9.2.1 Appropriate facility entry controls are in place to restrict physical access to systems in the CDE.
Defined Approach Requirements
9.2.1 Appropriate facility entry controls are in place to restrict physical access to systems in the CDE.
Defined Approach Testing Procedures
9.2.1 Observe entry controls and interview responsible personnel to verify that physical security controls are in place to restrict access to systems in the CDE.
Purpose
Without physical access controls, unauthorized persons could potentially gain access to the CDE and sensitive information, or could alter system configurations, introduce vulnerabilities into the network, or destroy or steal equipment. Therefore, the purpose of this requirement is that physical access to the CDE is controlled via physical security controls such as badge readers or other mechanisms such as lock and key.
Customized Approach Objective
System components in the CDE cannot be physically accessed by unauthorized personnel.
Applicability Notes
This requirement does not apply to locations that are publicly accessible by consumers (cardholders).
Good Practice
Whichever mechanism meets this requirement, it must be sufficient for the organization to verify that only authorized personnel are granted access.
Examples
Facility entry controls include physical security controls at each computer room, data center, and other physical areas with systems in the CDE. They can also include badge readers or other devices that manage physical access controls, such as lock and key together with a current list of all individuals holding the keys.
Sub-Requirements
Purpose
Implement appropriate facility entry controls to limit and monitor physical access to systems in the CDE.
Compliance Strategies
- Badge readers
- Biometric access
- CCTV
Typical Policies
- Facility Access Policy
- Badge Management Procedures
Common Pitfalls
- Propped-open doors
- Tailgating
Type
Physical Control
Difficulty
Moderate
Key Risks
- Unauthorized access to CDE
Recommendations
- Deploy anti-tailgating turnstiles
Eligible SAQ
- SAQ-A-EP
- SAQ-C
- SAQ-C-VT
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER