PCI Requirement 9.3 – Control Physical Access for Onsite Personnel to Sensitive Areas

by Randy Bartels / January 31st, 2018

Physical Access Requirements for Onsite Personnel

Physical access requirements don’t only apply to visitors; they also apply to your onsite personnel. PCI Requirement 9.3 focuses on controlling physical access to sensitive areas for onsite personnel. Your organization should identify the specific sensitive areas where cardholder data is stored, processed, or transmitted, and the specific onsite personnel who have been granted physical access to those areas.

Physical access to sensitive areas must be authorized by management and based on job function. This relates back to PCI Requirement 7: if physical access is necessary for someone to perform their job, that access is acceptable; if the person can perform their job without physical access, deny it. The more people who have access to sensitive areas and cardholder data, the more risk there is. Limiting access to those with a legitimate business need helps your organization prevent mismanagement of cardholder data.

If an individual leaves your organization or is terminated, their physical access must be revoked as soon as possible and all physical access mechanisms (like their keys, employee identification, etc.) must be returned and/or disabled. Complying with this aspect of PCI Requirement 9.3 ensures that terminated personnel do not have the opportunity to gain physical access to sensitive areas once their employment has ended.

Within your organization, it’s likely that you have defined very specific sensitive areas. Wherever you have these sensitive areas – which might contain financial information, client customer information, or cardholder information that you are storing, processing, or transmitting – you need to control who has access into the area. This isn’t just about a guest; it is also about your normal employees.

From an assessor’s perspective, one of the things we look for, which marries back to PCI Requirement 7, is who has been authorized to have access into this environment. If Johnny, Bobby, Susie, Tommy, Larry, etc. need access in there to do their job, that’s fine. However, if there are individuals within your organization who truly do not need access into this environment, their access should be restricted.
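The review an assessor performs here has two halves: a management-approved list of who should have access to each sensitive area (Requirement 7), and the list of who actually holds an active badge or key (Requirement 9.3). The script below, an added example that is not part of the original post, reconciles the two. The roster and badge-grant formats, the role-to-area authorization mapping, and the employee records are all constructed for illustration and do not reflect any particular HR or access-control product.

```python
"""
Reconcile active badge grants for sensitive areas against the HR roster.

Flags three conditions an assessor would ask about under PCI 9.3:
  - an active grant for someone who is not on the roster at all
  - an active grant for someone whose employment has been terminated
  - an active grant for someone whose job function does not justify it
All data below is constructed sample input (assumption, not real records).
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Assumed management-approved mapping: which job functions need each area.
AUTHORIZED_ROLES: Dict[str, Set[str]] = {
    "data-center": {"datacenter-ops", "network-eng"},
    "card-vault": {"card-ops"},
}


@dataclass
class Employee:
    user_id: str
    role: str
    status: str                      # "active" or "terminated"
    term_date: Optional[date] = None  # set when status is "terminated"


@dataclass
class BadgeGrant:
    user_id: str
    area: str
    active: bool


# Constructed HR roster (names borrowed from the post's example).
ROSTER: List[Employee] = [
    Employee("johnny", "datacenter-ops", "active"),
    Employee("bobby", "card-ops", "active"),
    Employee("susie", "marketing", "active"),
    Employee("tommy", "network-eng", "terminated", date(2018, 1, 15)),
]

# Constructed export from the badge system.
BADGES: List[BadgeGrant] = [
    BadgeGrant("johnny", "data-center", True),
    BadgeGrant("bobby", "card-vault", True),
    BadgeGrant("susie", "card-vault", True),    # no business need for the vault
    BadgeGrant("tommy", "data-center", True),   # terminated, badge never disabled
    BadgeGrant("larry", "data-center", True),   # no roster record at all
    BadgeGrant("tommy", "card-vault", False),   # already disabled, ignored
]


def authorized_personnel(roster: List[Employee], area: str) -> Set[str]:
    """Who *should* hold access to an area: active staff whose role is approved."""
    roles = AUTHORIZED_ROLES.get(area, set())
    return {e.user_id for e in roster if e.status == "active" and e.role in roles}


def reconcile(roster: List[Employee], badges: List[BadgeGrant],
              as_of: date) -> List[Tuple[str, str, str]]:
    """Return (user_id, area, reason) for every active grant that should be revoked."""
    by_id = {e.user_id: e for e in roster}
    findings: List[Tuple[str, str, str]] = []
    for g in badges:
        if not g.active:
            continue
        emp = by_id.get(g.user_id)
        if emp is None:
            findings.append((g.user_id, g.area, "not-on-roster"))
        elif emp.status == "terminated":
            # Days the badge stayed live after termination; 9.3 wants this near zero.
            days = (as_of - emp.term_date).days if emp.term_date else -1
            findings.append((g.user_id, g.area, f"terminated-{days}d-ago"))
        elif emp.role not in AUTHORIZED_ROLES.get(g.area, set()):
            findings.append((g.user_id, g.area, "no-business-need"))
    return findings


if __name__ == "__main__":
    for area in AUTHORIZED_ROLES:
        print(f"{area}: authorized = {sorted(authorized_personnel(ROSTER, area))}")
    for user, area, reason in reconcile(ROSTER, BADGES, date(2018, 1, 31)):
        print(f"REVOKE {user:8} {area:12} {reason}")
```

Running it against a real badge export turns the assessor's question into a recurring control: the `authorized_personnel` output is the evidence for "who is approved", and every `reconcile` finding is a grant that should be disabled and its key or badge collected.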