Take the lead in data protection best practices with our unified SIEM solution!
Disclaimer: This guide has been created with reference to official documents on the PCI DSS published by relevant government authorities. It is intended to provide a clear and comprehensive explanation of PCI DSS Requirement 9. The contents are for informational purposes only and should not be considered as legal advice. Organizations should consult with a qualified PCI DSS consultant to ensure compliance.
Requirement 9: Restrict physical access to cardholder data
This PCI DSS requirement is further divided into requirement 9.1, 9.2, 9.3, 9.4 and 9.5. Let's explore these in detail.
PCI DSS requirement 9.1: Processes and mechanisms for restricting physical access to cardholder data are defined and understood.
This PCI DSS requirement is further divided into 9.1.1 and 9.1.2. Let's explore these in detail.
PCI DSS requirement 9.1.1: Documented and up-to-date security policies and procedures
This requirement focuses on the effective management of security policies and operational procedures related to protecting cardholder data within the Cardholder Data Environment (CDE). It mandates that all policies and procedures defined in Requirement 9 (covering physical and logical access control) are:
- Documented: Clearly documented and readily available to all relevant personnel.
- Up-to-date: Regularly reviewed and updated to reflect changes in technologies, processes, or business needs.
- In Use: Actively implemented and followed by personnel within the organization.
- Communicated: Effectively communicated and understood by all affected parties.
- Security Policies: High-level statements outlining the organization's security objectives and overall approach to data protection.
- Operational Procedures: Detailed instructions describing how to perform specific activities related to security controls, ensuring consistent implementation.
Business implication
- Reduced Risk of Non-Compliance: Ensuring documented, up-to-date, and implemented security policies and procedures significantly reduces the risk of non-compliance with PCI DSS requirements. Clear communication of these policies empowers personnel to make informed security decisions and minimizes the chance of unintentional policy violations.
Best practices to meet this requirement
- Policy and Procedure Development: Develop clear and concise security policies and operational procedures covering all aspects of physical and logical access control defined in Requirement 9.
- Version Control and Updates: Implement a version control system for your policies and procedures to track changes and ensure everyone is using the latest versions. Regularly review and update these documents to reflect any changes in your environment.
- Communication and Training: Effectively communicate security policies and procedures to all relevant personnel through training sessions, readily accessible documentation, or other communication channels.
- Periodic Reviews: Conduct periodic reviews of your policies and procedures to ensure they remain relevant and effective.
How to comply with this PCI DSS requirement
| Requirement | Actions required | How the assessment is done |
|---|---|---|
| 9.1.1.a | Examine documentation for security policies and operational procedures related to Requirement 9. | The assessor will review your documented policies and procedures to verify they cover all aspects of physical and logical access control outlined in Requirement 9. |
| 9.1.1.b | Interview personnel across various departments to verify their awareness and understanding of the documented policies and procedures. | The assessor will interview relevant personnel to assess their knowledge of the security policies and procedures. This may involve asking them to explain specific controls or procedures outlined in the documents. |
| 9.1.1.c | Review communication methods used to distribute these policies and procedures. | The assessor will assess your communication methods to ensure they effectively reach all affected personnel. This may involve reviewing training materials, internal communication channels, or other methods used to disseminate the policies. |
PCI DSS Requirement 9.1.2: Defined roles and responsibilities for physical and logical access controls
This requirement ensures clear assignment and understanding of roles and responsibilities for implementing the physical and logical access controls outlined in Requirement 9. It mandates that:
- Documented Roles and Responsibilities: A clear documentation exists specifying roles and responsibilities for activities related to access control.
- Assigned Responsibilities: Specific individuals or teams are assigned ownership for carrying out these activities.
- Understanding of Roles: Personnel understand their assigned roles and responsibilities within the access control framework.
Business implication
- Enhanced Accountability and Control: Clearly defined and documented roles and responsibilities for access control activities ensure accountability and promote proper implementation of security controls. This minimizes the risk of unauthorized access to cardholder data due to confusion or lack of ownership.
Best practices to meet this requirement
- RACI Matrix: Develop a Responsibility Assignment Matrix (RACI) that outlines who is Responsible, Accountable, Consulted, and Informed (RACI) for each activity related to physical and logical access control.
- Policy and Procedure Integration: Integrate roles and responsibility information within your security policies and procedures related to access control.
- Communication and Training: Effectively communicate and train personnel on their assigned roles and responsibilities for access control. This can involve training sessions, reference materials, or incorporating role information into job descriptions.
- Acceptance Acknowledgement: Consider having personnel acknowledge their understanding and acceptance of their assigned roles and responsibilities.
