Requirement 9: Restrict physical access to cardholder data

While requirements 7 and 8 pertain to logical access controls, requirement 9 focuses on maintaining physical access controls around the systems in the cardholder data environment (CDE). Video cameras or other access control mechanisms (such as badge access systems) must monitor individual access to sensitive areas of the CDE, and at least three months of footage or access records must be retained unless restricted by law. Keep in mind that this sub-requirement does not apply to public locations where only cash registers are present.

Publicly accessible network jacks (if present) must be protected physically or logically (for example, with 802.1X port-based authentication).

All critical systems of the CDE, such as workstations, servers, networking equipment, telecommunications lines, mobile devices, and point-of-sale devices, must be protected against tampering. Physical access to CDE systems must be granted based on job function, and access must be revoked immediately upon termination.

Procedures must be in place to easily distinguish between visitors and onsite personnel in sensitive areas. For example, visitors might be given identification badges labeled “Visitor”. Visitors should be escorted at all times in areas where cardholder data is handled or processed. A log containing the visitor’s name, firm represented, and the onsite personnel authorizing physical access must be maintained for at least three months.

All media containing cardholder data (including computers, servers, backup drives, receipts, and paper records) must be physically secured. Backup media containing cardholder data must be classified (as restricted), inventoried, securely stored, and securely deleted or destroyed when no longer needed. Approval must be documented for every instance where media is moved out of a secure area. Paper media should be securely destroyed (shredded or burned) when no longer needed.

All devices that capture cardholder data (such as point-of-sale devices, cash registers, or gas pumps) should be inventoried, visually inspected periodically, and protected by personnel against tampering by unauthorized individuals.
