PCI requirement 9 is all about physical security.
Did you know that most theft of equipment containing sensitive data occurs in the middle of the day? That’s because it’s easier to steal data when staff is too busy to notice someone walking out of the office with a phone, laptop, or even a server.
PCI DSS Requirement 9 covers all aspects of physical security. Here are a few tips to make sure your physical security is PCI compliant.
See also: 5 Tips to Boost Your Business’s Physical Security
You can’t protect cardholder data if you don’t know where it is. Start by creating an inventory of all systems that store, process, transmit or can affect the security of cardholder data. List applications running on these systems, including version number, so you can stay on top of known vulnerabilities. Identify the physical locations of these systems and who should have access to them.
Servers, firewalls, workstations and laptops are easy to remember, but keep in mind other items that need to be physically protected, such as:
Remember that an inventory is just a snapshot in time. Put in place a method to update the inventory as things change, and track movement of equipment and removable media (such as backups) in and out of your environment.
See also: SecurityMetrics PCI Guide
Once you know what systems you need to protect, put controls for PCI DSS Requirement 9 in place that restrict access to them, like badge readers and keyed locks. Remember that employee access must be authorized and required for the employee’s job function. When visitors need to enter sensitive areas, make sure they are authorized and always escorted by an employee.
See also: Keep Employees on a Need-to-Know Basis: A Look at PCI Requirement 7
It’s important to have a way to identify employees and visitors and tell them apart, such as badges. You also need a way to monitor and log anyone who enters a sensitive area, such as video cameras or badge-reader access logs, and those recordings and logs need to be reviewed and kept for at least three months (the PCI DSS minimum, unless law restricts it).
Make sure you have a way to remove access when a visitor’s stay ends or an employee is terminated. Ensure that all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.
Don’t store sensitive information (like payment card data) out in the open. For example, event-planning companies and caterers might use paper forms that contain customers’ credit card information. In these types of businesses, the card is typically charged and the paper order form is destroyed once the event is over.
If your organization collects credit card info in a similar manner, any paper forms should be designed to keep the card data separate from the rest of the order info, so that the card data section can be removed and securely destroyed as soon as the card is charged, while the rest of the order record is kept.
If your organization has card-reading POS devices used in card-present transactions (e.g. swipe or dip), the PCI DSS includes specific requirements for protecting them:
See also: This video to better understand PCI Requirement 9 and physical data security.
The best way to keep cardholder data secure is not to retain it any longer than is strictly necessary. Define a retention period for each type of media that holds cardholder data, and review the inventory on a schedule so that media is securely destroyed as soon as it is no longer needed.
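As an added example, not code from the article or from SecurityMetrics, the Python below keeps the kind of media inventory the tips above call for: each item has a retention period and a chain-of-custody log for movement in and out of the environment, and a review reports what is overdue for secure destruction and what has been checked out longer than expected. The item IDs, dates, names and the 14-day checkout threshold are constructed for illustration; the PCI DSS does not prescribe these values.

```python
"""Media inventory with retention review and chain of custody.

Added example for illustration only; all records below are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class MediaItem:
    """One piece of media or equipment that holds cardholder data."""
    media_id: str
    description: str
    location: str
    created: date            # date the data on it was captured
    retention_days: int      # business-justified retention period
    destroyed: Optional[date] = None
    custody: list = field(default_factory=list)  # chain-of-custody entries

    def destroy_by(self) -> date:
        """Date from which this media should be securely destroyed."""
        return self.created + timedelta(days=self.retention_days)


def due_for_destruction(inventory, today):
    """Undestroyed media whose retention period has elapsed, oldest first."""
    due = [m for m in inventory if m.destroyed is None and m.destroy_by() <= today]
    return sorted(due, key=lambda m: m.destroy_by())


def record_move(item, when, direction, handler, location):
    """Log media leaving ('out') or re-entering ('in') the environment."""
    if direction not in ("out", "in"):
        raise ValueError("direction must be 'out' or 'in'")
    item.custody.append({"date": when, "direction": direction,
                         "handler": handler, "location": location})
    item.location = location


def record_destruction(item, when, method, witness):
    """Mark media destroyed; the custody log is kept as the audit record."""
    if item.destroyed is not None:
        raise ValueError(f"{item.media_id} already destroyed on {item.destroyed}")
    item.destroyed = when
    item.custody.append({"date": when, "direction": "destroyed",
                         "handler": witness, "location": method})


def checked_out_too_long(inventory, today, max_days_out):
    """Media whose latest custody entry is an 'out' older than max_days_out."""
    late = []
    for m in inventory:
        if m.destroyed is not None or not m.custody:
            continue
        last = m.custody[-1]
        if last["direction"] == "out" and (today - last["date"]).days > max_days_out:
            late.append(m)
    return late


def review(inventory, today, max_days_out=14):
    """The scheduled review: IDs due for destruction and IDs overdue offsite."""
    return {
        "due": [m.media_id for m in due_for_destruction(inventory, today)],
        "late": [m.media_id for m in checked_out_too_long(inventory, today, max_days_out)],
    }


def build_sample_inventory():
    """Constructed sample records (hypothetical IDs, dates and retention periods)."""
    return [
        MediaItem("TAPE-0412", "nightly DB backup tape", "server room", date(2023, 1, 10), 90),
        MediaItem("TAPE-0418", "nightly DB backup tape", "server room", date(2023, 3, 1), 90),
        MediaItem("BOX-07", "paper order forms, card data section", "locked cabinet", date(2023, 2, 15), 30),
        MediaItem("POS-22", "retired POS terminal, storage not yet wiped", "IT closet", date(2022, 11, 5), 0),
    ]


def run_review_sample(today_iso):
    """Apply two constructed custody events to the sample inventory, then review.

    The event dates are fixed regardless of today_iso; they are sample data.
    """
    today = date.fromisoformat(today_iso)
    inventory = build_sample_inventory()
    by_id = {m.media_id: m for m in inventory}
    record_move(by_id["TAPE-0412"], date(2023, 3, 15), "out", "J. Doe", "offsite vault")
    record_destruction(by_id["POS-22"], date(2023, 3, 20), "storage wiped, unit crushed", "A. Smith")
    return review(inventory, today)


if __name__ == "__main__":
    print(run_review_sample("2023-04-01"))
```

Run the review on a schedule (weekly, or whatever your retention policy states) and treat every ID in `due` as a destruction ticket and every ID in `late` as a custody follow-up; the custody log itself is the evidence an assessor will ask for when media has left the site.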
See also: How to Permanently Delete Files with Sensitive Data