9.2.3 Physical access to wireless access points, gateways, networking/communications hardware, and telecommunication lines within the facility is restricted.
Defined Approach Requirements
9.2.3 Physical access to wireless access points, gateways, networking/communications hardware, and telecommunication lines within the facility is restricted.
Customized Approach Objective
Physical networking equipment cannot be accessed by unauthorized personnel.
Defined Approach Testing Procedures
9.2.3 Interview responsible personnel and observe locations of hardware and lines to verify that physical access to wireless access points, gateways, networking/communications hardware, and telecommunication lines within the facility is restricted.
Purpose
Without appropriate physical security over access to wireless components and devices, and computer networking and telecommunications equipment and lines, malicious users could gain access to the entity's network resources. Additionally, they could connect their own devices to the network to gain unauthorized access to the CDE or systems connected to the CDE.
Additionally, securing networking and communications hardware prevents malicious users from intercepting network traffic or physically connecting their own devices to wired network resources.
purpose
Retain visitor logs for at least three months unless otherwise restricted by law.
compliance strategies
- Automated visitor log retention
- Periodic log review
typical policies
- Visitor Log Retention Policy
common pitfalls
- Logs not retained
- Manual logs lost
type
Documentation/Process Control
difficulty
Low
key risks
- Lack of audit trail for incidents
recommendations
- Automate log retention with digital systems
Eligible SAQ
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER