
PCI-DSS and the need for Physical Access Controls

The Payment Card Industry Data Security Standard (PCI DSS) sets forth requirements to help organizations in the payment card industry develop and maintain secure systems.

It ensures that ALL entities involved in processing, storing, or transmitting cardholder data adhere to consistent information security practices. Compliance with PCI DSS is critical for protecting sensitive data and mitigating risks in systems and applications that handle payment card information.

PCI DSS provides a baseline of technical and operational requirements designed to protect account data and applies to all entities involved in payment card processing including merchants, processors, acquirers, issuers, and service providers. It also governs any systems in the payment card industry that store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD).

There are 12 PCI DSS requirements that must be met for compliance, and Requirement 9 specifically addresses restricting physical access to cardholder data.

Digitus and PCI-DSS Requirement 9 – Restrict physical access to cardholder data

The Digitus Access Solution helps to ensure that any and all access is appropriately controlled and monitored. It is critical to understand that physical access to a data center or cardholder data systems can allow someone unauthorized access or the ability to remove devices, data, or printed copies.

For the purposes of Requirement 9, the following definitions are important:

  • On-site personnel: Employees, contractors, temporary staff, or consultants physically present at the facility.
  • Visitors: Vendors, guests of onsite personnel, or service personnel who require short-term access, typically less than one day.
  • Media: Any paper or electronic media containing cardholder data.

PCI-DSS Requirements

9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.

Testing Procedures

9.1 Verify the existence of physical security controls for each computer room, data center, and other physical areas with systems in the cardholder data environment.

Verify that access is controlled with badge readers or other devices including authorized badges and lock and key.

Observe a system administrator’s attempt to log into consoles for randomly selected systems in the cardholder data environment and verify that they are “locked” to prevent unauthorized use.

Guidance

Without physical access controls, such as badge systems and door controls, unauthorized persons could potentially gain access to the facility to steal, disable, disrupt, or destroy critical systems and cardholder data.

Locking console login screens prevents unauthorized persons from gaining access to sensitive information, altering system configurations, introducing vulnerabilities into the network, or destroying records.

PCI-DSS Requirements

9.1.1 Use either video cameras or access control mechanisms (or both) to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.

Note: “Sensitive areas” refer to any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes public-facing areas where only point-of-sale terminals are present, such as the cashier areas in a retail store.

Testing Procedures

9.1.1.a Verify that either video cameras or access control mechanisms (or both) are in place to monitor the entry/exit points to sensitive areas.

9.1.1.b Verify that either video cameras or access control mechanisms (or both) are protected from tampering or disabling.

Guidance

When investigating physical breaches these controls can help identify the individuals that physically accessed the sensitive areas, as well as when they entered and exited. Criminals attempting to gain physical access to sensitive areas will often attempt to disable or bypass the monitoring controls.

To protect these controls from tampering, video cameras could be positioned so they are out of reach and/or be monitored to detect tampering. Similarly, access control mechanisms could be monitored or have physical protections installed to prevent them being damaged or disabled by malicious individuals.

Ensuring security measures extend to wireless access points helps mitigate risks associated with data breaches. Implementing PCI compliant controls throughout the environment strengthens the system and ensures you are protecting cardholder data.
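The 9.1.1 text asks for the collected access data to be reviewed, correlated with other entries, protected from tampering and kept for at least three months. As an added illustration (this is not Digitus code and not a PCI SSC tool), the Python script below runs that kind of review over a constructed badge-reader log: it flags entries by badges that are not on the authorised roster, entries outside business hours, bursts of denied attempts, a visitor badge with no same-day exit, and reader-offline gaps in monitoring, and it checks that the retained log reaches back at least 90 days. The log format, the reader name, every badge ID, the roster and the 07:00 to 19:00 business-hours window are all assumptions made for the example.

```python
"""Review of badge-reader logs for a PCI DSS "sensitive area".

Added example: not Digitus code and not a PCI SSC tool. The log format,
reader name, badge IDs, roster and business-hours window are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample log: "timestamp,reader,badge,result", one event per line.
SAMPLE_LOG = """\
2024-01-02T08:01:10,DC-EAST-DOOR,B1001,GRANTED
2024-01-02T08:02:44,DC-EAST-DOOR,B2040,GRANTED
2024-01-02T12:15:09,DC-EAST-DOOR,B1001,EXIT
2024-01-02T22:05:00,DC-EAST-DOOR,B1001,GRANTED
2024-01-02T22:50:17,DC-EAST-DOOR,B1001,EXIT
2024-01-02T23:40:02,DC-EAST-DOOR,B3377,GRANTED
2024-01-03T03:12:30,DC-EAST-DOOR,B1001,DENIED
2024-01-03T03:12:41,DC-EAST-DOOR,B1001,DENIED
2024-01-03T03:12:55,DC-EAST-DOOR,B1001,DENIED
2024-01-03T09:00:00,DC-EAST-DOOR,-,READER_OFFLINE
2024-01-03T09:30:00,DC-EAST-DOOR,-,READER_ONLINE
"""

# Constructed roster: badges authorised for the area, with their Requirement 9 category.
ROSTER = {
    "B1001": "on-site personnel",
    "B2040": "visitor",  # short-term access: expected to leave the same day
}


def parse_log(text):
    """Parse the constructed CSV-style log into time-ordered event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, reader, badge, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "reader": reader,
                       "badge": badge, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def review_access(events, roster, business_hours=(7, 19),
                  deny_threshold=3, deny_window=timedelta(minutes=5)):
    """Return (category, detail) findings from one pass over the events."""
    findings = []
    denials = {}          # badge -> timestamps of recent denied attempts
    open_visits = {}      # (visitor badge, date) -> entry time with no exit yet
    offline_since = None  # start of a reader outage (a gap in 9.1.1 monitoring)

    for e in events:
        ts, badge, result = e["ts"], e["badge"], e["result"]
        if result == "GRANTED":
            if badge not in roster:
                findings.append(("unknown_badge", f"{badge} granted entry at {ts}"))
            elif not business_hours[0] <= ts.hour < business_hours[1]:
                findings.append(("after_hours", f"{badge} entered at {ts}"))
            if roster.get(badge) == "visitor":
                open_visits[(badge, ts.date())] = ts
        elif result == "EXIT":
            open_visits.pop((badge, ts.date()), None)
        elif result == "DENIED":
            recent = [t for t in denials.get(badge, []) if ts - t <= deny_window]
            recent.append(ts)
            denials[badge] = recent
            if len(recent) == deny_threshold:  # report once per burst
                findings.append(("repeated_denials",
                                 f"{badge}: {deny_threshold} denials ending {ts}"))
        elif result == "READER_OFFLINE":
            offline_since = ts
        elif result == "READER_ONLINE" and offline_since is not None:
            findings.append(("monitoring_gap",
                             f"{e['reader']} offline {offline_since} to {ts}"))
            offline_since = None

    if offline_since is not None:
        findings.append(("monitoring_gap", f"reader still offline since {offline_since}"))
    for (badge, day), ts in open_visits.items():
        findings.append(("visitor_no_exit", f"{badge} entered {ts}, no exit on {day}"))
    return findings


def retention_covers(events, as_of_iso, min_days=90):
    """True when the retained log reaches back at least min_days before as_of.

    A system younger than min_days cannot pass yet; treat that as a documented
    exception rather than a finding.
    """
    if not events:
        return False
    oldest = min(e["ts"] for e in events)
    return datetime.fromisoformat(as_of_iso) - oldest >= timedelta(days=min_days)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for category, detail in review_access(evts, ROSTER):
        print(f"{category:18} {detail}")
    print("90-day retention covered:", retention_covers(evts, "2024-04-15T00:00:00"))
```

In a real review the roster would come from the badge system's authorisation list and the findings would be correlated with camera footage and visitor-log entries, which is the "correlate with other entries" step the requirement text describes; the reader-offline events are the log-side evidence that 9.1.1.b's tamper and disable protections need to be checked.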

Frequently Asked Questions

The Payment Card Industry Data Security Standard (PCI DSS) is a global set of security requirements designed to protect cardholder data and reduce fraud in any organization that handles payment cards.

Any business that processes, stores, or transmits credit card information must comply — this includes merchants, service providers, and payment processors.

PCI DSS standards define 12 essential requirements grouped into six main control areas that focus on securing systems and applications:

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

Depending on transaction levels, compliance is validated through self‑assessment questionnaires, external audits by a Qualified Security Assessor (QSA), and quarterly scans by an Approved Scanning Vendor (ASV).

Failing to meet PCI DSS standards can result in financial penalties, increased transaction costs, suspension of the ability to process card payments, and a significantly higher risk of data breaches and compromised information security.
