That is the problem with trying to answer a fairly generic question about the PCI DSS. Every auditor has his or her own interpretation of the PCI compliance requirements and, in turn, what suffices for compliance. Thus, I can't answer the question with any level of precision without actually seeing the specific server rooms and understanding the other physical defenses that are in place to protect the servers.
To be clear, PCI DSS requirement 9 requires "appropriate facility entry controls to limit and monitor physical access to systems that store, process, or transmit cardholder data." The most important word in that statement is "appropriate" because that is where all the wiggle room is. What's appropriate tends to be in the eyes of the beholder.
In my opinion, having a camera outside of the server room, which records with an unalterable time stamp who enters and exits the room, and then having sufficiently detailed log records pertaining to changes made on the servers and cardholder data access is enough. But again, that is my opinion.
It's not really practical to try to put a camera on servers that "fall under PCI." With virtualization continuing to proliferate in data centers around the world, an organization can't really be specific anymore relative to what server is doing which tasks. The applications and data that run on a specific physical enclosure can -- and will -- change frequently.
That's why requirements 9 and 10 need to be handled with close coordination. You need to be able to pull log records of server changes and data access. Correlating the log files with physical access and video information can provide a pretty good idea about who did what and when.
Relative to the PIN and/or password-based locks, again the answer depends on each organization's unique situation. Personally, that seems like overkill to me. If I have the servers in a physically secure location and I'm monitoring access to the server room and taking log data from any activity on those servers and the applications that run on the servers, it seems that auditable locks wouldn't add much in terms of meeting PCI requirements.
If I were your auditor, that would be my position. But I'm not, so do what you can and be able to defend your decisions -- whether that's deploying cameras, locks, or any other controls meant to specifically comply with PCI.
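The answer above describes correlating server change and data-access logs (requirement 10) with physical-access records (requirement 9) to work out who was at a machine when something happened. The following is an added example, not part of the original answer and not from any particular product: it assumes a badge-reader log and a server audit log in a constructed key=value line format, pairs each ENTER with the next EXIT to build presence intervals per person, and then lists who the door log says was in the room for each local-console action. The `skew` tolerance is there because badge readers and servers rarely share a perfectly synchronized clock.

```python
from datetime import datetime, timedelta

# Constructed sample badge-reader log for the server-room door (assumed layout,
# not a real product's format). All timestamps are assumed to share one time zone.
BADGE_LOG = """\
2007-12-03T09:58:12 door=SRV-ROOM-1 badge=1042 user=alice event=ENTER
2007-12-03T10:21:40 door=SRV-ROOM-1 badge=1042 user=alice event=EXIT
2007-12-03T13:02:05 door=SRV-ROOM-1 badge=2210 user=bob event=ENTER
2007-12-03T13:45:00 door=SRV-ROOM-1 badge=2210 user=bob event=EXIT
"""

# Constructed server audit log. console=local marks actions taken at the physical
# console, which are the ones a physical-access record can corroborate.
SERVER_LOG = """\
2007-12-03T10:05:33 host=pay-db-01 console=local action=config_change
2007-12-03T13:10:11 host=pay-app-02 console=local action=cardholder_query
2007-12-03T14:00:00 host=pay-app-02 console=remote action=cardholder_query
2007-12-03T15:30:00 host=pay-db-01 console=local action=package_install
"""


def parse_line(line):
    """Split 'TIMESTAMP key=value key=value ...' into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def presence_intervals(badge_text):
    """Pair each ENTER with the next EXIT for the same user.

    Returns {user: [(enter_time, exit_time_or_None), ...]}. An ENTER with no
    matching EXIT yet becomes an open interval (the person is still inside).
    """
    open_entry = {}
    intervals = {}
    for rec in (parse_line(l) for l in badge_text.splitlines() if l.strip()):
        user = rec["user"]
        if rec["event"] == "ENTER":
            open_entry[user] = rec["ts"]
        elif rec["event"] == "EXIT" and user in open_entry:
            intervals.setdefault(user, []).append((open_entry.pop(user), rec["ts"]))
    for user, start in open_entry.items():
        intervals.setdefault(user, []).append((start, None))
    return intervals


def correlate(badge_text, server_text, skew=timedelta(minutes=2)):
    """For every local-console server action, list who the badge log places in
    the room at that moment. `skew` widens each presence interval on both ends
    to absorb clock drift between the badge reader and the servers."""
    intervals = presence_intervals(badge_text)
    results = []
    for ev in (parse_line(l) for l in server_text.splitlines() if l.strip()):
        if ev.get("console") != "local":
            continue  # remote sessions are attributed by the server's own login records
        present = sorted(
            user
            for user, spans in intervals.items()
            for start, end in spans
            if start - skew <= ev["ts"] and (end is None or ev["ts"] <= end + skew)
        )
        results.append(
            {"ts": ev["ts"], "host": ev["host"], "action": ev["action"], "present": present}
        )
    return results


if __name__ == "__main__":
    for r in correlate(BADGE_LOG, SERVER_LOG):
        # An empty list is the interesting case for an auditor: a console action
        # with no badge record means a logging gap, tailgating, or a shared badge.
        who = ", ".join(r["present"]) or "NOBODY on the badge log (investigate)"
        print(f"{r['ts'].isoformat()} {r['host']} {r['action']}: {who}")
```

In the constructed data the 15:30 package install on pay-db-01 comes back with nobody present, which is exactly the kind of discrepancy the answer's requirement 9/10 coordination is meant to surface; in practice the next step is to pull the door camera footage for that window. The remote cardholder query is skipped on purpose, since a badge log says nothing about who was on a network session.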
This was first published in December 2007