PCI 9:

From HORSE - Holistic Operational Readiness Security Evaluation.

Requirement 9: Restrict physical access to cardholder data.


  • Any physical access to data or systems that house cardholder data provides the opportunity to access devices or data and to remove systems or hardcopies, and should be appropriately restricted.




PCI-9.1 Use appropriate facility entry controls to limit and monitor physical access to systems that store, process, or transmit cardholder data.


PCI-9.1.1 Use cameras to monitor sensitive areas. Audit this data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.


PCI-9.1.2 Restrict physical access to publicly accessible network jacks.


PCI-9.1.3 Restrict physical access to wireless access points, gateways, and handheld devices.




PCI-9.2 Develop procedures to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder information is accessible. “Employee” refers to full-time and part-time employees, temporary employees/personnel, and consultants who are “resident” on the entity’s site. A “visitor” is defined as a vendor, guest of an employee, service personnel, or anyone who needs to enter the facility for a short duration, usually not more than one day.




PCI-9.3 Use appropriate facility entry controls to limit and monitor physical access to systems that store, process, or transmit cardholder data.


  • Make sure all visitors are:


PCI-9.3.1 Authorized before entering areas where cardholder data is processed or maintained.


PCI-9.3.2 Given a physical token (e.g., badge or access device) that expires, and that identifies them as non-employees.


PCI-9.3.3 Asked to surrender the physical token before leaving the facility or at the date of expiration.




PCI-9.4 Use a visitor log to retain a physical audit trail of visitor activity. Retain this log for a minimum of three months, unless otherwise restricted by law.




PCI-9.5 Store media back-ups in a secure off-site facility, which may be either an alternate third-party or a commercial storage facility.




PCI-9.6 Physically secure all paper and electronic media (e.g., computers, electronic media, networking and communications hardware, telecommunication lines, paper receipts, paper reports, and faxes) that contain cardholder information.




PCI-9.7 Maintain strict control over the internal or external distribution of any kind of media that contains cardholder information.


PCI-9.7.1 Label the media so it can be identified as confidential.


PCI-9.7.2 Send the media via secured courier or a delivery mechanism that can be accurately tracked.




PCI-9.8 Ensure management approves all media that is moved from a secured area (especially when media is distributed to individuals).




PCI-9.9 Maintain strict control over the storage and accessibility of media that contains cardholder information:


PCI-9.9.1 Properly inventory all media and make sure it is securely stored.




PCI-9.10 Destroy media containing cardholder information when it is no longer needed for business or legal reasons:


PCI-9.10.1 Cross-cut shred, incinerate, or pulp hardcopy materials.


PCI-9.10.2 Purge, degauss, shred, or otherwise destroy electronic media so that cardholder data cannot be reconstructed.



--Mdpeters 12:57, 7 July 2006 (EDT)