PCI compliance requirement 9: Physical access

Date: Jun 01, 2009

Diana Kelley and Ed Moyle of Security Curve review PCI compliance requirement 9: "Restrict physical access to cardholder data." To meet PCI compliance requirement 9, you must:

  • Protect the physical facilities used for processing cardholder data

But what about cameras? Are they essential? Diana and Ed address other common questions related to PCI compliance requirement 9, including how to change a culture that is resistant to badges.

Editor's note: This video is based on PCI DSS version 1.1 and does not reflect the changes introduced in PCI DSS version 1.2.

Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact editor@searchsecurity.com.  

PCI compliance requirement 9: Physical access

Ed Moyle: Welcome back. Just to give you a little bit of an overview as to what we are going to be talking about this time around: we are going to be talking about the PCI requirements themselves. We are going to step through some of the requirements, or actually all of the requirements, and hopefully address the common questions that both of us receive in our various lines of work, then talk a little bit about some of the compensating controls, and what you can do if you cannot meet a requirement or a particular requirement.


The next requirement, Requirement 9: Physical access. In a nutshell, you are just making sure that your physical facilities are protected -- you have physical controls around your facilities. We hear a lot, 'Do we need to use cameras?' Yes, you do; it says specifically in there that you do have to use cameras. A lot of firms, particularly in the SMB, smaller firms, might not necessarily have cameras in place. You need to use them; it is there. 'Our culture is resistant to badges,' that is something we hear a lot too. Unfortunately, it is hard to satisfy the requirements without using a badging system of some type. You can get creative and try to get around it, but the easy way to satisfy that is badges. 'Does it apply to retail locations?' Sometimes, but not usually. 'Do you have to have a guard, a camera, that is on folks as they eat at a fast food joint?' Obviously, that is not the intent of the requirement. The intent is to safeguard the systems that store, process, and transmit the actual cardholder data itself.


Diana Kelley: I like eating when I am guarded. Another thing that Ed was talking about: take a look at whether you can do centralized processing, and where those payment servers are, because you have strong physical access requirements around where the payment servers are and where you are storing the information, not necessarily at the point of sale, so look at centralizing it as much as possible. For your quick hits, again, you want policy, and you want to document. Look at a visitor log going in and out of the data centers where you have got the payment centers, and yes, badges, and yes, cameras for the areas where you actually have the servers.


Ed Moyle: And network jacks. A lot of folks forget the specific requirements for network jacks. If you have an open area and you have a network jack there, just make sure that it is not a live one that somebody could walk up and plug something into.
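The network-jack point at the end of the transcript is the one place in this requirement that is enforced in configuration rather than with doors, badges and cameras. The fragment below is an added example (it is not from the video, from Security Curve or from the PCI Security Standards Council) of how an access switch is typically configured so that a wall jack in an open area is not "live" to a walk-up device. Cisco IOS syntax is assumed; the interface ranges and VLAN numbers are illustrative placeholders, not values from the page.

```cisco
! Added example, not from the original page. Cisco IOS access-switch fragment
! that keeps public-area wall jacks from being usable by an unknown device.
! Interface numbers and VLAN IDs are assumptions chosen for illustration.

! 1. Jacks that are not in use: administratively down AND parked in an
!    unrouted "black hole" VLAN, so a port re-enabled by mistake still
!    reaches nothing on the cardholder data network.
vlan 999
 name BLACKHOLE-UNUSED
!
interface range GigabitEthernet1/0/25 - 48
 description UNUSED - disabled per physical access policy (PCI DSS Req 9)
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
!
! 2. Jacks that must stay live in a semi-public area (a POS terminal, say):
!    lock the port to the single device that is supposed to be on it and
!    err-disable the port if anything else shows up.
interface GigabitEthernet1/0/10
 description POS terminal - public-area jack
 switchport mode access
 switchport access vlan 120
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 no shutdown
!
! 3. Recover a violated port automatically after 5 minutes so a legitimate
!    terminal swap is not an outage, while the violation is still logged.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

Two caveats a practitioner would want alongside this. First, `show interfaces status` and `show port-security interface GigabitEthernet1/0/10` are the checks that confirm the configuration took effect; an assessor will want the first command's output to show every unused port as disabled, not merely unplugged. Second, port security binds a port to a MAC address, which is not a secret: someone who unplugs the terminal can clone its address, so where the area is genuinely public, 802.1X authentication of the device is the stronger control and port security is the fallback. Either way this is a supporting control for Requirement 9, not a replacement for the badges, cameras and visitor log discussed above.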

