PCI Requirement 9 – Restrict Physical Access to Cardholder Data

by Randy Bartels / January 31st, 2018

Why Should I Restrict Physical Access to Cardholder Data?

What would happen if your organization had no physical access controls protecting cardholder data? Made no effort to restrict physical access to cardholder data? No locks on the doors, no badge or identification system, no security guards, no receptionist? Without physical access controls, you give unauthorized persons a plethora of ways to potentially gain access to your facility and to steal, disable, disrupt, or destroy your critical systems and cardholder data. This is why PCI Requirement 9 requires, “Restrict physical access to cardholder data.”

PCI Requirement 9 details the following sub-requirements:

• 9.1 – Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
• 9.1.1 – Use either video cameras or access control mechanisms (or both) to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.
• 9.1.2 – Implement physical and/or logical controls to restrict access to publicly accessible network jacks.
• 9.1.3 – Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines.
• 9.2 – Develop procedures to easily distinguish between onsite personnel and visitors, which include:  identifying onsite personnel and visitors, changes to access requirements, and revoking or terminating onsite personnel and expired visitor identification.
• 9.3 – Control physical access for onsite personnel to sensitive areas as follows: access must be authorized and based on individual job function, access is revoked immediately upon termination, and all physical access mechanisms are returned or disabled.
• 9.4 – Implement procedures to identify and authorize visitors.
• 9.4.1 – Visitors are authorized before entering, and escorted at all times within, areas where cardholder data is processed or maintained.
• 9.4.2 – Visitors are identified and given a badge or other identification that expires and that visibly distinguishes the visitors from onsite personnel.
• 9.4.3 – Visitors are asked to surrender the badge or identification before leaving the facility or at the date of expiration.
• 9.4.4 – A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted. Document the visitor’s name, the firm represented, and the onsite personnel authorizing physical access on the log.  Retain this log for a minimum of three months, unless otherwise restricted by law.
• 9.5 – Physically secure all media.
• 9.5.1 – Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location’s security at least annually.
• 9.6 – Maintain strict control over the internal or external distribution of any kind of media.
• 9.6.1 – Classify media so the sensitivity of the data can be determined.
• 9.6.2 – Send the media by secured courier or other delivery method that can be accurately tracked.
• 9.6.3 – Ensure management approves any and all media that is moved from a secured area (including when media is distributed to individuals).
• 9.7 – Maintain strict control over the storage and accessibility of media.
• 9.7.1 – Properly maintain inventory logs of all media and conduct media inventories at least annually.
• 9.8 – Destroy media when it is no longer needed for business or legal reasons.
• 9.8.1 – Shred, incinerate, or pulp hardcopy materials so that cardholder data cannot be reconstructed. Secure storage containers used for materials that are to be destroyed.
• 9.8.2 – Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.
• 9.9 – Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
• 9.9.1 – Maintain an up-to-date list of devices that includes: make/model of device, location of device, and device serial number or other method of unique identification.
• 9.9.2 – Periodically inspect device surfaces to detect tampering or substitution.
• 9.9.3 – Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include: how to verify the identity of any third-party persons claiming to be repair or maintenance personnel (prior to granting them access to modify or troubleshoot devices), do not install, replace, or return devices without verification, how to be aware of suspicious behavior around devices, and how to report suspicious behavior and indications of device tampering or substitution to appropriate personnel.
• 9.10 – Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.

PCI Requirement 9 Key Terms

As you learn more about PCI Requirement 9, you’ll hear a few key terms over and over again. For the purposes of this requirement, PCI Requirement 9 key terms are defined as:

• Onsite Personnel: Full-time and part-time employees, temporary employees, contractors, and consultants who are physically present on an entity’s premise.
• Visitor: Vendors, third parties, guests of any onsite personnel, service workers, or anyone who needs to enter the facility for a short duration, usually not more than one day.
• Media: All paper and electronic media containing cardholder data.

PCI Requirement 9 is about maintaining the physical access and physical security of your environment. This would include data centers, call centers, and other sensitive areas. One of the caveats to this is that the area behind the cash register, or the customer-facing environments, are not considered sensitive areas. Wherever your cardholder data is stored, processed, or transmitted is where we look to see that the controls of PCI Requirement 9 are managed.