PCI DSS Requirement 9: Restrict Physical Access to Cardholder Data

While many organizations may prioritize the digital security measures needed to protect cardholder data, physical securities shouldn’t be forgotten. All physical access to cardholder data (or systems that interact with it) must be restricted to ensure the integrity of the data.

Any person with access to systems that store, process, or transmit cardholder data has the opportunity to alter configurations, introduce vulnerabilities, or even destroy equipment. Therefore, maintaining strict logs of who accesses which systems and secure locations, at all times, will help prevent nefarious actions and identify responsible parties should a breach occur.

For additional details on all 12 of the Requirements, read our PCI DSS Requirements overview.

Requirement 9 Details and Sections

Requirement 9 contains five sections that detail the means of securing physical access to systems.

Detailed requirement sections include:

• Requirement 9.1: Processes and mechanisms for restricting physical access to cardholder data are defined and understood.
• Requirement 9.2: Physical access controls manage entry into facilities and systems containing cardholder data.
• Requirement 9.3: Physical access for personnel and visitors is authorized and managed.
• Requirement 9.4: Media with cardholder data is securely stored, accessed, distributed, and destroyed.
• Requirement 9.5: Point of interaction (POI) devices are protected from tampering and unauthorized substitution. 

Requirement 9.1: Processes and mechanisms for restricting physical access to cardholder data are defined and understood.

Like other requirements found in PCI DSS 4.0, the first section of the requirement - 9.1 - explains the importance of creating and maintaining policies for adherence. These processes must be constantly monitored and updated whenever required, and all involved personnel must understand their responsibilities.

Detailed requirement sections include:

• Requirement 9.1.1: All security policies and operational procedures that are identified in Requirement 9 are documented, up-to-date, in use, and known to all affected parties.
• Requirement 9.1.2: Roles and responsibilities for performing activities in Requirement 9 are documented, assigned, and understood. 

Requirement 9.2: Physical access controls manage entry into facilities and systems containing cardholder data.

Without physical access controls, unauthorized individuals could gain access to the CDE and sensitive information, or could alter system configurations, introduce vulnerabilities into the network, or destroy or steal equipment. Therefore, this requirement outlines how physical access to the CDE is controlled via physical security controls such as badge readers or other mechanisms such as lock and key. 

Specifically, maintaining details of individuals entering and exiting sensitive areas can help with investigations by identifying anyone that physically accessed the sensitive areas, as well as when they entered and exited. 

Detailed requirement sections include:

• Requirement 9.2.1: Appropriate facility entry controls are in place to restrict physical access to systems in the CDE. 
  • Requirement 9.2.1.1: Individual physical access to sensitive areas within the CDE is monitored with video cameras, physical access control mechanisms, or both as follows:
    • Entry and exit points to/from sensitive areas within the CDE are monitored.
    • Monitoring devices are protected from tampering or disabling.
    • Collected data is reviewed and correlated with other entries.
    • Collected data is stored for at least three months, unless otherwise restricted by law. 
• Requirement 9.2.2: Physical and/or logical controls are implemented to restrict use of publicly accessible network jacks within the facility.
• Requirement 9.2.3: Physical access to wireless access points, gateways, networking hardware, and telecommunication lines within the facility is restricted.
• Requirement 9.2.4: Access to consoles in sensitive areas is restricted via locking when not in use.
  
  

Requirement 9.3: Physical access for personnel and visitors is authorized and managed.

Individuals’ access to sensitive cardholder data should be restricted, reviewed frequently, and updated as necessary - for instance, access is revoked for terminated personnel. Devices used to authenticate access to such physical locations should easily distinguish and identify the individual using them, and should be surrendered and deactivated upon termination. 

Detailed requirement sections include:

• Requirement 9.3.1: Procedures are implemented for authorizing and managing physical access of personnel to the CDE, including:
  • Identifying personnel.
  • Managing changes to an individual’s physical access requirements.
  • Revoking or terminating personnel identification.
  • Limiting access to the identification process or system to authorized personnel. 
• Requirement 9.3.1.1: Physical access to sensitive areas within the CDE for personnel is controlled as follows:
  • Access is authorized and based on individual job function.
  • Access is revoked immediately upon termination.
  • All physical access mechanisms, such as keys, access cards, etc., are returned or disabled upon termination. 
• Requirement 9.3.2: Procedures are implemented for authorizing and managing visitor access to the CDE, including:
  • Visitors are authorized before entering.
  • Visitors are escorted at all times.
  • Visitors are clearly identified and given a badge or other identification that expires.
  • Visitor badges or other identification visibly distinguishes visitors from personnel. 
• Requirement 9.3.3: Visitor badges or identification are surrendered or deactivated before visitors leave the facility, or at the date of expiration. 

