PCI Requirement 9 – Lock the Doors and Don’t Forget the Windows Too!

This is the ninth blog in a 12-part series addressing each PCI DSS Requirement and the challenges faced by companies going through this process. To view the previous posts in this series, click on the appropriate links below:  

PCI Requirement 1 - Defending the Wall

PCI Requirement 2 - Change Your Defaults!

PCI Requirement 3 - Don't Store Cardholder Data!

PCI Requirement 4 - Hide in Plain Sight!

PCI Requirement 5 - Update and Scan

PCI Requirement 6 - Patches and Scanning and Coding, Oh My!!

PCI Requirement 7 - Thou Shall Not Pass!

PCI Requirement 8 - Identify, Authenticate, and Authorize

PCI Requirement 9 - Restrict Physical Access to Cardholder Data

Requirement 9 continues to build on the access control portion of your PCI program. This time the requirement covers the physical security portion. This requirement, humbly speaking, is becoming less and less of a hassle for company’s as they take their IT strategy and push for cloud services such as AWS, Azure, etc. The build-out of a co-location can help meet this requirement as the physical controls at a data center will most likely be much more robust than an office or in-house server closet.

Requirement 9 highlights some areas that tend to be overlooked in smaller businesses such as visitor logs and visitor badges. You must ensure that visitors to your facility, especially if they are going into the CDE area, have badges clearly identifying them and escort that person. No matter how much you trust or even know the person, do not leave them unattended in your CDE area.

Companies that require PCI Compliance face some familiar challenges within requirement 9:

1. Investing in the Proper Physical Controls Protecting the Physical CDE - This can be very costly if you must renovate or update a rented part of an office to house the technology.
2. Video Cameras and the Storage of Video Recordings for 90 Days - As cameras become more common this will be less of a cost to the business. There are numerous types of camera systems on the market lately to meet this need.
3. Store Media Backups in Secure, Preferably Offsite Area - Again, another cost to the business for storage but there are ways like fireproof cabinets in different locations or offices that can meet this need. DON’T FORGET TO ENCRYPT…. if the media leaves your hands or office ensure the data is encrypted!!

Compass is well versed in the PCI compliance space and can help your company with a risk assessment to determine what you need to do to comply with PCI.

These challenges are just some of the areas within the PCI DSS requirements that many of our client’s face. Another area where our client’s experience challenges is keeping track of the various requirements that must be completed on a quarterly, semi-annual, and annual basis for PCI Compliance. Therefore, Compass IT Compliance has created our PCI Compliance checklist, one for service providers and one for merchants. This simple, easy to use checklist gives you the PCI requirements, what you must do to achieve/maintain compliance, and how often you need to complete each requirement. To download your copy today, click on the button below!