9.2 Physical access controls manage entry into facilities and systems containing cardholder data.
This requirement focuses on implementing appropriate physical security controls to restrict access to systems in the cardholder data environment (CDE), preventing unauthorized persons from gaining access to sensitive information or systems.
Sub-requirements:
- 9.2.1 Appropriate facility entry controls are in place to restrict physical access to systems in the CDE.
- 9.2.1.1 Individual physical access to sensitive areas within the CDE is monitored with either video cameras or physical access control mechanisms (or both) as follows:
- 9.2.2 Physical and/or logical controls are implemented to restrict use of publicly accessible network jacks within the facility.
- 9.2.3 Physical access to wireless access points, gateways, networking/communications hardware, and telecommunication lines within the facility is restricted.
- 9.2.4 Access to consoles in sensitive areas is restricted via locking when not in use.
9.2 Physical access to sensitive areas is appropriately restricted and monitored.
Ensure that access to sensitive areas is controlled, monitored, and logged to prevent unauthorized entry.
Frequently Asked Questions
What are sensitive areas?
Any area where cardholder data or systems storing cardholder data are located.
How should physical access be controlled?
Through badge readers, biometric controls, visitor logs, and escort requirements.
How is physical access monitored?
By using surveillance cameras, access logs, and regular audits.
How quickly should access be revoked for terminated personnel?
Immediately upon termination or change of role.
How long should visitor logs be retained?
At least three months, or longer if required by law or policy.
Common QSA Questions
Can you show evidence of physical access controls and monitoring?
Yes, we maintain access logs, surveillance footage, and visitor records.
How is access revoked for terminated or transferred personnel?
Access is removed immediately via automated or manual processes linked to HR notifications.
How are visitor identities verified and tracked?
Visitors are required to present identification, are logged, and must wear distinctive badges.
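The monitoring, revocation and retention answers above describe "regular audits" without showing what one looks like. The following Python script is an added example, not text from PCI DSS or from any particular access-control product: it cross-checks a constructed badge-reader export against a constructed HR termination feed to find entries granted after termination, measures how long revocation lagged, and checks that retained visitor-log entries reach back at least three months. The CSV log format, the shape of the HR feed, the visitor-log entries and all sample values are assumptions made for the example.

```python
"""Audit helpers for physical access evidence.

Added example for this page; it is not PCI DSS text or any vendor's tool.
Assumed (hypothetical) inputs: a CSV badge-reader log with ISO-8601 UTC
timestamps, an HR feed mapping badge ids to termination timestamps, and a
visitor log with entry timestamps.
"""
from datetime import datetime, timedelta

# Constructed sample badge-reader export: timestamp,badge_id,door,result
BADGE_LOG = """\
2024-03-01T08:02:11Z,B1001,DC-EAST-DOOR,GRANTED
2024-03-01T08:05:40Z,B1002,DC-EAST-DOOR,GRANTED
2024-03-02T17:45:03Z,B1002,DC-EAST-DOOR,GRANTED
2024-03-03T09:12:55Z,B1003,SERVER-ROOM,DENIED
2024-03-04T22:30:00Z,B1002,SERVER-ROOM,GRANTED
"""

# Constructed HR feed: badge id -> termination time (UTC)
HR_TERMINATIONS = {"B1002": "2024-03-02T12:00:00Z"}

# Constructed visitor-log entry timestamps (oldest retained entry first)
VISITOR_LOG_ENTRIES = ["2023-11-20T10:00:00Z", "2024-02-14T13:30:00Z"]


def parse_ts(value):
    """Parse the fixed ISO-8601 UTC form used in the sample exports."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_badge_log(text):
    """Turn the CSV export into dicts; malformed lines raise rather than vanish."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(",")
        if len(parts) != 4:
            raise ValueError(f"badge log line {lineno}: expected 4 fields, got {len(parts)}")
        ts, badge, door, result = parts
        events.append({"ts": parse_ts(ts), "badge": badge, "door": door, "result": result})
    return events


def post_termination_access(log_text, terminations):
    """Granted entries by a badge after its HR termination time.

    Any hit is evidence that revocation was not immediate and should be
    reviewed against surveillance footage for the same door and time.
    """
    findings = []
    for ev in parse_badge_log(log_text):
        term = terminations.get(ev["badge"])
        if term is None or ev["result"] != "GRANTED":
            continue
        if ev["ts"] > parse_ts(term):
            findings.append(ev)
    return findings


def revocation_lag_hours(log_text, terminations):
    """Hours from termination to the last granted use of each terminated badge (0.0 if none)."""
    events = parse_badge_log(log_text)
    lag = {}
    for badge, term in terminations.items():
        term_ts = parse_ts(term)
        later = [ev["ts"] for ev in events
                 if ev["badge"] == badge and ev["result"] == "GRANTED" and ev["ts"] > term_ts]
        lag[badge] = (max(later) - term_ts).total_seconds() / 3600 if later else 0.0
    return lag


def visitor_log_retention_ok(entries, now, min_days=90):
    """True if retained visitor entries reach back at least min_days (three months) from now."""
    oldest = min(parse_ts(e) for e in entries)
    return now - oldest >= timedelta(days=min_days)


if __name__ == "__main__":
    for ev in post_termination_access(BADGE_LOG, HR_TERMINATIONS):
        print(f"POST-TERMINATION ENTRY: {ev['badge']} {ev['door']} at {ev['ts']:%Y-%m-%d %H:%M}Z")
    print("revocation lag (hours):", revocation_lag_hours(BADGE_LOG, HR_TERMINATIONS))
    print("visitor log retention ok:",
          visitor_log_retention_ok(VISITOR_LOG_ENTRIES, parse_ts("2024-03-05T00:00:00Z")))
```

Run against real exports, the first two functions give the evidence a QSA asks for on revocation (the list of post-termination entries should be empty, and the lag should be zero), while the third gives a quick check that the visitor log has not been purged inside the three-month window.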