
What is the best way to comply with PCI DSS requirements 9 and 10?

Security management expert Mike Rothman unveils how corporations can get compliant with PCI DSS guidelines, specifically requirements 9 and 10.

Our organization is attempting to deal with requirements 9 and 10 of the Payment Card Industry (PCI) Data Security Standard. Here are a couple of questions we have:
  • To satisfy requirement 9.1.1, would a camera outside of the server room that shows everyone who enters the room (with a date/time stamp) be sufficient, or does the camera need to be fixed on the rack containing the specific servers affected by PCI?
  • To satisfy requirements 9 and 10, do server racks need to be equipped with auditable pin or password-based locks?
Before I delve into specifics, I'll relay what I heard from a few PCI auditors to whom I posed these questions. Their answer was a universal "it depends."

That is the problem with trying to answer a fairly generic question about the PCI DSS. Every auditor has his or her own interpretation of the PCI compliance requirements and, in turn, what suffices for compliance. Thus, I can't answer the question with any level of precision without actually seeing the specific server rooms and understanding the other physical defenses that are in place to protect the servers.

To be clear, PCI DSS requirement 9 requires "appropriate facility entry controls to limit and monitor physical access to systems that store, process, or transmit cardholder data." The most important word in that statement is "appropriate" because that is where all the wiggle room is. What's appropriate tends to be in the eyes of the beholder.

In my opinion, having a camera outside of the server room, which records with an unalterable time stamp who enters and exits the room, and then having sufficiently detailed log records pertaining to changes made on the servers and cardholder data access is enough. But again, that is my opinion.

It's not really practical to try to put a camera on servers that "fall under PCI." With virtualization continuing to proliferate in data centers around the world, an organization can't really be specific anymore relative to what server is doing which tasks. The applications and data that run on a specific physical enclosure can -- and will -- change frequently.

That's why requirements 9 and 10 need to be handled with close coordination. You need to be able to pull log records of server changes and data access. Correlating the log files with physical access and video information can provide a pretty good idea about who did what and when.

Relative to the PIN and/or password-based locks, again the answer depends on each organization's unique situation. Personally, that seems like overkill to me. If I have the servers in a physically secure location and I'm monitoring access to the server room and taking log data from any activity on those servers and the applications that run on the servers, it seems that auditable locks wouldn't add much in terms of meeting PCI requirements.

If I were your auditor, that would be my position. But I'm not, so do what you can and be able to defend your decisions -- whether that's deploying cameras, locks, or any other controls meant to specifically comply with PCI.
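The correlation the answer describes (requirement 10 server logs lined up against requirement 9 entry records) is straightforward to script. The example below is an added illustration, not part of the original answer; the badge-reader and server audit entries are constructed, and the assumption that an entry within the preceding 30 minutes "explains" console activity is a simplification you would tune to your own room (exit events, shift lengths).

```python
"""Attribute server-room activity (PCI DSS req. 10 audit events) to people
recorded entering the room (req. 9 badge/camera log).  All data is constructed."""
from datetime import datetime, timedelta

# Constructed badge-reader log: (door, entry time, badge holder)
ENTRY_LOG = [
    ("server-room-A", "2007-12-03 09:02:11", "jdoe"),
    ("server-room-A", "2007-12-03 09:40:55", "asmith"),
    ("server-room-A", "2007-12-03 14:15:03", "jdoe"),
]

# Constructed server audit log: (host, event time, account, action)
SERVER_LOG = [
    ("db01", "2007-12-03 09:05:40", "root", "modified /etc/pam.d/login"),
    ("db01", "2007-12-03 11:30:02", "appsvc", "SELECT cardholder (200 rows)"),
    ("db01", "2007-12-03 14:16:30", "root", "stopped auditd"),
]

FMT = "%Y-%m-%d %H:%M:%S"


def correlate(entries, events, window=timedelta(minutes=30)):
    """For each server event, list badge holders who entered the room within
    `window` before it.  An empty list means no physical entry explains the
    activity (remote session, shared account, or a gap in entry logging)."""
    parsed = [(datetime.strptime(t, FMT), who) for _, t, who in entries]
    rows = []
    for host, t, account, action in events:
        ts = datetime.strptime(t, FMT)
        present = sorted({who for et, who in parsed
                          if timedelta(0) <= ts - et <= window})
        rows.append({"time": t, "host": host, "account": account,
                     "action": action, "present": present})
    return rows


def unexplained(rows):
    """Events with no matching entry: these need another evidence source
    (VPN/SSH logs, change tickets) before an auditor will accept them."""
    return [r for r in rows if not r["present"]]


if __name__ == "__main__":
    for r in correlate(ENTRY_LOG, SERVER_LOG):
        print(r["time"], r["host"], r["account"], r["action"],
              "->", r["present"] or "NO PHYSICAL ENTRY IN WINDOW")
```

The 11:30 cardholder-data query has no entry in the window, which is exactly the kind of event the answer says you must still be able to account for.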

For more information:

  • In this tip, John Kindervag dispels the five biggest misunderstandings about PCI DSS.
  • Learn what to do if your corporation has missed the PCI DSS deadline.

This was last published in December 2007
