Requirement 9: Restrict physical access to cardholder data

  • This requirement stipulates that organizations must restrict physical access to all systems within the PCI DSS scope and all hard copies of CHD.

  • Figure 22. Global state of PCI DSS compliance: Requirement 9

  • Full compliance: Requirement 9 improved modestly, from 81.2% to 85.0%, its highest full-compliance level in more than five years.

    Control gap: The control gap narrowed substantially, from 8.1% to 2.9% of controls found not in place during interim compliance validation.

    Compensating controls: 1.7% of organizations applied one or more compensating controls. Although the use of compensating controls under Requirement 9 remains very low, this is the highest level in more than five years.

  • Figure 23. Requirement 9 control performance

  • The overall sustainability of controls under Requirement 9 remains good. Control 9.4 (Procedures to identify and authorize visitors) and Control 9.10 (Documented policy restricting physical access to CHD) rank lowest in performance. Control 9.4 also has the highest control gap of all controls under this requirement.

    • A tip on sustainable control effectiveness

      Organizations that have difficulty establishing point-of-interaction (POI) device tamper-check procedures, or providing adequate personnel training for them, should use the PCI SSC Skimming Prevention guidance document to support the development of effective training, and should make tamper checking part of existing start-of-day or end-of-day processes.

  • Requirement 9: Restrict physical access to cardholder data

    The goal

    The goal of PCI DSS Key Requirement 9 is to protect payment card account data by maintaining a sustainable capability to restrict physical access to sensitive facilities, systems and any component that contains CHD (such as hard copies) across the CDE to authorized individuals only, and to prevent, detect and respond to access attempts by unauthorized individuals.

    This goal includes complete integration with all related PCI DSS Key Requirements to establish an effective, integrated series of control systems, and the development and ongoing improvement of all related capabilities, processes, documentation, tools and training needed to achieve < Quantitatively managed/Optimized > maturity of this key requirement by < insert date >.

    Goal applicability and scope considerations

    • Scope—CHD components: All IT components, desktop and mobile computers, storage devices (external hard drives, backups, etc.), paper records, POS devices, and electronic audio recordings that contain payment card account data, as well as components that can access such systems and the facilities in which they reside
    • Scope—security components: Network security components (routers, firewalls, logging and monitoring, access control, and authentication systems), wireless access points, network jacks, telecommunication lines, badge readers, key entry locks, CCTV cameras and recording systems

    Goal requirements:

    Some of the primary conditions necessary to achieve the goal

    • Capability—inventory management: Create and actively maintain a complete and accurate inventory of all systems that store, process and transmit account data or can affect the security of account data. Identify the physical locations of these systems and all individuals authorized to access them, and also list applications running on these systems, including version number, to stay on top of known vulnerabilities
    • Capability—automate: Implement an application to support and automate the maintenance of an up-to-date list of all devices—including physical location, serial numbers and make/model—and integrate HR and IT processes to remain synchronized with staff, network and system component changes. This includes the classification, logging and management of all CHD-related media in accordance with the sensitivity of the data
    • Competence—procedures: All relevant frontline staff must be able to detect suspicious activity around payment devices; verification procedures must exist for any third party requesting physical access to a CHD component such as a POS device, server or wireless device; and staff must be able to inspect POS devices effectively and consistently to confirm they haven't been tampered with, with enough training to be proficient at verifying that serial numbers match the inventory and at detecting compromised security seals
    • Documentation and processes: Maintain standard operating procedures with clearly articulated standards. Regularly train and educate staff on how to follow the documented procedures. Maintain strict, consistent enforcement of the effective identification, authorization and escorting of visitors to sensitive areas
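    The inventory and tamper-check capabilities above come together in a daily reconciliation: the recorded inventory (serial number, make/model, location, seal) is compared with what trained staff actually observed at the device. The following is an added example written for this page, not code from the Verizon report or from the PCI SSC; the record layouts, the finding codes and the `reconcile` function are assumptions made for illustration, and both datasets are constructed sample data.

```python
"""Reconcile a POI device inventory against a start-of-day tamper-check sheet.

Added example for this page (not from the Verizon report or PCI SSC).
Field names, finding codes and sample data are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class InventoryRecord:
    device_id: str    # internal asset tag
    make_model: str
    serial: str       # serial number recorded at commissioning
    location: str     # where the device is supposed to be
    seal_id: str      # tamper-evident seal number applied at commissioning


@dataclass(frozen=True)
class CheckRecord:
    device_id: str
    observed_serial: str
    observed_location: str
    observed_seal_id: str
    seal_intact: bool
    extra_attachment: bool   # overlay, unexpected cable, card-slot insert, etc.


def _norm(value):
    """Normalize hand-transcribed identifiers (case and stray whitespace)."""
    return value.strip().upper()


# Constructed sample inventory (not real devices).
INVENTORY = [
    InventoryRecord("POI-001", "Ingenico Lane/5000", "SN1A2B3C", "Store 12 / Lane 1", "SEAL-7001"),
    InventoryRecord("POI-002", "Ingenico Lane/5000", "SN4D5E6F", "Store 12 / Lane 2", "SEAL-7002"),
    InventoryRecord("POI-003", "Verifone P400", "SN7G8H9I", "Store 12 / Customer service", "SEAL-7003"),
]

# Constructed check-sheet results for one day (not real observations).
TODAYS_CHECK = [
    CheckRecord("POI-001", "sn1a2b3c ", "Store 12 / Lane 1", "SEAL-7001", True, False),
    # Serial differs from the inventory: possible device swap.
    CheckRecord("POI-002", "SN4D5E60", "Store 12 / Lane 2", "SEAL-7002", True, False),
    # A device nobody has in the inventory is sitting on Lane 3.
    CheckRecord("POI-004", "SNZZZZZZ", "Store 12 / Lane 3", "SEAL-9999", True, False),
    # POI-003 was not inspected at all today.
]


def reconcile(inventory, checks):
    """Return sorted (device_id, finding) pairs; an empty list means clean."""
    findings = []
    by_id = {r.device_id: r for r in inventory}
    seen = set()
    for c in checks:
        seen.add(c.device_id)
        rec = by_id.get(c.device_id)
        if rec is None:
            findings.append((c.device_id, "UNKNOWN_DEVICE"))   # not in inventory
            continue
        if _norm(c.observed_serial) != _norm(rec.serial):
            findings.append((c.device_id, "SERIAL_MISMATCH"))
        if c.observed_location != rec.location:
            findings.append((c.device_id, "LOCATION_MISMATCH"))
        if _norm(c.observed_seal_id) != _norm(rec.seal_id):
            findings.append((c.device_id, "SEAL_ID_MISMATCH"))
        if not c.seal_intact:
            findings.append((c.device_id, "SEAL_BROKEN"))
        if c.extra_attachment:
            findings.append((c.device_id, "UNEXPECTED_ATTACHMENT"))
    # Devices in the inventory that no check record covers are a gap too:
    # a missing device and a skipped inspection look the same from here.
    for device_id in by_id:
        if device_id not in seen:
            findings.append((device_id, "NOT_INSPECTED"))
    return sorted(findings)


if __name__ == "__main__":
    for device_id, finding in reconcile(INVENTORY, TODAYS_CHECK):
        print(f"{device_id}: {finding}")
```

    Any non-empty result is an escalation, not something to fix silently in the inventory: a serial mismatch or unknown device is the classic skimmer-swap signature, and a device that was never inspected needs someone to go and look at it. Running this at the end of each start-of-day walk, rather than as a separate task, is what the tip under Figure 23 means by folding tamper checks into existing processes.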

    Strong dependencies and integration with other key requirements

    • Requirement 8: Integration with authorization requirements for effective physical access control
    • Requirement 7: Integration with access control requirements for effective physical access control
    • Requirement 10: Integration with logging and monitoring requirements of physical security components
    • Requirement 12: Integration with risk assessment, governance, training and awareness requirements

    Short-term objectives

    • Scope—inventory: Maintain an up-to-date inventory, including a complete description of all relevant in-scope physical system components across the CDE
    • Capability: Implement and maintain an effective process where all media with CHD (electronic and hard copy) is destroyed when no longer needed for business or legal reasons, across the CDE

    Long-term objectives

    • Improve: Improve the capability to collect, review and correlate all physical access control records and monitoring logs to enhance the effectiveness of physical access controls to all sensitive areas across the CDE
    • Maturity: Improve and refine configurations and support processes, documentation and training to achieve and maintain high-capability maturity on physical access security control processes and capabilities
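    Correlating physical access records with the authorization list is where the long-term objective above becomes concrete: each badge-reader event is checked against who is allowed where and when, visitor entries into sensitive areas are matched to an escorting staff badge, and repeated denials are surfaced as attempted unauthorized access. The following is an added example written for this page, not code from the Verizon report, from the PCI SSC or from any badge-reader vendor; the log line format, the authorization table, the escort and denial thresholds and the alert names are all assumptions for illustration, and the log lines are constructed.

```python
"""Review badge-reader events against a physical-access authorization list.

Added example for this page (not from the Verizon report or PCI SSC).
Log format, authorization table, thresholds and alert names are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed reader log format: "<ISO timestamp> reader=<area> badge=<id> result=<GRANTED|DENIED>"
LINE_RE = re.compile(r"^(\S+) reader=(\S+) badge=(\S+) result=(GRANTED|DENIED)$")

# Assumed authorization table: badge -> (role, {areas}, (start_hour, end_hour)).
AUTHORIZED = {
    "B1001": ("staff",   {"DC-ROOM-1", "NOC"}, (7, 19)),
    "B1002": ("staff",   {"NOC"},              (0, 24)),
    "V2001": ("visitor", {"DC-ROOM-1"},        (8, 18)),
}
SENSITIVE_AREAS = {"DC-ROOM-1"}
ESCORT_WINDOW = timedelta(seconds=60)      # staff badge must read within this window
DENIAL_THRESHOLD, DENIAL_WINDOW = 3, timedelta(minutes=10)

# Constructed sample log (not real events).
SAMPLE_LOG = """\
2024-03-04T08:15:02 reader=NOC badge=B1002 result=GRANTED
2024-03-04T09:00:10 reader=DC-ROOM-1 badge=B1001 result=GRANTED
2024-03-04T09:00:31 reader=DC-ROOM-1 badge=V2001 result=GRANTED
2024-03-04T14:30:05 reader=DC-ROOM-1 badge=V2001 result=GRANTED
2024-03-04T22:41:17 reader=DC-ROOM-1 badge=B1001 result=GRANTED
2024-03-04T23:02:01 reader=DC-ROOM-1 badge=B9999 result=DENIED
2024-03-04T23:03:14 reader=DC-ROOM-1 badge=B9999 result=DENIED
2024-03-04T23:05:50 reader=DC-ROOM-1 badge=B9999 result=DENIED
2024-03-04T23:40:00 reader=NOC badge=B1001 result=GRANTED
"""


def parse(log_text):
    """Parse reader lines into (timestamp, area, badge, result), sorted by time."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # assumption: malformed lines are dropped, not guessed at
        ts, area, badge, result = m.groups()
        events.append((datetime.fromisoformat(ts), area, badge, result))
    return sorted(events)


def review(log_text):
    """Return sorted (timestamp, badge, alert) tuples for events needing follow-up."""
    events = parse(log_text)
    alerts = []
    denials = defaultdict(list)   # (area, badge) -> recent denial timestamps
    for ts, area, badge, result in events:
        if result == "DENIED":
            recent = [t for t in denials[(area, badge)] if ts - t <= DENIAL_WINDOW]
            recent.append(ts)
            denials[(area, badge)] = recent
            if len(recent) == DENIAL_THRESHOLD:
                alerts.append((ts, badge, "REPEATED_DENIAL"))
            continue
        entry = AUTHORIZED.get(badge)
        if entry is None:
            # Reader granted a badge the authorization list does not know:
            # reader configuration has drifted from the approved list.
            alerts.append((ts, badge, "GRANTED_UNKNOWN_BADGE"))
            continue
        role, areas, (start, end) = entry
        if area not in areas:
            alerts.append((ts, badge, "GRANTED_OUTSIDE_AUTHORIZATION"))
        if not (start <= ts.hour < end):
            alerts.append((ts, badge, "OUTSIDE_PERMITTED_HOURS"))
        if role == "visitor" and area in SENSITIVE_AREAS:
            escorted = any(
                a == area and r == "GRANTED" and b != badge
                and AUTHORIZED.get(b, ("",))[0] == "staff"
                and abs(t - ts) <= ESCORT_WINDOW
                for t, a, b, r in events
            )
            if not escorted:
                alerts.append((ts, badge, "VISITOR_UNESCORTED"))
    return sorted(alerts)


if __name__ == "__main__":
    for ts, badge, alert in review(SAMPLE_LOG):
        print(f"{ts.isoformat()} {badge}: {alert}")
```

    On the sample log this flags the afternoon visitor entry with no staff badge nearby, two after-hours staff entries, and the third consecutive denial at the data centre door, while the morning visitor entry passes because an escort badged in 21 seconds earlier. The escort check is the interesting piece: it is a correlation across two events rather than a property of one, which is why a reader's own logs are not enough and the authorization list has to be joined in. Whether CCTV footage is pulled for a flagged event is a procedure decision the script does not make.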

    Common constraints

    • Commitment: Insufficient ongoing management commitment, both to requiring that employees consistently adhere to security and compliance requirements and to investing in the resources (automation tools, ongoing training and awareness) that staff need to be proficient at the full scope of tasks under Requirement 9