The goal
|
The goal of PCI DSS Key Requirement 9 is to protect payment card account data by maintaining a sustainable capability to restrict physical access to sensitive facilities, systems and any component that contains cardholder data (CHD), including hard copies, across the cardholder data environment (CDE) to authorized individuals only, and to prevent, detect and respond to access attempts by unauthorized individuals.
This goal includes complete integration with all related PCI DSS Key Requirements for the establishment of an effective, integrated series of control systems, and the development and ongoing improvement of all related capabilities, processes, documentation, tools and training needed to achieve < Quantitatively managed/Optimized > maturity of this key requirement by < insert date >.
|
Goal applicability and scope considerations
|
- Scope—CHD components: All IT components, desktop and mobile computers, storage devices (external hard drives, backups, etc.), paper records, POS devices, and electronic audio recordings that contain payment card account data, as well as components that can access such systems and the facilities in which they reside
- Scope—security components: Network security components (routers, firewalls, logging and monitoring, access control, and authentication systems), wireless access points, network jacks, telecommunication lines, badge readers, key entry locks, CCTV cameras and recording systems
|
Goal requirements:
Some of the primary conditions necessary to achieve the goal
|
- Capability—inventory management: Create and actively maintain a complete and accurate inventory of all systems that store, process or transmit account data, or that can affect the security of account data. Record the physical location of each system and every individual authorized to access it, and list the applications running on it, including version numbers, so that known vulnerabilities can be tracked against the inventory
- Capability—automate: Implement an application to support and automate the maintenance of an up-to-date list of all devices, including physical location, serial number and make/model, and integrate HR and IT processes so that the list stays synchronized with staff, network and system component changes. This includes the classification, logging and management of all CHD-related media according to the sensitivity of the data
- Competence—procedures: All relevant frontline staff must be able to detect suspicious activity around payment devices and must follow verification procedures for any third party requesting physical access to any CHD component, such as a POS device, server or wireless device. Staff must also be able to inspect POS devices effectively and consistently for tampering, with sufficient training to be proficient at POS inspections: verifying that the serial number on the device matches the inventory and detecting compromised security seals
- Documentation and processes: Maintain standard operating procedures with clearly articulated standards. Regularly train and educate staff on how to follow the documented procedures. Maintain strict, consistent enforcement of the effective identification, authorization and escorting of visitors to sensitive areas
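The inventory and POS inspection capabilities above only pay off when inspection results are actually reconciled against the inventory. The script below is an added example, not code from the original page or from any PCI DSS publication: it takes a constructed device inventory (serial, make/model, expected location, last inspection date) and a constructed field inspection report (location visited, serial read off the label, seal condition) and flags swapped or unknown devices, broken seals, devices the inspection round missed, and overdue inspections. The record formats, the one-device-per-location assumption and the 90-day inspection interval are assumptions for illustration, not PCI DSS-mandated values.

```python
"""Added example (not from the original page): reconcile a POS device
inventory against a field inspection report.

All records below are constructed for illustration. The schema, the
one-device-per-location rule and INSPECTION_INTERVAL are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Device:
    serial: str
    make_model: str
    location: str          # where the inventory says the device lives
    last_inspected: date   # most recent completed inspection


@dataclass(frozen=True)
class Inspection:
    location: str          # lane/location the inspector visited
    serial_seen: str       # serial read off the device label
    seal_intact: bool      # tamper-evident seal still intact?
    inspected_on: date


INSPECTION_INTERVAL = timedelta(days=90)   # assumed local policy


def reconcile(inventory, inspections, today):
    """Return sorted (severity, location, serial, message) findings."""
    findings = []
    expected = {d.location: d for d in inventory}   # one device per location
    by_serial = {d.serial: d for d in inventory}
    visited = set()

    for insp in inspections:
        visited.add(insp.location)
        dev = expected.get(insp.location)
        owner = by_serial.get(insp.serial_seen)
        # A serial that does not match the inventory is the classic
        # substitution/skimmer indicator, whether or not we expected a
        # device at that location at all.
        if dev is None or insp.serial_seen != dev.serial:
            want = f"expected {dev.serial}" if dev else "no device expected here"
            where = (f"inventoried at {owner.location}" if owner
                     else "not in inventory at all")
            findings.append(("HIGH", insp.location, insp.serial_seen,
                             f"serial mismatch: {want}; seen device {where}"))
        if not insp.seal_intact:
            findings.append(("HIGH", insp.location, insp.serial_seen,
                             "tamper-evident seal broken or missing"))

    # Devices whose location nobody visited this round stay on the books.
    for dev in inventory:
        if dev.location not in visited:
            findings.append(("MEDIUM", dev.location, dev.serial,
                             "inventoried device not covered by this inspection round"))
            overdue = today - dev.last_inspected
            if overdue > INSPECTION_INTERVAL:
                findings.append(("LOW", dev.location, dev.serial,
                                 f"inspection overdue by {overdue.days} days"))
    return sorted(findings)


# --- constructed sample data (no real merchant, devices or serials) ---
TODAY = date(2024, 6, 1)

INVENTORY = [
    Device("SN-1001", "Vendor-A T1", "store-12/lane-1", date(2024, 5, 20)),
    Device("SN-1002", "Vendor-A T1", "store-12/lane-2", date(2024, 5, 20)),
    Device("SN-1003", "Vendor-B P4", "store-12/lane-3", date(2024, 1, 15)),
]

INSPECTIONS = [
    Inspection("store-12/lane-1", "SN-1001", True, TODAY),   # as expected
    Inspection("store-12/lane-2", "SN-9999", True, TODAY),   # unknown device swapped in
    Inspection("store-12/lane-4", "SN-1002", False, TODAY),  # lane-2's device moved, seal broken
    # lane-3 was not visited at all
]


def run_sample():
    """Reconcile the constructed sample; returns the findings list."""
    return reconcile(INVENTORY, INSPECTIONS, TODAY)


if __name__ == "__main__":
    for sev, loc, serial, msg in run_sample():
        print(f"{sev:6} {loc:16} {serial:8} {msg}")
```

Feeding the output into the logging and monitoring pipeline (Requirement 10) rather than leaving it in a spreadsheet is what turns a periodic inspection into a detection control: a HIGH finding should open a ticket the same day, and a run that produces no MEDIUM findings is the evidence that every inventoried device was covered.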
|
Strong dependencies and integration with other key requirements
|
- Requirement 8: Integration with identification and authentication requirements, so that physical access rights are tied to verified individual identities
- Requirement 7: Integration with access control requirements for effective physical access control
- Requirement 10: Integration with logging and monitoring requirements of physical security components
- Requirement 12: Integration with risk assessment, governance, training and awareness requirements
|
Short-term objectives
|
- Scope—inventory: Maintain an up-to-date inventory, including a complete description of all relevant in-scope physical system components across the CDE
- Capability: Implement and maintain an effective process by which all media containing CHD (electronic and hard copy) are destroyed when no longer needed for business or legal reasons, across the CDE
|
Long-term objectives
|
- Improve: Improve the capability to collect, review and correlate all physical access control records and monitoring logs to enhance the effectiveness of physical access controls to all sensitive areas across the CDE
- Maturity: Improve and refine configurations, support processes, documentation and training to achieve and maintain a high level of capability maturity for physical access security control processes and capabilities
|
Common constraints
|
- Commitment: Insufficient ongoing assurance from management that employees are required to adhere consistently to security and compliance requirements, and insufficient investment in resources (automation tools, ongoing training and awareness) to enable staff to become proficient at the full scope of tasks under Requirement 9
|