PCI-DSS and the need for Physical Access Controls

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security controls designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment globally.

PCI DSS provides a baseline of technical and operational requirements designed to protect account data and applies to all entities involved in payment card processing including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and / or sensitive authentication data (SAD).

There are 12 PCI DSS requirements that must be met for compliance and Requirement 9 specifcally addresses physical access restrictions to card holder data.

PCI-DSS 3.2

Digitus and PCI-DSS Requirement 9 – Restrict physical access to cardholder data

The Digitus Access Solution helps to ensure that any and all access is appropriately controlled and monitored. It is critical to understand that any physical access to data or systems that house cardholder data provides an individual with the opportunity to access devices or data and ultimately to remove systems or printed hardcopies.

For the purposes of Requirement 9:

  • “onsite personnel” refers to full-time and part-time employees, temporary employees, contractors and consultants who are physically present on the entity’s premises.
  • A “visitor” refers to a vendor, guest of any onsite personnel, service workers, or anyone who needs to enter the facility for a short duration, usually not more than one day.
  • “Media” refers to all paper and electronic media containing cardholder data.

PCI-DSS Requirements

9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.

Testing Procedures

9.1 Verify the existence of physical security controls for each computer room, data center, and other physical areas with systems in the cardholder data environment. Verify that access is controlled with badge readers or other devices including authorized badges and lock and key. Observe a system administrator’s attempt to log into consoles for randomly selected systems in the cardholder data environment and verify that they are “locked” to prevent unauthorized use.

Guidance

Without physical access controls, such as badge systems and door controls, unauthorized persons could potentially gain access to the facility to steal, disable, disrupt, or destroy critical systems and cardholder data. Locking console login screens prevents unauthorized persons from gaining access to sensitive information, altering system configurations, introducing vulnerabilities into the network, or destroying record.

PCI-DSS Requirements

9.1.1 Use either video cameras or access control mechanisms (or both) to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.

Note: “Sensitive areas” refer to any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes public-facing areas where only point-of sale terminals are present, such as the cashier areas in a retail store.

Testing Procedures

9.1.1.a Verify that either video cameras or access control mechanisms (or both) are in place to monitor the entry/exit points to sensitive areas.

9.1.1.b Verify that either video cameras or access control mechanisms (or both) are protected from tampering or disabling

Guidance

When investigating physical breaches these controls can help identify the individuals that physically accessed the sensitive areas, as well as when they entered and exited.

Criminals attempting to gain physical access to sensitive areas will often attempt to disable or bypass the monitoring controls.

To protect these controls from tampering, video cameras could be positioned so they are out of reach and/or be monitored to detect tampering.

Similarly, access control mechanisms could be monitored or have physical protections installed to prevent them being damaged or disabled by malicious individuals.