PCI compliance requirement 9: Physical access
Date: Jun 01, 2009
Diana Kelley and Ed Moyle of Security Curve review PCI compliance requirement 9: "Restrict physical access to cardholder data." To meet PCI compliance requirement 9, you must:
- Protect the physical facilities used for processing cardholder data
But what about cameras? Are they essential? Diana and Ed address other common questions related to PCI compliance requirement 9, including how to change a culture that is resistant to badges.
Watch the rest of the PCI compliance videos, which review what each particular requirement calls for.
Editor's note: This video is based on PCI DSS version 1.1. For updated information on the changes in PCI DSS version 1.2, see the following:
- Version 1.2 of PCI DSS answers questions, raises others
- PCI version 1.2 clarifications: How to get an early start on compliance audits
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact editor@searchsecurity.com.
PCI compliance requirement 9: Physical access
Ed Moyle: Welcome back. Just to give you a little bit of an overview as
to what we are going to be talking about this time around. We are going to
be talking about the PCI requirements themselves. We are going to step
through some of the requirements, or actually all of the requirements, and
hopefully address the common questions that both of us receive in our
various lines of work, then talk a little bit about some of the
compensating controls, and what you can do if you cannot meet a
requirement or a particular requirement.
The next requirement, Requirement 9: Physical access: In a nutshell, you
are just making sure that your physical facilities are protected -- you have
physical controls around your facilities. We hear a lot, 'Do we need to use
cameras?' Yes, you do; it says specifically in there that you do have to
use cameras. A lot of firms, particularly in the SMB, smaller firms, might
not necessarily have cameras in place. You need to use them, it is there.
'Our culture is resistant to badges,' that is something we
hear a lot too. Unfortunately, it is hard to satisfy the requirements
without using a badging system of some type. You can get creative and try
to get around it, but the easy way to satisfy that is badges. 'Does it
apply to retail locations?' Sometimes, but not usually. 'Do you have to
have a guard, a camera, that is on folks as they eat at a fast food joint?'
Obviously, that is not the intent of the requirement. The intent is to
safeguard the systems that store, process, and transmit the actual
cardholder data itself.
Diana Kelley: I like eating when I am guarded. Another thing that Ed was talking about:
take a look at, can you do centralized processing and where
those payment servers are because that is going to, you have that physical
access, strong physical access requirements around where the payment
servers are and where you are storing the information, not necessarily at
the point of sale, so look at centralizing it as much as possible. For your
quick hits, again, you want policy, and you want to document. Look at a
visitor log going in and out of the data centers where you have got the
payment centers, and yes, badges, and yes, cameras for the areas where you
actually have the servers.
Ed Moyle: And network jacks. A lot of folks forget the specific
requirements for network jacks. If you have an open area and you have a
network jack there, just make sure that it is not a live one that somebody
could walk up and plug something into.