PCI Requirement 9.1.3 – Restrict Physical Access to Wireless Access Points, Gateways, Handheld Devices, Networking/Communications Hardware, and Telecommunication Lines

by Randy Bartels / January 31st, 2018

Physical Security of Wireless Devices

Wireless components and devices introduce more risk to your cardholder data environment. This is why PCI Requirement 9.1.3 focuses on maintaining the physical security of wireless devices. PCI Requirement 9.1.3 requires, “Restrict physical access to wireless access points, gateways, handheld devices, networking hardware, communications hardware, and telecommunication lines.” Without the proper security over access to wireless components and devices, attackers can use your organization’s wireless network to access network resources, connect their own devices, or intercept network traffic.

You may be wondering how to physically secure something that is wireless. Wireless access points, gateways, networking hardware, communications hardware, and telecommunication lines need to be physically difficult to reach. This could mean mounting devices on a ceiling or high on a wall out of reach, physically blocking access to reset buttons and Ethernet ports, disabling all console interfaces, or installing tamper-detection technology. Handheld devices that go missing should be immediately reported and tracked.

For more information on securing wireless networks, check out the PCI DSS Wireless Guideline Information Supplement.

There are going to be situations where outside individuals come into your environment, such as the receptionist area or a conference room. What we’re looking for in PCI Requirement 9.1.3 is that any network jacks considered publicly accessible are appropriately protected, or that you escort your guests at all times.

What’s considered a public area? From an assessor’s perspective, we’re looking at any place within your facility where a guest is not being monitored. A public area might be a receptionist area, or a conference room if you leave someone alone there. If you have network jacks that do not terminate in your cardholder data environment, these controls would not apply to them. From a security perspective, protecting those jacks as well would be a good thing, but it’s not required.

Understand that what we’re looking for here is that any network jack that terminates in the cardholder data environment, or is otherwise in scope for PCI DSS, has appropriate controls protecting it, and/or is disabled, and/or you escort your visitors at all times.