How to comply with this PCI DSS requirement
| Requirement | Actions required | How the assessment is done |
|---|---|---|
| 9.1.2.a | Examine documentation (e.g., security policies, RACI matrix) to verify documented roles and responsibilities for access control activities. | The assessor will review your documentation to ensure it clearly outlines roles and responsibilities for activities related to physical and logical access control as defined in Requirement 9. |
| 9.1.2.b | Interview personnel responsible for access control activities. | The assessor will interview relevant personnel to assess their understanding of their assigned roles and responsibilities within the access control framework. They may ask personnel to explain their specific duties and how they contribute to overall access control objectives. |
PCI DSS requirement 9.2: Physical access controls manage entry into facilities and systems containing cardholder data.
This PCI DSS requirement is further divided into 9.2.1, 9.2.2, 9.2.3, and 9.2.4. Let's explore these in detail.
PCI DSS Requirement 9.2.1: Physical entry controls for cardholder data Environment (CDE)
This requirement focuses on restricting physical access to systems within the Cardholder Data Environment (CDE). It mandates the implementation of appropriate entry controls to prevent unauthorized individuals from gaining physical access to these systems.
- Cardholder Data Environment (CDE): The portion of the network that processes, stores, or transmits cardholder data or security information.
- Physical Entry Controls: Mechanisms that limit physical access to a specific area, such as badge readers, security doors, or locked entrances.
Business implication
- Reduced Risk of Physical Security Breaches: Implementing strong physical entry controls significantly reduces the risk of unauthorized individuals gaining physical access to CDE systems. This helps protect sensitive cardholder data from theft, tampering, or unauthorized modification.
Best practices to meet this requirement
- Layered Security: Implement a layered approach to physical security. This may involve perimeter fencing, security guards, access control systems (badge readers, key cards), and video surveillance for critical areas within the CDE.
- Access Control Lists: Maintain accurate and up-to-date access control lists (ACLs) for all physical entry points within the CDE. Ensure only authorized personnel have access to these areas.
- Regular Reviews and Audits: Conduct periodic reviews and audits of your physical security controls to identify and address any weaknesses.
How to comply with this PCI DSS requirement
| Requirement | Actions required | How the assessment is done |
|---|---|---|
| 9.2.1.a | Observe physical entry points to the CDE (e.g., server rooms, data centers). | The assessor will physically visit your facility and observe the implemented entry controls at access points to the CDE.This may involve observing badge reader systems, security doors, or other access control mechanisms. |
| 9.2.1.b | Interview personnel responsible for physical security. | The assessor will interview relevant personnel to understand the access control procedures in place and how access is granted to authorized individuals.This may involve reviewing access control lists (ACLs) and procedures for granting and revoking access. |
PCI DSS Requirement 9.2.1.1: Monitoring physical access to sensitive areas within the CDE
This requirement focuses on monitoring individual physical access to sensitive areas within the Cardholder Data Environment (CDE). It mandates the implementation of video cameras, physical access control mechanisms (or both) to monitor entry and exit points, ensuring:
- Monitoring Coverage: All entry and exit points to sensitive areas within the CDE are monitored.
- Tamper Protection: Monitoring devices (cameras or access control mechanisms) are protected from tampering or disabling attempts.
- Log Review and Correlation: Collected access data is reviewed, correlated with other access events, and analyzed for suspicious activity.
- Data Retention: Access data logs are securely stored for at least three months, unless legal requirements dictate otherwise.
- Sensitive Areas: Areas within the CDE containing critical systems or data, such as server rooms, data centers, or areas where cardholder data is processed or stored.
Business implication
- Enhanced Investigation Capabilities: Monitoring and logging physical access to sensitive areas within the CDE facilitates investigations in case of security incidents. It provides an audit trail of who accessed these areas, when they entered and exited, potentially aiding in identifying the source of a breach.
Best practices to meet this requirement
- Strategic Camera Placement: Position video cameras strategically to cover all entry and exit points of sensitive areas. Ensure good lighting and high enough resolution to capture clear images for identification purposes.
- Access Control System Integration: Consider integrating physical access control mechanisms with your security information and event management (SIEM) system for centralized log collection and analysis.
- Data Security and Retention: Implement appropriate security measures to protect access logs from unauthorized access or modification. Retain access data for at least three months to facilitate investigations as needed.
- Tamper Detection and Prevention: Securely mount video cameras and physically protect access control mechanisms to deter tampering attempts. Implement procedures to detect and respond to any attempts to disable these monitoring controls.
- Regular Log Review: Establish procedures for regular review of access logs, focusing on identifying suspicious activity or unauthorized access attempts.
