access to your critical systems and cardholder data environments. A facility entry control could be something like a badge system, which distinguishes employees from visitors. Locks on doors are also an example of facility entry controls; what implications would unlocked doors have on your business? Theft, disruption, and more.

The sub-requirements of PCI Requirement 9.1 outline controls that monitor physical access to cardholder data environments, which include:

  • 9.1.1 – Use either video cameras or access control mechanisms (or both) to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.
  • 9.1.2 – Implement physical and/or logical controls to restrict access to publicly accessible network jacks.
  • 9.1.3 – Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines.

Without physical security and facility entry controls, you give unauthorized persons a plethora of ways to potentially gain access to your facility. Start preparing today and protect your organization from unauthorized persons.

You need to maintain some type of physical access control into the areas that you consider sensitive. What we’re looking for is that you have either keyed locks or badged access into these areas. The intent is that only those individuals who have been authorized to enter these environments have that access. This ties back into PCI Requirement 7, where individuals are authorized. As part of your authorization process, make sure that you’re inclusive of the physical space where people reside, work, or need access.

Why Should I Restrict Physical Access to Cardholder Data?

What would happen if your organization had no physical access controls protecting cardholder data? Made no effort to restrict physical access to cardholder data? No locks on the doors, no badge or identification system, no security guards, no receptionist? Without physical access controls, you give unauthorized persons a plethora of ways to potentially gain access to your facility and to steal, disable, disrupt, or destroy your critical systems and cardholder data. This is why PCI Requirement 9 requires, “Restrict physical access to cardholder data.”

PCI Requirement 9 details the following sub-requirements:

  • 9.1 – Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
  • 9.1.1 – Use either video cameras or access control mechanisms (or both) to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.
  • 9.1.2 – Implement physical and/or logical controls to restrict access to publicly accessible network jacks.
  • 9.1.3 – Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines.
  • 9.2 – Develop procedures to easily distinguish between onsite personnel and visitors, which include: identifying onsite personnel and visitors, changes to access requirements, and revoking or terminating onsite personnel and expired visitor identification.
  • 9.3 – Control physical access for onsite personnel to sensitive areas as follows: access must be authorized and based on individual job function, access is revoked immediately upon termination, and all physical access mechanisms are returned or disabled.
  • 9.4 – Implement procedures to identify and authorize visitors.
  • 9.4.1 – Visitors are authorized before entering, and escorted at all times within, areas where cardholder data is processed or maintained.
  • 9.4.2 – Visitors are identified and given a badge or other identification that expires and that visibly distinguishes the visitors from onsite personnel.
  • 9.4.3 – Visitors are asked to surrender the badge or identification before leaving the facility or at the date of expiration.
  • 9.4.4 – A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted. Document the visitor’s name, the firm represented, and the onsite personnel authorizing physical access on the log. Retain this log for a minimum of three months, unless otherwise restricted by law.
  • 9.5 – Physically secure all media.
  • 9.5.1 – Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location’s security at least annually.
  • 9.6 – Maintain strict control over the internal or external distribution of any kind of media.
  • 9.6.1 – Classify media so the sensitivity of the data can be determined.
  • 9.6.2 – Send the media by secured courier or other delivery method that can be accurately tracked.
  • 9.6.3 – Ensure management approves any and all media that is moved from a secured area (including when media is distributed to individuals).
  • 9.7 – Maintain strict control over the storage and accessibility of media.
  • 9.7.1 – Properly maintain inventory logs of all media and conduct media inventories at least annually.
  • 9.8 – Destroy media when it is no longer needed for business or legal reasons.
  • 9.8.1 – Shred, incinerate, or pulp hardcopy materials so that cardholder data cannot be reconstructed. Secure storage containers used for materials that are to be destroyed.
  • 9.8.2 – Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.
  • 9.9 – Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
  • 9.9.1 – Maintain an up-to-date list of devices that includes: make/model of device, location of device, and device serial number or other method of unique identification.
  • 9.9.2 – Periodically inspect device surfaces to detect tampering or substitution.
  • 9.9.3 – Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include: how to verify the identity of any third-party persons claiming to be repair or maintenance personnel (prior to granting them access to modify or troubleshoot devices), do not install, replace, or return devices without verification, how to be aware of suspicious behavior around devices, and how to report suspicious behavior and indications of device tampering or substitution to appropriate personnel.
  • 9.10 – Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.

PCI Requirement 9 Key Terms

As you learn more about PCI Requirement 9, you’ll hear a few key terms over and over again. For the purposes of this requirement, PCI Requirement 9 key terms are defined as:

  • Onsite Personnel: Full-time and part-time employees, temporary employees, contractors, and consultants who are physically present on an entity’s premises.
  • Visitor: Vendors, third parties, guests of any onsite personnel, service workers, or anyone who needs to enter the facility for a short duration, usually not more than one day.
  • Media: All paper and electronic media containing cardholder data.

PCI Requirement 9 is about controlling physical access to your environment and maintaining its physical security. This would include data centers, call centers, and other sensitive areas. One caveat is that the area behind the cash register, and other customer-facing environments, are not considered sensitive areas. Wherever your cardholder data is stored, processed, or transmitted is where we look to see that the controls of PCI Requirement 9 are managed.