PCI Requirement 9.1 – Use Appropriate Facility Entry Controls to Limit and Monitor Physical Access to CDE

by Randy Bartels / January 31st, 2018

Limit and Monitor Physical Access

Applying the appropriate physical security and facility entry controls are vital to complying with PCI Requirement 9.1, which states, “Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.” Wherever your cardholder data lives, it must be protected. Complying with PCI Requirement 9.1 comes in two parts: limit and monitor. Your organization must limit physical access to cardholder data environments. Remember PCI Requirement 7? This ties in here; anyone with access to cardholder data environments must go through an authorization process. Even if an individual does have access, PCI Requirement 9.1 calls out the need for access to be monitored.

Facility entry controls and an effective authorization processes reduce the potential for unauthorized persons to gain access to your critical systems and cardholder data environments. A facility entry control could be something like a badge system, which identifies employees versus visitors. Locks on doors are also an example of facility entry controls; what implications would unlocked doors have on your business? Theft, disruption, and more.

The sub-requirements of PCI Requirement 9.1 outline controls that monitor physical access to cardholder data environments, which include:

  •  9.1.1 – Use either video cameras or access control mechanisms (or both) to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.
  • 9.1.2 – Implement physical and/or logical controls to restrict access to publicly accessible network jacks.
  • 9.1.3 – Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines.

Without physical security and facility entry controls, you give unauthorized persons a plethora of ways to potentially gain access to your facility. Start preparing today and protect your organization from unauthorized persons.

You need to maintain some type of physical access controls into the areas that you consider sensitive. What we’re looking for is that you either have keyed locks or badged access into these areas. The intent is for only those individuals who have been authorized to get into these environments should have that access. This is kind of a hook or a footnote into PCI Requirement 7 where we’re authorizing individuals. As part of your authorization process, make sure that you’re inclusive of the physical space where people reside, work, or need access.