How to comply with this PCI DSS requirement
| Requirement | Actions required | How the assessment is done |
|---|---|---|
| 9.2.1.1.a | Observe entry and exit points of sensitive areas within the CDE. | The assessor will physically visit your facility and observe the implemented monitoring mechanisms at access points to sensitive areas. This may involve verifying the presence and functionality of video cameras or physical access control systems. |
| 9.2.1.1.b | Observe the physical security of video cameras and access control mechanisms. | The assessor will assess the physical security measures in place to protect the monitoring devices from tampering or disabling. This may involve checking if cameras are tamper-proof mounted and access control systems are physically protected. |
| 9.2.1.1.c | Interview personnel responsible for physical security and access control. | The assessor will interview relevant personnel to understand procedures for log review, data retention, and response to suspicious access attempts. They may also examine sample access logs to verify data retention practices |
PCI DSS Requirement 9.2.2: Restricting publicly accessible network jacks
This requirement focuses on restricting the use of publicly accessible network jacks within your facility to prevent unauthorized devices from connecting to the network. It mandates the implementation of physical and/or logical controls to achieve this, such as:
- Publicly Accessible Network Jacks: Network jacks or ports readily available in public areas or visitor spaces within your facility.
- Physical Controls: Mechanisms that physically prevent unauthorized connection to network jacks, such as disabling unused jacks, locking patch panels, or using tamper-evident security seals.
- Logical Controls: Network configuration settings that restrict unauthorized access attempts, such as port filtering or denying network access from specific locations.
Business implication
- Reduced Risk of Unauthorized Network Access: Restricting access to publicly accessible network jacks significantly reduces the risk of unauthorized devices connecting to your network and potentially gaining access to the Cardholder Data Environment (CDE) or other sensitive systems.
Best practices to meet this requirement
- Identify Public Network Jacks: Identify all network jacks located in public areas or visitor spaces within your facility.
- Implement Controls: Implement a combination of physical and/or logical controls to restrict access to these network jacks. This may involve:
- Disabling unused network jacks.
- Locking patch panels or cabinets containing network jacks.
- Implementing port filtering on network switches to restrict unauthorized access.
- Using network access control (NAC) solutions to identify and restrict unauthorized devices.
- Visitor Management: Establish procedures for managing network access for visitors. This may involve escorting visitors at all times while in areas with network jacks or providing them with temporary, secure guest Wi-Fi access.
How to comply with this PCI DSS requirement
| Requirement | Actions required | How the assessment is done |
|---|---|---|
| 9.2.2.a | Interview personnel responsible for network security and physical security. | The assessor will interview relevant personnel to understand procedures for managing publicly accessible network jacks. This may involve discussing the implemented controls and access restriction methods. |
| 9.2.2.b | Observe locations of publicly accessible network jacks. | The assessor will physically visit your facility and observe the implemented controls on publicly accessible network jacks. This may involve verifying if unused jacks are disabled, patch panels are locked, or other physical security measures are in place. |
PCI DSS Requirement 9.2.3: Physical access to network hardware and telecommunication lines
This requirement focuses on restricting physical access to critical network hardware and telecommunication lines within your facility. It mandates the implementation of controls to prevent unauthorized individuals from tampering with or gaining access to these components, such as:
- Wireless Access Points: Devices that provide wireless network connectivity to user devices.
- Gateways: Devices that connect different networks and manage data flow between them.
- Networking/Communications Hardware: Switches, routers, firewalls, and other equipment that make up the network infrastructure.
- Telecommunication Lines: Physical cables used for voice and data communication.
Business implication
- Reduced Risk of Network Security Breaches: Restricting physical access to network hardware and telecommunication lines significantly reduces the risk of unauthorized tampering or manipulation. This helps protect the confidentiality and integrity of your network traffic and prevents potential breaches targeting the Cardholder Data Environment (CDE) or other sensitive systems.
Best practices to meet this requirement
- Identify Critical Hardware: Identify all wireless access points, gateways, networking/communications hardware, and telecommunication lines within your facility.
- Physical Security Controls: Implement physical security controls to restrict access to this equipment, such as:
- Locking equipment cabinets or server rooms.
- Using security seals on equipment doors.
- Limiting access to authorized personnel only.
- Wireless Network Security: Configure wireless access points with strong security measures, such as WPA2 encryption and complex passwords.
- Port Security: Implement port security measures on network switches to restrict unauthorized access to specific ports.
- Monitoring and Logging: Monitor network activity for suspicious access attempts or unusual traffic patterns.
