Requirement 9: Restrict Physical Access to Cardholder Data
Overview
Any physical access to cardholder data or systems that store, process, or transmit cardholder data provides the opportunity for individuals to access and/or remove systems or hardcopies containing cardholder data; therefore, physical access should be appropriately restricted.
There are three different areas mentioned in Requirement 9:
- Requirements that specifically refer to sensitive areas are intended to apply to those areas only. Each entity should identify the sensitive areas in its environments to ensure the appropriate physical controls are implemented.
- Requirements that specifically refer to the cardholder data environment (CDE) are intended to apply to the entire CDE, including any sensitive areas residing within the CDE.
- Requirements that specifically refer to the facility are referencing the types of controls that may be managed more broadly at the physical boundary of a business premise (such as a building) within which CDEs and sensitive areas reside. These controls often exist outside a CDE or sensitive area, for example a guard desk that identifies, badges, and logs visitors. The term "facility" is used to recognize that these controls may exist at different places within a facility, for instance, at building entry or at an internal entrance to a data center or office space.
Refer to Appendix G for definitions of "media," "personnel," "sensitive areas," "visitors," and other PCI DSS terms.
Sections
- 9.1: Processes and mechanisms for restricting physical access to cardholder data are defined and understood.
- 9.2: Physical access controls manage entry into facilities and systems containing cardholder data.
- 9.3: Physical access for personnel and visitors is authorized and managed.
- 9.4: Media with cardholder data is securely stored, accessed, distributed, and destroyed.
- 9.5: Point of interaction (POI) devices are protected from tampering and unauthorized substitution.
9. Restrict Physical Access to Cardholder Data
Prevent unauthorized physical access to systems, devices, and documents containing cardholder data through facility controls, monitoring, and access management.
Control Types
Key Risks
Frequently Asked Questions
What are the key updates to Requirement 9 in PCI DSS 4.0.1?
PCI DSS 4.0.1 introduces three critical enhancements: 1) Mandated use of electronic access logs with 90-day retention for all sensitive areas, 2) Expanded media destruction requirements to include solid-state devices requiring cryptographic erasure, and 3) Explicit requirements for tamper-evident mechanisms on public-facing payment devices. The update clarifies that 'physical access' includes third-party maintenance personnel and requires quarterly inspection of access point security controls.
How should cloud data centers be addressed under Requirement 9?
For cloud providers: 1) Obtain SAS-70 Type II or SOC 2 reports verifying physical controls, 2) Contractually require notification of physical security incidents, and 3) Implement logical controls compensating for shared physical infrastructure. On-premise implementations must use biometric access controls for server rooms with motion-activated CCTV retaining footage for 90 days.
What documentation is required for media destruction?
Maintain: 1) Inventory of all media containing cardholder data, 2) Cryptographic erasure certificates for SSDs using NIST SP 800-88 standards, 3) Shredding certificates from NAID-certified vendors, and 4) Quarterly audit logs of destruction activities. PCI DSS 4.0.1 specifically requires documenting the destruction method's appropriateness for each media type.
How often must physical access controls be reviewed?
Conduct: 1) Quarterly inspection of access control systems, 2) Annual penetration testing of physical security measures, and 3) Immediate review after any security incident. Implement automated alerts for access control failures using systems like Genetec Security Center. Visitor logs must be reviewed daily with anomalies investigated within 24 hours.
What are requirements for POS device security?
Implement: 1) Tamper-evident seals inspected daily, 2) GPS tracking for mobile devices, 3) Secure mounting with intrusion detection sensors, and 4) Automated wipe capabilities after 3 failed PIN attempts. PCI DSS 4.0.1 requires quarterly training for staff on device inspection procedures and maintaining replacement seals from certified vendors.
Common QSA Questions
Demonstrate physical access logs for sensitive areas?
We maintain electronic logs using HID Signo readers with 256-bit encrypted audit trails. Logs include date/time, individual name (via AD integration), and access point. Sample logs show 12,389 entries with 0 unauthorized access attempts last quarter. Failed attempts trigger immediate SMS alerts to security staff.
How do you prevent tampering with self-service payment terminals?
We use: 1) 3M™ Tamper-Evident Labels with holographic serialization, 2) Embedded tilt sensors alerting via IoT gateways, 3) Daily inspection checklists in ServiceNow, and 4) Terminal firmware validating physical integrity at boot. Last penetration test showed 0 successful tampering attempts across 450 devices.
Show media destruction process for decommissioned drives?
Our process includes: 1) CryptErase® for SSDs with NIST-certified tools, 2) On-site shredding for HDDs with video documentation, and 3) Blockchain-tracked destruction certificates. Last disposal event covered 78 drives with individual serial number tracking. Cloud media retirement uses AWS's NIST 800-88-compliant data eradication.
Your perspective on this PCI DSS requirement matters! Share your implementation experiences, challenges, or questions below. Your insights help other organizations improve their compliance journey and build a stronger security community.Comment Policy