When you hear the word data protection, what’s the first thing that comes to mind? You can talk about checking firewalls, encryption, and even vulnerabilities. But have you ever thought of locked doors, security badges, or login sheets?
Are you aware that most devices containing sensitive data are stolen in the middle of the day? This is because it’s easier to steal data when employees are too busy to notice someone leaving the office with a phone, laptop, or server.
Many companies still don’t know how physical protection will help protect card details. However, there are also a few ways data thieves can gain access by circumventing physical access controls, and most such technical devices do not require them.
Strengthening your physical protection prevents hackers and social engineers from obtaining the information needed to access and steal card data.
What are the PCI DSS Physical Security Requirements?
When you think of a data breach, the idea of a hacker somehow getting into a computer or network infrastructure comes to mind. However, not all data security incidents are caused by remote cyberattacks; most of them are caused by physical breaches.
Therefore, it is not surprising that the Payment Card Industry Data Security Standard (PCI DSS) outlines specific guidelines to physically secure cardholder data environments (CDE).
With unauthorized access, criminals, fraudsters, and fraudulent employees can quickly access, remove, edit, or tamper with a device that touches or stores cardholder data (CHD) and payment information.
For example, fraudsters are increasingly applying “skimming” devices to compromise credit and debit cards at ATMs and gas station pump terminals. While the transition to EMV chip cards is designed to alleviate this growing problem, the risks remain.
Complicating the situation is that not all card data is stored electronically. Often, businesses keep hard copies of customer payment card data and receipts. If they fall into the wrong hands with these materials due to PCI non-compliance, businesses will face heavy penalties, lose consumer trust, and damage their credibility.
PCI DSS Requirement 9 is purely physically dedicated to stopping cardholder data theft. Criminals often try to access cardholder data by physically stealing hardware or paper receipts that contain SAD data. Likewise, tampering or modifying legitimate card reading devices is a common attack technique used by attackers.
PCI DSS Requirement 9 was created with ten sub-requirements to help protect cardholder data from a physical perspective. Each of the sub-requirements is dedicated to a different aspect of physical security and includes detailed descriptions of how to complete the tasks that make up the fundamental requirement:
- To restrict and track physical access to devices in the cardholder data area, use sufficient facility entry controls.
- Develop procedures to easily distinguish onsite staff and visitors, particularly in areas where cardholder data is accessible.
- Give each user a unique identity. Each user with access to the Cardholder Data Environment must have a unique ID. In this way, you can track each action up to a specific individual.
- Before accessing areas where cardholder data is processed or stored, make sure all visitors are allowed.
- Tokens or cards that identify visitors as onsite personnel must be delivered before leaving the facility or on the expiration date.
- Use a visitor log to keep a physical audit trail of visitor information and activities, including visitor names, companies, and onsite staff who allow physical access.
- Keep the visitor log for at least three months, unless otherwise restricted by law.
- Store media backups in a safe place, preferably offsite.
- Physically protect all media.
- Maintain tight control over the internal or external distribution of all types of media. Classify the media so that the sensitivity of the data can be determined.
- Make sure management approves all media moved from a secure area, mainly when media is distributed to individuals.
- Maintain strict control over media storage and accessibility.
- Dispose of media when it is no longer necessary for commercial or legal reasons.
PCI DSS requirement 9 also covers physical security for media containing SAD, such as CDs / DVDs, hard drives, USB keys, and electronic media such as tape backup. Sensitive areas requiring increased physical security to protect SAD include data centers, server rooms, call centers, and network hardware locations. However, it does not have public areas such as in-store checkout areas.
PCI DSS Physical Security Requirements Tips
PCI DSS Requirement 9 includes all physical security checks. Here are a few tips for ensuring that PCI DSS physical security requirements provide adequate protection against card data loss and ensure that your physical security is PCI compliant.
1. Create and Maintain Your Device Inventory.
Many companies use mobile devices as part of their transactions. While useful, mobile device use also comes with some security issues. Device theft, including laptops and servers, is also a cause of data breaches.
If you don’t know where your devices are, you cannot protect cardholder data either. Start protecting cardholder data by first creating an inventory of all devices that store, process, transmit sensitive information or that could impact security.
List the programs running on these systems, including version information, so that you can be aware of known vulnerabilities. Determine physical locations and who can access these systems.
It’s easy to recognize servers, firewalls, workstations, and laptops, but don’t forget about other resources that need to be physically secured, such as:
- Wireless access points
- Network jacks
- Telecommunication lines
- External hard drives
- Paper records
Remember, an inventory is just a snapshot. Set up a system to update the list as things change, and monitor equipment movement and removable media inside and outside your space.
Ensure you have a detailed list of devices that can hold or add data to your card details. Your company will know where these machines are, who is running them, and whether they have left your company settings.
The inventory will help you keep track of all the devices you use. If attackers steal something, the inventory list you keep will help you easily identify the stolen computer, where it is, what data was stolen, and what steps can be taken.
