PCI DSS Blog Series – Requirement 9

The Payment Card Industry Data Security Standard (PCI DSS) consists of nearly 400 individual controls and is a critical part of staying in business for any merchant, service provider, or subservice provider who is involved in handling cardholder data. We find that companies considering PCI are often caught off guard by how comprehensive the PCI DSS is. So, we thought we would help!

CompliancePoint’s PCI blog series will analyze each of the 12 Requirement families. We will outline common challenges our customers face with each requirement, answer some frequently asked questions, and provide some pro tips on becoming PCI certified.

This next entry of the PCI Series is Requirement 9: Restrict physical access to cardholder data

Requirement 9: Restrict physical access to cardholder data

What does this requirement require at a high level?

Requirement 9 focuses on physical security controls used to protect assets (such as people and technologies) that are vital to the cardholder data environment (CDE) and the operations of the business.

Why is compliance with this requirement important (beyond getting certified)?

According to “The Importance of Physical Security in the Workplace,” physical threats fall into two categories: natural events (floods, earthquakes, etc.) and intentional acts (such as a disgruntled employee). Physical security controls help deter, prevent, or limit the damage these threats cause. Most importantly, physical security helps protect a business's most important asset: its people.

Common Challenges & Tips for Success:

Monitor access to the cardholder data environment (CDE)

  • Video cameras, access control mechanisms (such as proximity badge readers), or both may be used to monitor access into the CDE and sensitive areas within the CDE.
  • Cameras and/or access control mechanisms must be protected from tampering.
  • Camera footage and/or access control mechanism logs must be retained for at least three months, unless otherwise restricted by law.

Network jack restrictions and wireless components/devices

  • Publicly accessible network jacks (for example, in lobbies, conference rooms, or other visitor areas) should be restricted physically (removed, locked, or covered) or logically (switch ports disabled until needed, or network access control) so that a visitor or an unauthorized employee cannot reach the CDE simply by plugging in an Ethernet cable.
  • Physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines should be restricted to responsible personnel to prevent unauthorized access to, or tampering with, these devices.

Onsite Visitors

  • Both visitors and employees must have badges that clearly distinguish onsite personnel from visitors.
  • Visitors should sign into the visitor logbook and either surrender their badges after the visit or have a badge that expires.
  • The logbook must include key pieces of information about the visitor:
    • Visitor name
    • Company represented
    • Onsite personnel authorizing access (i.e., whom the visitor is there to see)
  • Visitor logs are to be retained for at least three months.

Methods to physically secure all media

  • Media, as per PCI, includes but is not limited to computers, removable electronic media, and hard-copy materials that contain cardholder data.
  • The security of the location where media backups are stored, whether off-site or local, should be reviewed at least annually.
  • Internal/external distribution of media:
    • Classify media based on sensitivity
    • Obtain and document management approval before media is moved out of a secured area (especially when distributed to individuals)
    • Media distributed externally must be sent by secured courier or another delivery method that can be accurately tracked.

Media Destruction

  • If you do not have a business need for storing cardholder data beyond the retention period, then destroy it.
  • Methods for destruction include:
    • Shredding, incineration, or pulping hard-copy materials
    • Securely wiping electronic media in accordance with industry-accepted standards for secure deletion (such as DoD 5220.22-M or NIST SP 800-88) so that cardholder data cannot be reconstructed, or physically destroying the media

Point of sale (POS)/Point of interaction (POI)

  • Devices that capture cardholder data should be inventoried to include
    • Make/Model
    • Location
    • Serial number or ID
  • Periodic inspection processes should be defined and implemented to ensure that devices have not been tampered with.
  • Training
    • Personnel at POS locations must be trained to verify the identity of any third party claiming to be repair or maintenance personnel before granting access to a device, to refuse to install, replace, or return a device without verification, to recognize signs of tampering or substitution, and to report suspicious behavior.
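
The inventory and periodic inspection described above are easiest to keep honest when the walk-through is reconciled against the inventory mechanically. The following script is an added example, not code from the original post or from CompliancePoint: it assumes a constructed inventory and inspection for one store, a hypothetical 30-day inspection interval, and its own field names, and it flags the findings an inspector should follow up on (serial or location mismatch, broken tamper seal, missing or unexpected devices, and devices overdue for inspection).

```python
"""Reconcile a POS/POI device inventory against a physical inspection.

Added example; it is not code from the original post or from CompliancePoint.
The inventory, the inspection findings, the 30-day inspection interval and the
field names are constructed assumptions used only for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed interval; PCI DSS leaves the inspection frequency to the entity's
# risk assessment, so adjust this to your own documented process.
INSPECTION_INTERVAL_DAYS = 30
INSPECTION_DATE = date(2024, 5, 20)  # constructed date of the walk-through


@dataclass(frozen=True)
class Device:
    """One inventoried card-capture device (the fields Requirement 9 asks for)."""
    device_id: str       # internal asset tag
    make_model: str
    location: str
    serial: str
    last_inspected: date


@dataclass(frozen=True)
class Observation:
    """What the inspector actually found when walking the floor."""
    device_id: str       # asset tag read off the device
    location: str        # where it was found
    serial: str          # serial number read off the device label
    seal_intact: bool    # tamper-evident seal present and undamaged
    inspected_on: date


# Constructed sample inventory (not real devices or serial numbers).
INVENTORY = [
    Device("POS-001", "Verifone MX915", "Lane 1", "SN-1001", date(2024, 5, 1)),
    Device("POS-002", "Verifone MX915", "Lane 2", "SN-1002", date(2024, 5, 1)),
    Device("POS-003", "Ingenico Lane/3000", "Customer service desk", "SN-1003", date(2024, 3, 1)),
    Device("POS-004", "Ingenico Lane/3000", "Lane 4", "SN-1004", date(2024, 5, 1)),
]

# Constructed walk-through of the same store on INSPECTION_DATE.
INSPECTION = [
    Observation("POS-001", "Lane 1", "SN-1001", True, INSPECTION_DATE),
    Observation("POS-002", "Lane 2", "SN-9999", True, INSPECTION_DATE),   # serial differs
    Observation("POS-004", "Lane 4", "SN-1004", False, INSPECTION_DATE),  # seal broken
    Observation("POS-777", "Lane 5", "SN-7777", True, INSPECTION_DATE),   # not in inventory
]


def reconcile(inventory, inspection):
    """Compare an inspection against the inventory.

    Returns a list of (device_id, finding) pairs covering the ways a tampering
    or substitution attack shows up: a serial or location that no longer
    matches, a broken tamper seal, and devices missing or unexpectedly present.
    """
    findings = []
    by_id = {d.device_id: d for d in inventory}
    seen = set()

    for obs in inspection:
        seen.add(obs.device_id)
        dev = by_id.get(obs.device_id)
        if dev is None:
            findings.append((obs.device_id, f"unknown device found at {obs.location}; not in inventory"))
            continue
        if obs.serial != dev.serial:
            findings.append((dev.device_id,
                             f"serial mismatch (inventory {dev.serial}, observed {obs.serial}); possible substitution"))
        if obs.location != dev.location:
            findings.append((dev.device_id,
                             f"location changed (inventory {dev.location}, observed {obs.location})"))
        if not obs.seal_intact:
            findings.append((dev.device_id, "tamper-evident seal missing or broken"))

    for dev in inventory:
        if dev.device_id not in seen:
            findings.append((dev.device_id, f"not found at {dev.location} during inspection"))
    return findings


def overdue(inventory, today, interval_days=INSPECTION_INTERVAL_DAYS):
    """Device IDs whose last recorded inspection is older than the interval."""
    cutoff = today - timedelta(days=interval_days)
    return [d.device_id for d in inventory if d.last_inspected < cutoff]


if __name__ == "__main__":
    for device_id, finding in reconcile(INVENTORY, INSPECTION):
        print(f"{device_id}: {finding}")
    print("overdue before this inspection:", overdue(INVENTORY, INSPECTION_DATE))
```

Every finding is something the inspection procedure should route to a named owner: a serial mismatch or unknown device is treated as a possible substitution until proven otherwise, and the overdue list is what an assessor will compare against your documented inspection frequency.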

Vital Documentation

  • Physical Policies and Procedures
    • Policies and procedures should address visitor management, media handling and destruction, POS/POI device inspection, and the handling of cardholder data within the CDE.


Common Questions:

Am I considered non-compliant with Requirement 9 if the video retention period for cameras within the CDE is less than 90 days?

PCI states that video cameras, access control mechanisms, or both methods may be used. If you do not have three months of camera footage available, you may provide three months of access control logs to meet the intent of the control, provided those logs cover the same sensitive areas and the access control mechanism is itself protected from tampering.

I do not store cardholder data at my facility, do I still need to undergo physical security assessments?

Yes. Although you may not store cardholder data at the onsite facility, a physical assessment is still needed to verify that cardholder data is being handled appropriately per the organization’s policies and procedures, for example, that call center agents are not writing down cardholder data during a transaction.

How can I reduce the risk of cell phones on the production floor?

You may install lockers in a centralized location for everyone to put their belongings into prior to entering the production floor. It may also be useful for managers or supervisors to perform periodic checks to ensure that policies and procedures are being followed. 

Conclusion

The goal of the PCI DSS is to ensure that cardholder data that is stored, processed, or transmitted is protected. Requirement 9 addresses physical security controls to ensure that facilities are properly protecting CDE assets such as technology and people.

CompliancePoint is a Qualified Security Assessor Company (QSAC). Our consultants have decades of experience as practitioners and auditors. Please reach out to us at connect@compliancepoint.com if you have any questions about this requirement or how CompliancePoint can assist your organization with preparing for your PCI DSS Certification.


Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.