PCI compliance requirement 9: Physical access

Date: Jun 01, 2009

Diana Kelley and Ed Moyle of Security Curve review PCI compliance requirement 9: "Restrict physical access to cardholder data." To meet PCI compliance requirement 9, you must:

  • Protect the physical facilities used for processing cardholder data

But what about cameras? Are they essential? Diana and Ed address other common questions related to PCI compliance requirement 9, including how to change a culture that is resistant to badges.

Watch the rest of the PCI compliance videos, which review what each particular requirement calls for.

Editor's note: This video is based on PCI DSS version 1.1. For updated information on the changes in PCI DSS version 1.2, see the following:

Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact editor@searchsecurity.com.

PCI compliance requirement 9: Physical access

Ed Moyle: Welcome back. Just to give you a little bit of an overview as to what we are going to be talking about this time around. We are going to be talking about the PCI requirements themselves. We are going to step through some of the requirements, or actually all of the requirements, and hopefully address the common questions that both of us receive in our various lines of work, then talk a little bit about some of the compensating controls, and what you can do if you cannot meet a requirement or a particular requirement.

The next requirement, Requirement 9: Physical access: In a nutshell, you are just making sure that your physical facilities are protected -- you have physical controls around your facilities. We hear a lot, 'Do we need to use cameras?' Yes, you do; it says specifically in there that you do have to use cameras. A lot of firms, particularly in the SMB, smaller firms, might not necessarily have cameras in place. You need to use them, it is there. 'Our culture is resistant to badges,' that is something we hear a lot too. Unfortunately, it is hard to satisfy the requirements without using a badging system of some type. You can get creative and try to get around it, but the easy way to satisfy that is badges. 'Does it apply to retail locations?' Sometimes, but not usually. 'Do you have to have a guard, a camera, that is on folks as they eat at a fast food joint?' Obviously, that is not the intent of the requirement. The intent is to safeguard the systems that store, process, and transmit the actual cardholder data itself.

Diana Kelley: I like eating when I am guarded. Another thing that Ed was talking about: take a look at, can you do centralized processing and where those payment servers are, because that is going to, you have that physical access, strong physical access requirements around where the payment servers are and where you are storing the information, not necessarily at the point of sale, so look at centralizing it as much as possible. For your quick hits, again, you want policy, and you want to document. Look at a visitor log going in and out of the data centers where you have got the payment centers, and yes, badges, and yes, cameras for the areas where you actually have the servers.

Ed Moyle: And network jacks. A lot of folks forget the specific requirements for network jacks. If you have an open area and you have a network jack there, just make sure that it is not a live one that somebody could walk up and plug something into.