Requirement 9.4: Media with cardholder data is securely stored, accessed, distributed, and destroyed.

Companies should always destroy information on electronic devices when no longer needed, both from a hygiene and a security standpoint. Likewise, any facility where devices contain sensitive cardholder data should be appropriately secured and provide designated secured locations for such devices.

Detailed requirement sections include:

• Requirement 9.4.1: All media with cardholder data is physically secured. 
  • Requirement 9.4.1.1: Offline media backups with cardholder data are stored in a secure location. 
  • Requirement 9.4.1.2: The security of the offline media backup location(s) with cardholder data is reviewed at least once every 12 months.
• Requirement 9.4.2: All media with cardholder data is classified in accordance with the sensitivity of the data. 
• Requirement 9.4.3: Media with cardholder data sent outside the facility is secured as follows:
  • Media sent outside the facility is logged.
  • Media is sent by secured courier or other delivery method that can be accurately tracked.
  • Offsite tracking logs include details about media location. 
• Requirement 9.4.4: Management approves all media with cardholder data that is moved outside the facility.
• Requirement 9.4.5: Maintain Inventory logs of all electronic media with cardholder data.
  • Requirement 9.4.5.1: Inventories of electronic media with cardholder data are conducted at least every 12 months. 
• Requirement 9.4.6: Hard copy materials with cardholder data are destroyed when no longer needed for business or legal reasons, as follows:
  • Materials are cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed.
  • Materials are stored in secure storage containers prior to destruction.

• Requirement 9.4.7: Electronic media with cardholder data is destroyed when no longer needed for business or legal reasons and the cardholder data is rendered unrecoverable so that it cannot be reconstructed.

Requirement 9.5: Point of interaction (POI) devices are protected from tampering and unauthorized substitution. 

Regular inspections of external devices will help organizations detect tampering more quickly and will create opportunities for these organizations to minimize the potential impact that could be inflicted. This is especially important when a device has been accessed by a third party for maintenance or repair, as such devices could be at higher risk of compromise.

Detailed requirement sections include:

• Requirement 9.5.1: POI devices that capture payment card data via direct physical interaction with the payment card form factor are protected from tampering and unauthorized substitution, including:
  • Maintaining a list of POI devices.
  • Periodically inspecting POI devices to look for tampering or unauthorized substitution.
  • Training personnel to be aware of suspicious behavior and to report tampering or unauthorized substitution of devices.
  • Requirement 9.5.1.1: An up-to-date list of POI devices is maintained, including make and model, location, and serial number of the device.
  • Requirement 9.5.1.2: POI device surfaces are periodically inspected to detect tampering and unauthorized substitution.
    • Requirement 9.5.1.2.1: The frequency of periodic POI device inspections and the type of inspections performed is defined in the entity’s targeted risk analysis.
• Requirement 9.5.1.3: Training is provided for personnel in POI environments to be aware of attempted tampering or replacement of POI devices, and includes:
  • Verifying the identity of any third-party persons claiming to be repair personnel before granting them access to modify or troubleshoot devices.
  • Procedures to ensure devices are not installed, replaced, or returned without verification.
  • Being aware of suspicious behavior around devices.
  • Reporting suspicious behavior and indications of device tampering or substitution to appropriate personnel. 

How Basis Theory can help you Satisfy PCI DSS Requirement 9

Securing cardholder data in a CDE satisfies many PCI DSS requirements and provides companies greater control and flexibility over their payment stack. However, building and maintaining the necessary infrastructure and programs can require hundreds of thousands of dollars and months to implement and assess. Basis Theory provides the platform, infrastructure, and tools to secure cardholder data in minutes and without these costs and distractions.

As a PCI Level 1 compliant service provider, Basis Theory extends an independently assessed and approved CDE to customers. Combined with a suite of configurable tools, services, and tokens, companies can collect, secure, and share credit cards without bringing their systems into scope. This approach allows companies to avoid the costs and distractions associated with 95% of the requirements in the Payment Card Industry Data Security Standard (PCI DSS) while retaining complete control over their cardholder data.

*PCI DSS Requirement information contained in this post is for educational purposes only and references material from the guide "Payment Card Industry Data Security Standard: Requirements and Testing Procedures, v4.0" published by the PCI SSC in March 2022. Please refer to the PCI Security Standards Council website for the complete, up-to-date, accurate requirements.