PCI compliance requirement 9: Physical access

Diana Kelley and Ed Moyle of Security Curve review PCI compliance requirement 9: "Restrict physical access to cardholder data." To meet PCI compliance requirement 9, you must:

  • Protect the physical facilities used for processing cardholder data

But what about cameras? Are they essential? Diana and Ed address other common questions related to PCI compliance requirement 9, including how to change a culture that is resistant to badges.

Watch the rest of the PCI compliance videos, which review what each particular requirement calls for.

Editor's note: This video is based on PCI DSS version 1.1. For updated information on the changes in PCI DSS version 1.2, see the following:

Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact editor@searchsecurity.com.

PCI compliance requirement 9: Physical access

Ed Moyle: Welcome back. Just to give you a little bit of an overview as to what we are going to be talking about this time around. We are going to be talking about the PCI requirements themselves. We are going to step through some of the requirements, or actually all of the requirements, and hopefully address the common questions that both of us receive in our various lines of work, then talk a little bit about some of the compensating controls, and what you can do if you cannot meet a requirement or a particular requirement.


The next requirement, Requirement 9: Physical access. In a nutshell, you are just making sure that your physical facilities are protected -- you have physical controls around your facilities. We hear a lot, 'Do we need to use cameras?' Yes, you do; it says specifically in there that you do have to use cameras. A lot of firms, particularly in the SMB, smaller firms, might not necessarily have cameras in place. You need to use them; it is there. 'Our culture is resistant to badges,' that is something we hear a lot too. Unfortunately, it is hard to satisfy the requirements without using a badging system of some type. You can get creative and try to get around it, but the easy way to satisfy that is badges. 'Does it apply to retail locations?' Sometimes, but not usually. 'Do you have to have a guard, a camera, that is on folks as they eat at a fast food joint?' Obviously, that is not the intent of the requirement. The intent is to safeguard the systems that store, process, and transmit the actual cardholder data itself.


Diana Kelley: I like eating when I am guarded. Another thing that Ed was talking about: take a look at whether you can do centralized processing, and where those payment servers are, because you have strong physical access requirements around where the payment servers are and where you are storing the information, not necessarily at the point of sale; so look at centralizing it as much as possible. For your quick hits, again, you want policy, and you want to document. Look at a visitor log going in and out of the data centers where you have got the payment centers, and yes, badges, and yes, cameras for the areas where you actually have the servers.


Ed Moyle: And network jacks. A lot of folks forget the specific requirements for network jacks. If you have an open area and you have a network jack there, just make sure that it is not a live one that somebody could walk up and plug something into.


1 comment

Send me notifications when other members comment.

Please create a username to comment.

If we take a card over the teller line into another room for cash advances off a credit card, should those machines be changed?