- **9.1** Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment. (3 sub-requirements)
    - **9.1.1** Use either video cameras or access control mechanisms (or both) to monitor individual physical access to sensitive areas.
    - **9.1.2** Implement physical and/or logical controls to restrict access to publicly accessible network jacks.
    - **9.1.3** Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines.
- **9.2** Develop procedures to easily distinguish between onsite personnel and visitors.
- **9.3** Control physical access for onsite personnel to sensitive areas.
- **9.4** Implement procedures to identify and authorize visitors. (4 sub-requirements)
    - **9.4.1** Visitors are authorized before entering, and escorted at all times within, areas where cardholder data is processed or maintained.
    - **9.4.2** Visitors are identified and given a badge or other identification that expires and that visibly distinguishes the visitors from onsite personnel.
    - **9.4.3** Visitors are asked to surrender the badge or identification before leaving the facility or at the date of expiration.
    - **9.4.4** A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted.
- **9.5** Physically secure all media. (1 sub-requirement)
    - **9.5.1** Store media backups in a secure location, preferably an off-site facility.
- **9.6** Maintain strict control over the internal or external distribution of any kind of media. (3 sub-requirements)
    - **9.6.1** Classify media so the sensitivity of the data can be determined.
    - **9.6.2** Send the media by secured courier or other delivery method that can be accurately tracked.
    - **9.6.3** Ensure management approves any and all media that is moved from a secured area.
- **9.7** Maintain strict control over the storage and accessibility of media. (1 sub-requirement)
    - **9.7.1** Properly maintain inventory logs of all media and conduct media inventories at least annually.
- **9.8** Destroy media when it is no longer needed for business or legal reasons. (2 sub-requirements)
    - **9.8.1** Shred, incinerate, or pulp hard-copy materials so that cardholder data cannot be reconstructed.
    - **9.8.2** Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.
- **9.9** Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution. (3 sub-requirements)
    - **9.9.1** Maintain an up-to-date list of devices.
    - **9.9.2** Periodically inspect device surfaces to detect tampering or substitution.
    - **9.9.3** Provide training for personnel to be aware of attempted tampering or replacement of devices.
- **9.10** Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.