Skip to main content

💼 9 Restrict Physical Access to Cardholder Data

Contextual name: 💼 9 Restrict Physical Access to Cardholder Data
ID: /frameworks/pci-dss-v4.0/09
Located in: 💼 PCI DSS v4.0

Description

Empty...

Similar

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 9.1 Processes and mechanisms for restricting physical access to cardholder data are defined and understood.	2
💼 9.1.1 All security policies and operational procedures identified in Requirement 9 are documented, kept up to date, in use, and known to all affected parties.
💼 9.1.2 Roles and responsibilities for performing activities in Requirement 9 are documented, assigned, and understood.
💼 9.2 Physical access controls manage entry into facilities and systems containing cardholder data.	4
💼 9.2.1 Appropriate facility entry controls are in place to restrict physical access to systems in the CDE.	1
💼 9.2.1.1 Individual physical access to sensitive areas within the CDE is monitored with either video cameras or physical access control mechanisms.
💼 9.2.2 Physical and/or logical controls are implemented to restrict use of publicly accessible network jacks within the facility.
💼 9.2.3 Physical access to wireless access points, gateways, networking/communications hardware, and telecommunication lines within the facility is restricted.
💼 9.2.4 Access to consoles in sensitive areas is restricted via locking when not in use.
💼 9.3 Physical access for personnel and visitors is authorized and managed.	4
💼 9.3.1 Procedures are implemented for authorizing and managing physical access of personnel to the CDE.	1
💼 9.3.1.1 Physical access to sensitive areas within the CDE for personnel is controlled.
💼 9.3.2 Procedures are implemented for authorizing and managing visitor access to the CDE.
💼 9.3.3 Visitor badges or identification are surrendered or deactivated before visitors leave the facility or at the date of expiration.
💼 9.3.4 A visitor log is used to maintain a physical record of visitor activity within the facility and within sensitive areas.
💼 9.4 Media with cardholder data is securely stored, accessed, distributed, and destroyed.	7
💼 9.4.1 All media with cardholder data is physically secured.	2
💼 9.4.1.1 Offline media backups with cardholder data are stored in a secure location.
💼 9.4.1.2 The security of the offline media backup location(s) with cardholder data is reviewed at least once every 12 months.
💼 9.4.2 All media with cardholder data is classified in accordance with the sensitivity of the data.
💼 9.4.3 Media with cardholder data sent outside the facility is secured.
💼 9.4.4 Management approves all media with cardholder data that is moved outside the facility.
💼 9.4.5 Inventory logs of all electronic media with cardholder data are maintained.	1
💼 9.4.5.1 Inventories of electronic media with cardholder data are conducted at least once every 12 months.
💼 9.4.6 Hard-copy materials with cardholder data are destroyed when no longer needed for business or legal reasons.
💼 9.4.7 Electronic media with cardholder data is destroyed when no longer needed for business or legal reasons.
💼 9.5 Point of interaction (POI) devices are protected from tampering and unauthorized substitution.	1
💼 9.5.1 POI devices that capture payment card data via direct physical interaction with the payment card form factor are protected from tampering and unauthorized substitution.	3
💼 9.5.1.1 An up-to-date list of POI devices is maintained.
💼 9.5.1.2 POI device surfaces are periodically inspected to detect tampering and unauthorized substitution.	1
💼 9.5.1.2.1 The frequency of periodic POI device inspections and the type of inspections performed is defined in the entity's targeted risk analysis.
💼 9.5.1.3 Training is provided for personnel in POI environments to be aware of attempted tampering or replacement of POI devices.

Description
Similar
Sub Sections