PCI Requirement 9.10 – Ensure Policies and Procedures for Restricting Physical Access to Cardholder Data are Documented, In Use, and Known to All Affected Parties

by Randy Bartels / January 31st, 2018

Implementing PCI Requirement 9.10

PCI Requirement 9 states, “Restrict physical access to cardholder data.” Complying with PCI Requirement 9 is critical to ensuring that cardholder data is physically accessed only by authorized personnel. For this requirement, we’ve discussed aspects of physical security such as facility entry controls, visitor identification and access controls, how to physically secure media, controlling the distribution of media, how to destroy media, and more. But, as we’ve learned, it’s not enough just to learn and talk about these things. All policies, procedures, and standards must be implemented in order to comply with PCI Requirement 9.10.

PCI Requirement 9.10 states, “Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.” This is not only saying that your organization needs to maintain documented security policies and operational procedures; the policies and operational procedures also need to be known to, and in use by, all relevant parties. It is not sufficient to generate documentation just for the sake of the audit; it is a requirement of this framework that the affected parties actually use the policies and procedures. Your assessor should read these documents, be familiar with the policies and procedures, and interview staff to make sure that anybody who is subject to the policies and operational procedures understands what they are. If PCI Requirement 9.10 is not met, your cardholder data could be left vulnerable.

PCI Requirement 9.10 requires that you, as an organization, maintain policies and procedures around physical security. There are numerous policies and procedures that you should have that define the need for protecting the data center and protecting the physical devices that interact with cardholder data. Your assessor should ask you for these policies and procedures, interview your staff to make sure that what you have documented in your policies is actually in use, and confirm that everything necessary for PCI Requirement 9 is documented.