PCI compliance requirement 9: Physical access

PCI compliance requirement 9: Physical access

PCI compliance requirement 9: Physical access

Date: Jun 01, 2009

Diana Kelley and Ed Moyle of Security Curve review PCI compliance requirement 9: "Restrict physical access to cardholder data." To meet PCI compliance requirement 9, you must:

  • Protect the physical facilities used for processing cardholder data

But what about cameras? Are they essential? Diana and Ed address other common questions related to PCI compliance requirement 9, including how to change a culture that is resistant to badges.

Watch the rest of the PCI compliance videos, which review what each particular requirement calls for.

Editor's note: This video is based on PCI DSS version 1.1. For updated information on the changes in PCI DSS version 1.2, see the following:

Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact editor@searchsecurity.com.  

PCI compliance requirement 9: Physical access

Ed Moyle:        Welcome back. Just to give you a little bit of an overview as

to what we are going to be talking about this time around. We are going to

be talking about the PCI requirements themselves. We are going to step

through some of the requirements, or actually all of the requirements, and

hopefully address the common questions that both of us receive in our

various lines of work, then talk a little bit about some of the

compensating controls, and what you can do if you cannot meet a

requirement or a particular requirement.


The next requirement, Requirement 9: Physical access: In a nutshell, you

are just making sure that your physical facilities are protected -- you have

physical controls around your facilities. We hear a lot, 'Do we need to use

cameras?'  Yes, you do; it says specifically in there that you do have to

use cameras. A lot of firms, particularly in the SMB, smaller firms, might

not necessarily have cameras in place. You need to use them, it is there.

'Our culture is resistant to badges,' that is something we

hear a lot too. Unfortunately, it is hard to satisfy the requirements

without using a badging system of some type. You can get creative and try

to get around it, but the easy way to satisfy that is badges. 'Does it

apply to retail locations?' Sometimes, but not usually.  'Do you have to

have a guard, a camera, that is on folks as they eat at a fast food joint?'

Obviously, that is not the intent of the requirement. The intent is to

safeguard the systems that store, process, and transmit the actual

cardholder data itself.


Diana Kelley:      I like eating when I am guarded. Another thing that Ed was talking about:

take a look at, can you do centralized processing and where

those payment servers are because that is going to, you have that physical

access, strong physical access requirements around where the payment

servers are and where you are storing the information, not necessarily at

the point of sale, so look at centralizing it as much as possible. For your

quick hits, again, you want policy, and you want to document. Look at a

visitor log going in and out of the data centers where you have got the

payment centers, and yes, badges, and yes, cameras for the areas where you

actually have the servers.


Ed Moyle:        And network jacks. A lot of folks forget the specific

requirements for network jacks. If you have an open area and you have a

network jack there, just make sure that it is not a live one that somebody

could walk up and plug something into.


More on Two-Factor and Multifactor Authentication Strategies

  • canderson

    Will online authentication ever be free of passwords?

    VIDEO - Will online authentication ever be password-free? The webcast reviews the problems of online authentication and considers a passwordless future.
  • canderson

    John Pescatore: Evasion techniques aiding advanced targeted attacks

    VIDEO - Video: SANS Institute's John Pescatore says though new evasion techniques are aiding advanced targeted attacks, defense matters as much as response.
  • canderson

    Get up to speed on FIDO Alliance efforts to secure online authentication

    VIDEO - In this webcast, expert David Strom reviews what FIDO Alliance efforts mean for online authentication methods.
  • keystroke ID (keystroke identification)

    Definition - The use of an individual's distinctive typing dynamics can be used as a non-intrusive and reliable form of biometric authentication.
  • strong authentication

    Definition - Although it is not a standardized term, with set criteria, strong authentication can be said to be any method of verifying the identity of a user or device that is intrinsically stringent enough to ensure the security of the system it protects by withstanding any attacks it is likely to encounter.
  • Quiz: multifactor authentication

    Quiz - How well do you understand multifactor authentication and the authentication factors that support it? Take our quiz to find out.
  • Words to Go: Multifactor authentication

    Reference - Multifactor authentication is one approach to ensuring that only authorized users have access to resources. Our Words-To-Go glossary provides brief explanations to the essential MFA terminology, with links to our full definitions for more in-depth information.
  • How is Internet authentication changing?

    Quiz - You've reviewed the webcast, tip and podcast. So: Are you ready for the way Internet authentication practices will be changing? Take this quiz and see.

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: