PCI 9:
Requirement 9: Restrict physical access to cardholder data.
- Any physical access to data or systems that house cardholder data allows the opportunity to access devices or data, and remove systems or hardcopies, and should be appropriately restricted.
- PCI-9.1 Use appropriate facility entry controls to limit and monitor physical access to systems that store, process, or transmit cardholder data.
- PCI-9.2 Develop procedures to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder information is accessible. “Employee” refers to full-time and part-time employees, temporary employees/personnel, and consultants who are “resident” on the entity’s site. A “visitor” is defined as a vendor, guest of an employee, service personnel, or anyone who needs to enter the facility for a short duration, usually not more than one day.
- PCI-9.2 Develop procedures to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder information is accessible. “Employee” refers to full-time and part-time employees, temporary employees/personnel, and consultants who are “resident” on the entity’s site. A “visitor” is defined as a vendor, guest of an employee, service personnel, or anyone who needs to enter the facility for a short duration, usually not more than one day.
- PCI-9.3 Use appropriate facility entry controls to limit and monitor physical access to systems that store, process, or transmit cardholder data.
- Make sure all visitors are:
- PCI-9.7 Maintain strict control over the internal or external distribution of any kind of media that contains cardholder information.
- PCI-9.9 Maintain strict control over the storage and accessibility of media that contains cardholder information:
- PCI-9.10 Destroy media containing cardholder information when it is no longer needed for business or legal reasons:
--Mdpeters 12:57, 7 July 2006 (EDT)