PCI DSS Requirement 9
The Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational requirements for protecting cardholder data. It applies to every entity that stores, processes or transmits cardholder data, whether a merchant, a service provider or a technology company handling that data on someone else's behalf.
There are 12 requirements in total. In this article we'll take a look at PCI DSS Requirement 9 and discuss how to maintain compliance with it.
What is PCI DSS Requirement 9?
PCI DSS Requirement 9 requires that entities restrict physical access to cardholder data. It states, "Any physical access to data or systems that house cardholder data provides the opportunity for persons to access and/or remove devices, data, systems or hardcopies, and should be appropriately restricted."
PCI DSS Requirement 9 is broken into ten sub-requirements (9.1 through 9.10 in PCI DSS v2.0, the version linked at the end of this article), all of which you must meet to maintain PCI DSS compliance.
In these ten sections, "onsite personnel" means full-time and part-time employees, temporary employees, contractors and consultants who are physically present on the entity's premises. "Visitors" means vendors, guests and anyone else who enters the facility for a short time. "Media" means all paper and electronic media containing cardholder data.
- 9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
- 9.2 Develop procedures to easily distinguish between onsite personnel and visitors, especially in areas where cardholder data is accessible. (Assigning every user a unique ID is a separate control, covered under Requirement 8, not Requirement 9.)
- 9.3 Ensure all visitors are authorized before entering areas where cardholder data is processed or maintained; given a physical token that expires and that identifies visitors as not onsite personnel; and are asked to surrender the physical token before leaving the facility or at the date of expiration.
- 9.4 Use a visitor log to maintain a physical audit trail of visitor information and activity, including visitor name, their company and the onsite personnel authorizing physical access. Retain the log for at least three months unless otherwise restricted by law.
- 9.5 Store media back-ups in a secure location, preferably off site.
- 9.6 Physically secure all media.
- 9.7 Maintain strict control over the internal or external distribution of any kind of media. Classify media so the sensitivity of the data can be determined.
- 9.8 Ensure that management approves any and all media moved from a secured area, especially when media is distributed to individuals.
- 9.9 Maintain strict control over the storage and accessibility of media.
- 9.10 Destroy media when it is no longer needed for business or legal reasons.
Ensure PCI DSS Requirement 9 Compliance
In an article by TechTarget, security management expert Mike Rothman discusses the best way to comply with PCI DSS Requirement 9. Of the use of a camera system to help with monitoring, he says that "having a camera outside of the server room, which records with an unalterable time stamp who enters and exits the room, and then having sufficiently detailed log records pertaining to changes made on the servers and cardholder data access is enough."
You can also learn more by viewing this TechTarget video, which discusses common questions about PCI DSS 9.
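The approach Rothman describes only pays off if someone actually compares the two records: the physical entry/exit trail for the server room against the activity logged on the servers inside it. The script below is an added example, not part of the original article or of any PCI SSC or SolarWinds material. It assumes a badge reader on the server-room door in place of the camera (the format of the badge export and the ISO-timestamped auth-log extract are both constructed for the example), replays the badge events to work out who was in the room at any instant, and flags two things a QSA or an incident responder would want to see: local console logins on a cardholder-data-environment host while the badge log says the room was empty (tailgating, a propped door, or lost badge records), and badge-ins by people who are not on the authorized list. Remote SSH sessions are deliberately ignored, since they require no physical presence.

```python
"""Correlate server-room badge records with local console logins on CDE hosts.

Added example with constructed sample data; the log formats and host/user names
are assumptions, not any particular product's export format.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed badge-reader export for the server-room door: ISO-8601 UTC, badge holder, direction.
BADGE_LOG = """\
2023-03-01T09:00:12Z alice in
2023-03-01T09:45:30Z alice out
2023-03-01T13:10:02Z mallory in
2023-03-01T13:40:00Z mallory out
"""

# Constructed auth-log extract from a CDE database host. The "LOGIN ON <tty> BY <user>"
# wording is what the Linux login(1) program writes to syslog; the ISO timestamp prefix
# is an assumption (stock syslog lines omit the year).
AUTH_LOG = """\
2023-03-01T09:05:44Z pos-db01 login[1123]: LOGIN ON tty1 BY dbadmin
2023-03-01T10:30:00Z pos-db01 sshd[1302]: Accepted publickey for dbadmin from 10.0.5.7 port 51022 ssh2
2023-03-01T11:20:03Z pos-db01 login[1410]: LOGIN ON tty1 BY root
2023-03-01T13:15:09Z pos-db01 login[1610]: LOGIN ON tty1 BY root
"""

# Badge holders allowed unescorted into the server room (constructed list).
AUTHORIZED = {"alice", "bob"}


@dataclass(frozen=True)
class BadgeEvent:
    ts: datetime
    person: str
    direction: str  # "in" or "out"


@dataclass(frozen=True)
class ConsoleLogin:
    ts: datetime
    host: str
    tty: str
    user: str


def _parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_badge_log(text: str) -> list[BadgeEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, person, direction = line.split()
        if direction not in ("in", "out"):
            raise ValueError(f"bad direction in badge record: {line!r}")
        events.append(BadgeEvent(_parse_ts(ts), person, direction))
    return sorted(events, key=lambda e: e.ts)


def parse_console_logins(text: str) -> list[ConsoleLogin]:
    """Keep only local-console logins (tty*); SSH and other remote sessions need no physical presence."""
    logins = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[3:5] != ["LOGIN", "ON"]:
            continue
        ts, host, tty, user = parts[0], parts[1], parts[5], parts[7]
        if tty.startswith("tty"):
            logins.append(ConsoleLogin(_parse_ts(ts), host, tty, user))
    return sorted(logins, key=lambda l: l.ts)


def occupants_at(events: list[BadgeEvent], t: datetime) -> set[str]:
    """Replay badge events up to time t and return who the reader believes is inside."""
    inside: set[str] = set()
    for e in events:
        if e.ts > t:
            break
        if e.direction == "in":
            inside.add(e.person)
        else:
            inside.discard(e.person)
    return inside


def unattended_console_logins(events: list[BadgeEvent], logins: list[ConsoleLogin]) -> list[ConsoleLogin]:
    """Console logins on a CDE host while the badge log shows nobody in the room."""
    return [l for l in logins if not occupants_at(events, l.ts)]


def unauthorized_entries(events: list[BadgeEvent], authorized: set[str]) -> list[BadgeEvent]:
    """Badge-ins by people not on the authorized list (revoked or mis-provisioned badges)."""
    return [e for e in events if e.direction == "in" and e.person not in authorized]


def review(badge_text: str = BADGE_LOG, auth_text: str = AUTH_LOG, authorized: set[str] = AUTHORIZED) -> dict:
    events = parse_badge_log(badge_text)
    logins = parse_console_logins(auth_text)
    return {
        "unattended": unattended_console_logins(events, logins),
        "unauthorized": unauthorized_entries(events, authorized),
    }


if __name__ == "__main__":
    result = review()
    for l in result["unattended"]:
        print(f"UNATTENDED console login: {l.ts.isoformat()} {l.host} {l.tty} {l.user}")
    for e in result["unauthorized"]:
        print(f"UNAUTHORIZED badge-in: {e.ts.isoformat()} {e.person}")
```

On the constructed data this reports the 11:20 root console login (the room was empty according to the badge reader) and mallory's 13:10 badge-in (not on the authorized list); the 13:15 root login is attended but by an unauthorized person, which is why both checks are needed. In a real deployment the badge and auth logs must come from a write-once or centrally collected store so that neither can be edited after the fact, which is the "unalterable time stamp" point in the quote above.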
MSPs and IT professionals need remote management solutions that go beyond just the basic PCI DSS Requirement 9 standards. SolarWinds MSP (formerly LOGICnow) offers remote management software that can help you keep your clients' cardholder data safe by giving you control over all aspects of network security. Our software includes features like encrypted data transfers, detailed application activity logs and advanced monitoring agents.
PCI Security Standards: https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
PCI Security Standards: https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf