Timeline for PCI DSS 4.0: The Ninth Requirement and Physical Access Security

pci dss 4.0 featured

When thinking about cybersecurity, many stakeholders outside the industry will rarely consider the physical systems supporting digital information. And yet, almost any security framework worth its salt will have some provision for securing physical systems and environments. PCI DSS 4.0 is no different, and the ninth requirement is dedicated to just this topic.

This article will discuss this requirement and exactly what it means to approach the physical security of systems containing cardholder data in compliance with PCI DSS.


What Is Physical Security in Cyber Defense?

When we think of hackers, we often think of faceless attackers online or behind email phishing campaigns, trying to compromise authentication or network security. However, many successful attacks will come from insider threats (especially when internal personnel aren’t adequately monitored) or old-fashioned social engineering. Many cases have been where entire systems have been compromised simply because a laptop with user credentials was stolen from a public space. 

Physical security includes some of the following measures and controls:

  • Securing Physical Locations: Data centers, servers, and any room or location which might contain sensitive data should be secured against the unauthorized entrance. This can include basic door locks or, in more advanced cases, card entry authorization, fingerprint authorization, or keycard scanners.
  • Monitoring and Logging Visitors: Any individuals entering the premises, particularly any location where they could gain access to cardholder information, should be logged and tracked through their visit. This includes any logging needed when entering secure areas.
  • Surveillance: Security cameras can record where visitors and other individuals move throughout a building. Along with security personnel, you can prevent access to sensitive areas or use video for forensic purposes in cases of a breach.
  • Device Security: All workstations, including tablets, laptops, or mobile phones. should be secured from access if they contain either sensitive information or credentials to connect to systems with such data. This can include on-device locks or designated, secure spaces (locked storage rooms, lockers, etc.).
  • Records Security and Disposal: Whenever your organization has any removable media or hard copies of cardholder data, you must ensure that the media is secured (much like devices) or adequately destroyed.


What Is the Ninth Requirement for PCI DSS 4.0?

pci dss 4.0

Covering physical security, the ninth requirement details how organizations utilizing cardholder data must secure any physical space where that information, or IT infrastructure holding and information, is maintained. 

9.1 – Processes and Mechanisms for Restricting Physical Access to Cardholder Data

  • Policies and Procedures: All policies and procedures for securing physical devices and environments must be defined, documented, and regularly updated.
  • Roles and Responsibilities: Responsibility for managing physical security should be invested in a compliance and security infrastructure, well-defined and recorded for auditing and accountability purposes. 


9.2 – Physical Access Controls Manage Entry into Facilities

  • Entry Controls: An organization must maintain control of all entry points, including entry points to sensitive areas. Physical access to entry and exit points leading to areas containing Cardholder Data Environments (CDE) must be monitored, and these monitoring devices must be protected against tampering. Additionally, data collected from monitoring devices are regularly reviewed and maintained in storage for at least three months.
  • Network Access: Any physical network access jacks must be secured from public use.
  • Consoles and Workstations: All consoles and workstations must be secured from physical access by the public or unauthorized users.


9.3 – Physical Access for Personnel and Visitors

  • Authorizing Personnel: Access to sensitive areas is controlled with proper authorization controls based on an individual’s job function. This access is revoked immediately upon termination, and all access devices (keys, cards, etc.) are retrieved or disabled.
  • Procedures for Authorizing Visitors: Any visitor entering premises containing a CDE must be authorized before entering, under escort for the duration of their visit, and maintain clear identification (via visitor identification badge) that is distinct from employee identification.
  • Visitor Identification: Any badge given to a visitor is collected upon leaving the facility.
  • Visitor Logs: Visitor logs should be maintained, containing visitors’ names, organization, the date and time of the visit, and the name of the authorizing employee. These logs should be kept for a minimum of three months.


9.4 – Media with Cardholder Data is Secured

  • On-Premises Security: All media containing cardholder data must be physically secured, including offline backups. Security of offline backups must be reviewed at least annually.
  • Information Media Security: All media should come with a classification of security based on the sensitivity of the information stored.
  • Logs and Approval Outside of Facility: The organization should log media sent outside a CDE or containing the facility. Furthermore, this media should only be sent by secured couriers with tracking, and that location tracking is included with media logs. Finally, all physical movement of storage media containing cardholder data outside of the organization must be approved by management.
  • Hard Copies of Data: Any hard copies (printed or photocopied information) of cardholder data must be destroyed when there are no longer any business needs. This includes either cross-cut shredding, incinerating, or pulping the copies. Before destruction, these documents must be stored securely.
  • Electronic Copies of Data: Electronic records are destroyed when no longer needed, either by destroying the electronic media or rendering the information on the media unreadable (for example, sanitizing a hard drive). 


9.5 – Point of Interaction Devices are Protected from Tampering

  • Securing POI Devices: Any device that captures card information physically (for example, card scanners at the point of sale), must be protected from tampering. This includes maintaining a list of all POI devices, running periodic inspections of these devices, and training employees to recognize signs of tampering.
  • Inventories of POI Devices: The organization must maintain an up-to-date inventory of POI devices, including the make and model, location, and serial number of that device for auditing purposes.


Prepare for PCI DSS 4.0 with Lazarus Alliance

As we dig into the requirements of PCI DSS, you will see the increasing complexity and interoperability of the different technologies, policies, and practices you’ll need to deploy to receive PCI verification and maintain compliance. These practices aren’t just to complete a checklist. However–they are tried-and-true security practices that will help support your security efforts ten years from now. 


Are You Thinking Ahead for PCI DSS 4.0?

Call Lazarus Alliance at 1-888-896-7580 or fill in this form.

Lazarus Alliance