PCI DSS Requirement 9: Restrict physical access to cardholder data.
Physical access to systems holding cardholder data gives individuals the opportunity to access devices or data, or to destroy systems or hard copies. Consequently, such access should be restricted to authorized personnel only.
For PCI DSS Requirement 9, “on-site staff” refers to full-time and part-time employees, temporary staff, contractors and consultants who are physically present at the company’s site.
A “visitor” refers to a reseller, the guest of any facility staff, service workers, or any person who needs to enter the facility for a short time, usually no more than one day. “Media” refers to all paper and electronic media containing cardholder data.
PCI DSS Requirement 9 is concerned with controlling physical access to all systems in the cardholder data environment that store, process, or transmit cardholder data.
Let’s take a look at the sub-requirements in requirement 9.
PCI DSS Requirement 9.1: Use appropriate facility access controls to limit and monitor physical access to systems in the cardholder data environment.
Requirement 9.1 requires physical access controls for computer rooms, data centers and other areas containing cardholder data. Examples of physical security controls include badge readers or key-controlled access locks.
Unauthorized persons may potentially gain unauthorized access to the facility to steal, disable, disrupt or destroy critical systems and cardholder data in the absence of physical access controls such as badge systems and door controls.
Locking console login screens prevents unauthorized people from accessing sensitive information, changing system configurations, introducing security vulnerabilities into the network, or destroying records.
System consoles should therefore be locked whenever they are not in use.
PCI DSS Requirement 9.1.1: Use video cameras or access control mechanisms to monitor individual physical access to sensitive areas. Review the collected data and correlate it with other entries. Retain data for at least three months unless otherwise required by law.
These controls will help identify physical entry and exit, as well as individuals who have physical access to sensitive areas.
Criminals trying to gain physical access to sensitive areas will often try to disable or bypass surveillance controls. Video cameras can be positioned out of reach so that they cannot easily be disabled, and these systems can be monitored to detect any attempt at interference or deactivation.
Similarly, access control mechanisms can be monitored or have additional physical protection to prevent them from being damaged or disabled by malicious individuals.
“Sensitive areas” means any data center, server room, or any area that hosts systems that store, process, or transmit cardholder data. Sensitive areas do not include public areas where only point-of-sale terminals are located, such as cashier areas in a retail store.
Sensitive areas must be defined by each organization to ensure that appropriate physical monitoring controls are implemented.
PCI DSS Requirement 9.1.2: Implement physical or logical controls to restrict access to publicly accessible network ports.
Restricting access to network ports prevents malicious individuals from reaching internal network resources by plugging into readily available network ports. Logical controls, physical controls, or a combination of both are sufficient, as long as they prevent a person or device that is not explicitly authorized from connecting to the network.
For example, network ports in areas that are accessible to visitors can be disabled and enabled only when access to the network is explicitly authorized. Alternatively, processes can be implemented to ensure that visitors are escorted by authorized staff at all times in areas with active network ports.
PCI DSS Requirement 9.1.3: Restrict physical access to wireless access points, gateways, handsets, network/communications equipment and telecommunication lines.
In the absence of any access restrictions on wireless components and devices, malicious users can use an organization’s wireless devices to access network resources or connect their devices to the wireless network to gain unauthorized access.
Also, securing networking and communications hardware prevents malicious users from monitoring network traffic or physically connecting their own devices to wired network resources.
PCI DSS Requirement 9.2: Develop procedures to distinguish between on-site staff and visitors easily
Authorized visitors must first be identified so that they can be easily distinguished from on-site staff. Identification prevents unauthorized visitors from being granted access to areas containing cardholder data.
The procedures to be implemented should cover the following:
- Identifying on-site staff and visitors (for example, by assigning badges).
- Making it easy to distinguish between on-site staff and visitors.
- Clearly defining who counts as a visitor.
- Handling changes in access requirements.
- Revoking or terminating on-site personnel identification and expired visitor identification (such as ID badges).
PCI DSS Requirement 9.3: Control physical access to sensitive areas for on-site personnel
Controlling physical access to sensitive areas helps ensure that only authorized personnel with a legitimate business need can enter them. When staff leave the organization, all physical access mechanisms should be returned or disabled as soon as possible so that they can no longer physically access sensitive areas.
Physical access for on-site personnel to sensitive areas should meet the following:
- Access should be authorized and based on the individual’s job function.
- Access should be revoked immediately upon termination.
- All physical access mechanisms, such as keys and access cards, must be returned or disabled.
PCI DSS Requirement 9.4.1-9.4.4: Implement procedures to identify and authorize visitors.
Visitor controls are essential to reduce the ability of unauthorized and malicious individuals to access facilities and potentially cardholder data. Visitor controls enable visitors to be identified as visitors. As a result, staff can monitor visitor activities and restrict access to legitimate visits only.
Ensuring that visitors’ badges are returned when the visit is over prevents malicious persons from using a previously authorized badge to gain physical access to the building after the visit has ended.
A visitor log must be kept, documenting the minimum information about the visitor. In this way, these records will help determine physical access to a building or room and potential access to cardholder data.
Procedures to be established to identify and authorize visitors should include:
- Visitors must be authorized and escorted at all times before entering areas where cardholder data is processed or maintained.
- After visitors are identified, they should be given a badge or other identification that expires and visually distinguishes them from on-site staff.
- Visitors should be asked to surrender the badge or ID before leaving the facility or on the expiration date.
- A visitor log is used to keep a physical audit trail of visitor activity in the computer rooms and data centers where cardholder data is stored or transmitted.
- The visitor’s name, the company represented, and the on-site personnel who authorized the physical access must be documented. The visitor log must be kept for at least three months unless otherwise required by law.
PCI DSS Requirement 9.5: Physically secure all media.
Physical media protection controls are designed to prevent unauthorized persons from accessing cardholder data on any media.
Cardholder data can be read, copied or scanned illegally if it is left unprotected, printed out and left on someone’s desk, or stored on removable or portable media. It is therefore crucial to protect all media physically.
PCI DSS Requirement 9.5.1: Store media backups in a secure location, preferably off-site, such as an alternate or backup site or a commercial storage facility. Review the security of the location at least once a year.
If media backups are stored in an unsafe place, backups containing cardholder data can easily be lost, stolen or copied for malicious purposes. Periodic review of the storage facility will minimize potential risk by allowing the organization to address identified security issues promptly.
PCI DSS Requirement 9.6: Have strict control over the internal or external distribution of any media.
Procedures established by the organization help protect cardholder data on media that is distributed to internal or external users. Without such procedures, data may be lost, stolen or used for fraudulent purposes.
PCI DSS Requirement 9.6.1: Classify media so that the sensitivity of the data is determined.
It is essential to define the classification status of the media so that its sensitivity is readily apparent. Media that is not identified as confidential may not be adequately protected and may be lost or stolen.
The aim is not to label all media “Secret”. The organization should identify media that contains sensitive data and determine the degree of protection its sensitivity warrants.
PCI DSS Requirement 9.6.2: Send media by a secure courier or other delivery methods that can be tracked accurately.
If media is sent in an untraceable way, like regular mail, loss or theft may occur. Secure couriers should be used to transport any media containing cardholder data. In this way, the organization can know and track the location of its shipments by using monitoring systems.
PCI DSS Requirement 9.6.3: Make sure management approves all media that are moved from a secure area.
All media movements must be approved by management before the media is removed from safe areas. In this way, the transported media can be monitored, protected appropriately and tracked by knowing its location.
With the additional approval process, the media can be assigned to authorized people and kept under control.
PCI DSS Requirement 9.7 and 9.7.1: Maintain strict control over the storage and accessibility of media.
In the absence of careful inventory methods and storage controls, stolen or lost media may not be noticed for a long time, or at all.
For this reason, inventory logs of all media should be properly maintained, and media inventories should be conducted and reviewed at least once a year.
PCI DSS Requirement 9.8.1-9.8.2: Securely destroy media when it is no longer needed for business or legal reasons.
If information on hard drives, portable drives, CDs/DVDs, or paper is not properly destroyed before the media is discarded, malicious individuals may recover it and compromise data security.
For example, malicious people can search through trash and recycling bins and find information that they can use to initiate an attack. Securing the storage containers used for materials awaiting destruction prevents sensitive information from being collected while the materials wait to be destroyed.
For example, containers holding materials to be destroyed can be locked, or physical access to the container can otherwise be prevented. Methods for the secure destruction of electronic media include secure wiping, degaussing or physical destruction.
Hard-copy materials must be cross-cut shredded, incinerated or pulped so that cardholder data cannot be reconstructed. Secure storage containers should also be used for materials awaiting destruction.
Cardholder data on electronic media must be rendered unrecoverable so that it cannot be reconstructed.
Media destruction policy should be established and should cover all media. Policies and procedures should define the following requirements:
- Printed materials must be cross-cut shredded, incinerated or pulped so that they cannot be reconstructed.
- Storage containers used for materials to be destroyed must be securely protected.
- Cardholder data on electronic media should be rendered unrecoverable.
- A secure erase program that complies with industry-accepted standards must be used, or the media must be physically destroyed.
PCI DSS Requirement 9.9: Protect devices receiving payment card data from tampering and replacement by direct physical interaction.
This requirement applies to card-reading devices used in card transactions at the point of sale. This requirement is not intended to be applied to manual key input components such as computer keyboards and POS keypads.
Criminals try to steal cardholder data by stealing or manipulating card reader devices and terminals. For example, criminals may steal devices to learn how they work so that they can install malicious software on them, and then substitute such a counterfeit device for a legitimate one so that payment card information is sent to them whenever a card is entered.
Criminals may also try to attach additional components to the outside of a device, designed to capture payment card details before they enter the device. For example, by attaching an extra card reader on top of the device’s own reader, payment card information is read twice: first by the criminal’s component and then by the device’s legitimate component.
In this way, the criminal can steal payment card information during the transaction, and the transaction can be completed without interruption.
Policies and procedures regarding devices receiving payment card data should include:
- Inventory list of devices should be kept.
- Devices should be inspected periodically to detect tampering or replacement.
- Staff should be adequately trained to recognize suspicious behavior and report tampering or replacement of devices.
PCI DSS Requirement 9.9.1: Keep an updated list of devices.
Keeping an up-to-date device list helps an organization track where the devices should be and quickly identify if a device is missing or lost.
The list can be maintained automatically or kept in electronic or paper records. For mobile devices, the details should include the location and the name of the person to whom the device is assigned.
The device list should include the following:
- Make and model of the device.
- Device location.
- Device serial number or other unique identification methods.
PCI DSS Requirement 9.9.2: Periodically inspect device surfaces to detect tampering or replacement.
Attackers can attach card skimmers to devices that receive payment card data, or replace a device with a rogue one. For this reason, device surfaces should be examined regularly by trained personnel.
Signs that a device may have been tampered with or replaced include unexpected attachments or cables, missing or altered security labels, a broken or differently colored casing, a changed serial number, or other external signs.
Regular inspection of devices helps organizations detect tampering with or replacement of a device more quickly, thereby minimizing the potential impact of fraudulent devices.
The type of inspection may vary by device. For example, photos of devices known to be secure can be used to compare a device’s current appearance with its original appearance to see whether it has changed. Another option is to use a security marker pen, such as a UV marker, to mark device surfaces and openings so that any tampering or replacement becomes noticeable.
Criminals often replace the outer casing of a device to hide their tampering; these methods help identify such activity.
Device manufacturers can provide security guides to help you determine whether the device has been tampered with.
The frequency of inspection may vary depending on factors such as the location and type of device. For example, devices left unattended in public areas may need more frequent inspections than devices kept in secure areas.
The type and frequency of device inspections should be handled and defined in annual risk assessment processes.
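As an added example that is not part of this article or any PCI SSC material, the following Python reconciles a device inventory of the kind Requirement 9.9.1 calls for (make, model, location, serial) against the observations recorded during a Requirement 9.9.2 surface inspection, and flags missing, replaced, relocated, unknown and visibly tampered devices. The device names, locations and serials are constructed sample data.

```python
from dataclasses import dataclass

# Added example, not PCI SSC or vendor code: reconcile a Requirement 9.9.1
# device inventory against a Requirement 9.9.2 inspection round and list the
# discrepancies to follow up on. All device data below is constructed.
@dataclass(frozen=True)
class Device:
    make: str
    model: str
    location: str  # e.g. "Store 12 / Lane 3"
    serial: str    # serial number or other unique identifier
@dataclass(frozen=True)
class Observation:
    location: str
    serial: str          # serial read from the casing during inspection
    labels_intact: bool  # security labels present and unaltered
    casing_ok: bool      # no unexpected attachments, cables or colour changes

def reconcile(inventory, observations):
    # Returns sorted (kind, location, detail) findings for follow-up.
    expected = {d.serial: d for d in inventory}
    seen = {o.serial: o for o in observations}
    findings = []
    for serial, dev in expected.items():
        obs = seen.get(serial)
        if obs is None:
            # An unknown serial at the expected location points to a swap.
            swapped = any(o.location == dev.location and o.serial not in expected
                          for o in observations)
            kind = "REPLACED" if swapped else "MISSING"
            findings.append((kind, dev.location, f"{dev.make} {dev.model} {serial} not found"))
        elif obs.location != dev.location:
            findings.append(("MOVED", obs.location, f"{serial} inventoried at {dev.location}"))
    for serial, obs in seen.items():
        if serial not in expected:  # never inventoried: possible rogue terminal
            findings.append(("UNKNOWN", obs.location, f"serial {serial} not in inventory"))
        if not (obs.labels_intact and obs.casing_ok):
            findings.append(("TAMPER", obs.location,
                             f"{serial}: labels_intact={obs.labels_intact} casing_ok={obs.casing_ok}"))
    return sorted(findings)

# Constructed sample data: three checkout lanes in one store.
INVENTORY = [
    Device("AcmePay", "T100", "Store 12 / Lane 1", "SN-1001"),
    Device("AcmePay", "T100", "Store 12 / Lane 2", "SN-1002"),
    Device("AcmePay", "T100", "Store 12 / Lane 3", "SN-1003"),
]
OBSERVED = [
    Observation("Store 12 / Lane 1", "SN-1001", True, True),   # as inventoried
    Observation("Store 12 / Lane 2", "SN-9999", True, True),   # different unit in place
    Observation("Store 12 / Lane 3", "SN-1003", False, True),  # security label missing
]

if __name__ == "__main__":
    for kind, loc, detail in reconcile(INVENTORY, OBSERVED):
        print(f"{kind:9}{loc}: {detail}")
```

With the sample data the report shows Lane 2 as REPLACED (plus the UNKNOWN serial found there) and Lane 3 as TAMPER; a clean round returns no findings.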
PCI DSS Requirement 9.9.3: Train personnel to be aware of attempted tampering with or replacement of devices.
Criminals will often pretend to be authorized maintenance personnel to access POS devices. All third parties requesting access to the devices must always be verified before accessing them.
For example, the necessary checks can be made by confirming with management or by calling the POS maintenance company for verification. Many criminals try to deceive staff by dressing as authorized personnel and carrying the relevant tools.
Relevant personnel should therefore always be trained to follow the procedures. Before a device is installed or used for business purposes, staff should always verify with their manager or the vendor that the device is legitimate and comes from a trusted source.
Training on the security of POS devices should include:
- The identities of third parties who claim to be repair or maintenance personnel must be verified before they are given access to modify or troubleshoot devices.
- Devices must not be installed, replaced or returned without verification.
- It is necessary to be aware of suspicious behavior around the devices.
- Suspicious behavior and falsification or replacement of the device should be reported to appropriate personnel.
PCI DSS Requirement 9.10: Ensure that security policies and operational procedures to restrict physical access to cardholder data are documented, in use, and known to all affected parties.
Staff need to know, and continually follow, the security policies and operational procedures for restricting physical access to cardholder data and CDE systems.
For detailed information, see the PCI DSS Quick Reference Guide from the PCI SSC Documentation library.