
What is PCI-DSS Requirement 9?

PCI-DSS Requirement 9 requires businesses to restrict physical access to cardholder data. This step is essential as it will prevent unauthorised parties (or ‘visitors’) from accessing or interfering with sensitive card information.

These unauthorised visitors could include resellers, service workers, or anyone who may enter the relevant facility, and the physical copies of the data could take the form of either paper or electronic media storage.

Controlling physical access as well as remote system access allows your company to safeguard the physical environments where the cardholder data is stored, processed, or transmitted.

PCI-DSS Requirement 9.1: Processes and procedures for restricting physical access to cardholder data must be created and maintained.

The first sub-requirement of PCI-DSS Requirement 9 requires businesses to develop policies and practices to protect physical copies of cardholder data. These policies will need to be consistently monitored and updated where necessary, and all relevant personnel must have full visibility and understanding of their responsibilities.

The sub-sub-requirements are as follows:

  • PCI-DSS 9.1.1 - All security policies and operational methods relevant to PCI-DSS Requirement 9 must be documented, up to date, regularly maintained, and known to all relevant personnel.
  • PCI-DSS 9.1.2 - All roles and responsibilities for fulfilling work duties must be assigned to the relevant parties, documented, and understood.

PCI-DSS Requirement 9.2: Develop physical access procedures to manage access into systems containing cardholder data.

It’s essential to implement physical access controls as they reduce the risk of unauthorised parties accessing the cardholder data environment (CDE) to interfere with the system and introduce vulnerabilities, or to steal or even destroy the equipment.

PCI-DSS Requirement 9.2 specifically suggests that physical access should be restricted through mechanisms including badge readers or a lock and key. Details of parties who enter and exit facilities containing sensitive data should be maintained, as well as the specific times these were accessed.

Sub-sub-requirements of this section include:

  • PCI-DSS 9.2.1: Ensure that appropriate entry controls are in place at the facility to restrict physical access to systems holding sensitive data.
  • PCI-DSS 9.2.1.1: Individual physical access to the facilities must be monitored with either video cameras, physical access control mechanisms, or both.
  • PCI-DSS 9.2.2: Physical and/or logical controls must be implemented to restrict use of publicly accessible network jacks.
  • PCI-DSS 9.2.3: Physical access to wireless access points, gateways, networking hardware, and telecommunication lines must be restricted.
  • PCI-DSS 9.2.4: Access to consoles in sensitive facilities is locked when not used.

PCI-DSS Requirement 9.3: Physical access for personnel and visitors needs to be authorised and actively managed.

Each employee’s access to sensitive cardholder data needs to be limited, reviewed regularly, and updated when needed – such as when an employee is terminated from the business.

The devices used to authenticate physical access will need to easily identify and distinguish the person seeking entry, and this access needs to be surrendered and deactivated if the employee were to leave the business.

PCI-DSS Requirement 9.4: Systems with cardholder data must be securely stored, accessed, distributed, and destroyed if necessary.

It's essential to use visitor controls to reduce the risk of either unauthorised or malicious individuals accessing facilities holding sensitive cardholder data. Visitor controls allow visitors to be identified as such, allowing relevant staff to monitor their activities and ensure all visits are legitimate.

Your business should ensure any visitors’ badges are returned after the visit is complete, in order to prevent malicious personnel from using tools they’ve previously accessed to gain physical entry to the building afterwards.

It’s also important to keep a visitor log that documents minimum, but essential, information about the visitor. This documentation will help establish who had physical access to facilities containing cardholder data.

PCI-DSS Requirement 9.5: Point of interaction (POI) devices must be protected from tampering and unauthorised replacement.

Your business must ensure that external devices are regularly monitored and inspected to detect tampering as soon as it occurs, minimising the impact if the occasion were to arise. This is crucial if a device has been accessed by an external party for maintenance or repair, as it is then at much higher risk of compromise.

The sub-sub-sections of this requirement include:

  • PCI-DSS Requirement 9.5.1: POI devices that capture payment card data physically via a payment card form factor are protected from tampering and unauthorised changes.
  • PCI-DSS Requirement 9.5.1.1: A list of POI devices is regularly updated and maintained, including the make, model, and serial number of the device.
  • PCI-DSS Requirement 9.5.1.2: The surface of each POI device must be inspected on occasion to detect tampering and unauthorised replacement.
  • PCI-DSS Requirement 9.5.1.2.1: The regularity and intensity of POI device inspections should be defined in the business’ risk analysis.
  • PCI-DSS Requirement 9.5.1.3: Staff must be thoroughly trained to spot any attempted tampering or replacement of POI devices.

PCI-DSS Requirement 9.6: Businesses must retain strict control over the internal or external distribution of any media.

Audit procedures put in place by the business will help protect cardholder data in devices that are distributed to internal or external users. These policies will reduce the risk of lost or stolen data that may be used for fraudulent purposes.

  • PCI-DSS Requirement 9.6.1: Classify media based on the sensitivity of the data.
  • PCI-DSS Requirement 9.6.2: Send media by secure delivery methods that can be tracked easily (i.e. a courier).
  • PCI-DSS Requirement 9.6.3: Ensure management approves all media that must be sent away.

PCI-DSS Requirement 9.7: Ensure strict controls over media storage and accessibility.

A media inventory and storage control must be maintained to ensure that any stolen or missing media can be noticed immediately and resolved. If an inventory is not kept, any lost or stolen media may not be noticed for a long time or even at all.

These media inventory logs should be regularly maintained and reviewed at least once a year.

PCI-DSS Requirement 9.8: Media no longer needed for business reasons must be safely disposed of.

Malicious parties can retrieve information from destroyed media if your business has not destroyed the information on the devices first. It's important to ensure that cardholder data is rendered non-recoverable so it cannot be reproduced.

Your business must establish a media destruction policy that covers all areas of physical media. This requirement suggests the following procedures:

  • Printed media must be cut to pieces, burned or pulped so that it cannot be reassembled.
  • Storage containers used to hold materials that will be destroyed need to be securely protected.
  • Cardholder data on electronic devices must be rendered unrecoverable.
  • You must use a secure erase program that complies with industry-accepted standards, or the media must be physically destroyed.

PCI DSS Requirement 9.9: Protect devices receiving payment card data from physical tampering or replacement.

PCI-DSS Requirement 9.9 applies to card-reading devices used in transactions at the point of sale. Criminals may try to steal cardholder data by stealing or manipulating these card reader devices or terminals. They may also add components outside of the device to capture cardholder data before entering the device, allowing the criminal to steal data undetected.

The recommended procedures include:

  • Keeping an inventory list of devices.
  • Periodic checks of devices to detect tampering or replacement.
  • Staff training to recognise and report tampering or replacement of devices.
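
The inventory and periodic checks described here and under Requirement 9.5.1.1 can be reconciled automatically. The following is an added example, not code from Hicomply or the PCI SSC: it compares an inventory of make, model and serial number against what an inspector read off each device. The `location` field, the 30-day inspection interval and all sample records are assumptions constructed for illustration; the real interval comes from your own risk analysis.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class PoiDevice:
    location: str         # where the terminal is deployed (assumed field)
    make: str
    model: str
    serial: str
    last_inspected: date  # date of the last surface inspection

def reconcile(inventory, observed, today, max_age_days=30):
    """Compare the POI inventory with what was found on site.

    observed maps location -> (make, model, serial) read off the device.
    Returns a sorted list of (location, finding) tuples for follow-up.
    """
    findings = []
    listed_locations = {dev.location for dev in inventory}
    for dev in inventory:
        seen = observed.get(dev.location)
        if seen is None:
            findings.append((dev.location, "missing"))
        elif seen != (dev.make, dev.model, dev.serial):
            # A different serial at a known location suggests replacement.
            findings.append((dev.location, "identity mismatch"))
        if today - dev.last_inspected > timedelta(days=max_age_days):
            findings.append((dev.location, "inspection overdue"))
    for location in observed:
        if location not in listed_locations:
            findings.append((location, "not in inventory"))
    return sorted(findings)

# Constructed sample data, not real devices.
INVENTORY = [
    PoiDevice("till-1", "ExampleCo", "PX-100", "SN-0001", date(2024, 5, 20)),
    PoiDevice("till-2", "ExampleCo", "PX-100", "SN-0002", date(2024, 3, 1)),
    PoiDevice("kiosk-1", "ExampleCo", "PX-200", "SN-0003", date(2024, 5, 25)),
]
OBSERVED = {
    "till-1": ("ExampleCo", "PX-100", "SN-0001"),
    "till-2": ("ExampleCo", "PX-100", "SN-9999"),  # serial differs from list
    "till-3": ("ExampleCo", "PX-100", "SN-0004"),  # device nobody recorded
}

if __name__ == "__main__":
    for location, finding in reconcile(INVENTORY, OBSERVED, date(2024, 6, 1)):
        print(f"{location}: {finding}")
```
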

PCI-DSS Requirement 9.10: Document and distribute all policies.

Staff must know and follow all security policies and operational procedures laid out in PCI-DSS Requirement 9 to ensure thorough restriction of any physical access to cardholder data.

Compliance as you work with Hicomply

If you’re looking to meet all the PCI-DSS requirements, including PCI-DSS Requirement 9, we can help. At Hicomply, we know that the process can be extremely time-consuming and intimidating. This is why we offer a full ISMS solution with a dashboard that allows you to keep everything you need to achieve compliance in one place. Contact us today for a demo.