PCI Requirement 9: Restrict Physical Access to Cardholder Data
PCI Requirement 9 evaluates all aspects of the physical security controls that protect cardholder data – facility entry controls, visitor badges, security cameras, media handling, tamper checks on card-reading devices, etc. The PCI DSS states, “Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted.”
Requirement 9.1 – Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment. An assessor verifies the existence of physical security controls for each computer room, data center, and other physical area with systems in the CDE. We need a way to monitor who goes in and out of the environment, either video cameras or some type of access control mechanism (or both); the data collected should be reviewed, correlated with other entries, and retained for at least three months unless otherwise restricted by law. Publicly accessible network jacks, as well as wireless access points, gateways, handheld devices, networking hardware and telecommunication lines, also need physical (or, for network jacks, logical) access restrictions.
Requirement 9.2 – Develop procedures to easily distinguish between onsite personnel and visitors, which includes identifying onsite personnel and visitors (for example, by assigning badges), handling changes to access requirements, and revoking or terminating onsite personnel access and expired visitor identification.
Requirement 9.3 – Control physical access for onsite personnel to sensitive areas. Access must be authorized and based on individual job function, and it must be revoked immediately upon termination; all physical access mechanisms, such as keys and access cards, must be returned or disabled when access is revoked or the person is terminated.
Requirement 9.4 – Implement procedures to identify and authorize visitors. Visitors must be authorized before entering and escorted at all times within areas where cardholder data is processed or maintained, given a badge or other identification that expires and visibly distinguishes them from onsite personnel, and asked to surrender that identification before leaving or on the day it expires. A visitor log (name, firm represented, and the onsite person who authorized access) must be retained for at least three months unless otherwise restricted by law.
Requirement 9.5 – Physically secure all media. Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility, and review that location’s security at least annually.
Requirement 9.6 – Maintain strict control over the internal or external distribution of any kind of media. This includes classifying media so the sensitivity of the data can be determined, sending media by secured courier or another delivery method that can be accurately tracked, and ensuring management approves any media that is moved from a secured area, including media distributed to individuals.
Requirement 9.7 – Maintain strict control over the storage and accessibility of media. Properly maintain inventory logs of all media and conduct media inventories at least annually.
Requirement 9.8 – Destroy media when it is no longer needed for business or legal reasons, and destroy it so that cardholder data cannot be reconstructed. Hard-copy materials must be shredded, incinerated, or pulped, with secure containers used for materials awaiting destruction; cardholder data on electronic media must be rendered unrecoverable, for example with a secure wipe program or by physically destroying the media.
Requirement 9.9 – Protect devices that capture payment card data via direct physical interaction with the card (for example, point-of-sale card readers) from tampering and substitution. Maintain an up-to-date list of these devices, including make and model, location, and serial number or other unique identifier; periodically inspect device surfaces to detect tampering (such as an added card skimmer) or substitution (such as a device whose serial number no longer matches the inventory); and train personnel to recognize attempted tampering or replacement, to verify the identity of anyone claiming to be repair or maintenance staff before granting access, and to report suspicious behavior.
Requirement 9.10 – Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.