2. Provide Restricted Access to Critical Areas or Facilities.
Rooms with card information should only be accessible by employees who need it.
Make sure you only give your employees the amount of access they need. For example, your marketing boss doesn’t need to have access to card data. Most data is stored in a data center, and you need to trust your data center service provider before delivering all your data.
When you know which systems to protect, set up PCI DSS Requirement 9 controls that restrict access to them, such as card readers and keylocks. Employee access must be allowed and required for the employee’s job function. When visitors are expected to access sensitive areas, make sure they are permitted by an employee and accompanied at all times.
It is essential to have a way to recognize and distinguish employees and visitors, such as badges. You will need a way for anyone accessing a sensitive area, such as video cameras and access logs, to follow and log in.
Ensure you find a way to disable access when a visitor’s stay ends or an employee is fired. Make sure all physical access devices such as keys and access cards are returned or disabled.
Do not hide sensitive information such as payment card details in the open. For example, event planning firms and catering suppliers can use paper forms containing customers’ credit card details. The card is usually paid at such companies, and the paper order form is destroyed until the end of the event.
If your company collects credit card information similarly, the papers must be structured appropriately to keep sensitive data separate from the order information.
3. Establish Your Physical Security Policies.
It would be better if you comprehensively defined your corporate and physical protection policies. Both parties with access to cardholder data must be aware of these documents and be adequately trained to comply with these policies.
You will need to develop a set of policies to manage physical security for employees. Doing so will protect against intentional or accidental theft of data. Things to consider in your policies include the following:
- When the doors are locked
- Who has which access authorization?
- Which devices will always stay in place?
- Who inspects the security application?
- Physical access to hardware and network infrastructure for CDE servers
- Password change policy
- How to report lost and stolen access cards or badges
- Visitor access procedures
Documenting these policies and procedures is very important because putting them on paper explains the concerns workers may have and minimizes liability in the event of a violation. You should also periodically renew these policies.
4. Train Your Employees on Physical Security Policies.
Policies and procedures alone are useless for your company if your staff does not comply with security policies. One of the leading causes of many data breaches is human error. It is enough for an employee to forget to lock a door or a locker in the data center, for an unauthorized person to steal devices or intercept data in a restricted area.
Make sure you train your staff on physical safety. Give examples of correct and incorrect policies and procedures. Ensure employees understand the costs and liabilities that may arise if they fail to comply with company policies.
It is recommended that employees receive training every three months, if not monthly. You should also update the training content when your policies change.
5. Don’t Forget The Small Details.
It’s good to make sure your doors are locked at night and everything is safe, but what about the daytime? Contrary to popular belief, a lot of data theft occurs in the middle of working hours, with social engineering attacks. Consider the access privileges that the doorman and delivery staff have. Accessing data by pretending to be an employee will be very simple with a social engineering attack.
Sometimes attackers are very good at accessing unauthorized areas unnoticed with social engineering attacks, mostly because workers ignore smaller security details. No matter how sweet and innocent someone is, you should stick to their data protection policies.
Smaller security details mustn’t be left out. Setting up computer-based privacy controls, installing blinds in rooms with sensitive data, and recording who enters and leaves the company will provide vital protection to secure card data.
6. Secure Your POS Devices.
Attackers who can access POS devices can manipulate the computers and terminals that read the card and steal card data. Remember to keep an inventory of POS machines and regularly check for signs of misuse.
If your company has card reading POS systems used in card transactions, PCI DSS provides unique security requirements to protect them:
- Create an up-to-date list of all devices, including physical location, serial numbers, and make / model.
- Inspect devices periodically to ensure they have not been tampered with. Make sure serial numbers match and seals are not broken.
- Train relevant employees regarding the security of POS devices.
To help employees conduct successful software reviews, it is essential to create instructions, identify fraudulent behavior around payment systems, and understand what third parties will do when working on the network.
7. Securely Delete Credit Card Information.
The best way to protect cardholder data is to keep them no longer than necessary. Create a schedule to check that media containing cardholder data should be destroyed safely when it is no longer needed.
Crumble, pulp, or burn the printed copies. Physically wipe, demagnetize or destroy electronic content. Also, lock the storage containers used for shredded or discarded items so that criminals cannot take them back for fraudulent use.
Closing Considerations on PCI DSS Physical Security Requirements
Credit cards contain a large amount of sensitive data about the cardholder. A person’s life can be ruined if the data gets into the wrong hands. Now imagine the company has millions of credit card storages containing card information. If a phishing scam or attack accesses the database remotely, all payment card records can be compromised in the blink of an eye.
At all times, companies are required to be 100% compliant with PCI DSS and maintain compliance year after year. To secure your CDE and your organization from data breaches, it would be better if you had the most up-to-date cybersecurity plans and trained employees.
When it comes to protecting your CDE and data in transit, you need to maintain your continued compliance with all PCI DSS Requirement 9 and sub-requirements as well as 11 other PCI DSS requirements to help you reduce PCI coverage and maintain a healthy cybersecurity stance.