How to comply with this PCI DSS requirement
| Requirement | Actions required | How the assessment is done |
|---|---|---|
| 9.2.3.a | Interview personnel responsible for network security and physical security. | The assessor will interview relevant personnel to understand procedures for managing physical access to network hardware and telecommunication lines. This may involve discussing the implemented controls and access restriction methods. |
| 9.2.3.b | Observe locations of network hardware and telecommunication lines. | The assessor will physically visit your facility and observe the implemented controls on this equipment. This may involve verifying if equipment cabinets are locked, security seals are present, and access is restricted to authorized personnel only. |
PCI DSS requirement 9.3: Physical access for personnel and visitors is authorized and managed.
This PCI DSS requirement is further divided into 9.3.1, 9.3.2, 9.3.3 and 9.3.4. Let's explore these in detail.
PCI DSS Requirement 9.3.1: Procedures for authorizing and managing physical access to the CDE
This requirement focuses on establishing documented procedures for authorizing and managing physical access of personnel to the Cardholder Data Environment (CDE). It mandates procedures to:
- Identify Personnel: Clearly identify personnel authorized to access the CDE through badges, access cards, or other means.
- Manage Access Changes: Implement a process to manage changes in an individual's access needs within the CDE, such as granting access to new areas or revoking access when no longer required.
- Revoke Terminated Access: Ensure a process exists to revoke or terminate physical access credentials (badges, access cards) when an individual's employment or access requirements change.
- Limit Access to Identification Systems: Restrict access to the system used for issuing or managing identification credentials (e.g., badge system) to authorized personnel only.
Business implication
- Reduced Risk of Unauthorized Access: Implementing documented procedures for managing physical access to the CDE minimizes the risk of unauthorized individuals gaining access to sensitive areas. This helps protect cardholder data from theft, tampering, or unauthorized modification.
Best practices to meet this requirement
- Develop Access Control Policy: Develop a clear and concise access control policy outlining procedures for granting, managing, and revoking physical access to the CDE.
- Employee Identification Badges: Implement a system for issuing employee identification badges that clearly identify authorized personnel within the CDE.
- Access Request and Approval Process: Establish a formal process for requesting and approving physical access to the CDE. This may involve background checks and justification for access needs.
- Access Reviews: Conduct periodic reviews of personnel access privileges to ensure they are still valid and aligned with current job functions.
- Limited Access to Badge System: Restrict access to the system used for managing identification credentials (e.g., badge system) to authorized personnel within the security department or IT team.
How to comply with this PCI DSS requirement
| Requirement | Actions required | How the assessment is done |
|---|---|---|
| 9.3.1.a | Examine documented access control policies and procedures. | The assessor will review your documented procedures to verify they cover all elements of this requirement, including identification methods, access change management, access revocation, and limitations on access to the identification system. |
| 9.3.1.b | Observe physical access controls and badge usage within the CDE. | The assessor will observe how personnel are identified within the CDE (e.g., badges) and verify that only authorized individuals are present. |
| 9.3.1.c | Interview personnel responsible for access control and badge management. | The assessor will interview relevant personnel to understand procedures for managing the identification system, including access controls for the system itself. |
PCI DSS Requirement 9.3.1.1: Physical access controls for sensitive areas within the CDE
This requirement focuses on controlling physical access to sensitive areas within the Cardholder Data Environment (CDE). It mandates that access is granted based on:
- Job Function: Access to sensitive areas is authorized and justified by an individual's job function and legitimate business need for access.
- Termination Procedures: Access privileges for terminated personnel are revoked immediately upon termination of employment.
- Returned or Disabled Credentials: All physical access mechanisms (keys, access cards) used by terminated personnel are returned or disabled to prevent unauthorized access.
- Sensitive Areas: Areas within the CDE containing critical systems or data, such as server rooms, data centers, or areas where cardholder data is processed or stored.
Business implication
- Enhanced Data Security: Enforcing strict physical access controls for sensitive areas minimizes the risk of unauthorized individuals gaining access to critical systems and cardholder data. This helps protect sensitive information from theft, tampering, or unauthorized modification.
Best practices to meet this requirement
- Access Control Lists (ACLs): Maintain up-to-date access control lists (ACLs) that clearly define authorized personnel and their access privileges within sensitive areas.
- Least Privilege Principle: Grant access to sensitive areas based on the principle of least privilege, ensuring personnel only have access to the specific areas and data required for their job function.
- Termination Process: Integrate clear procedures for revoking physical access privileges into your employee termination process. This may involve collecting access cards, keys, or deactivating access codes.
- Regular Reviews: Conduct periodic reviews of access control lists to ensure access privileges remain accurate and aligned with current job functions.
- Inventory and Control: Maintain an inventory of all physical access mechanisms (keys, cards) and implement procedures to track their issuance and return.
How to comply with this PCI DSS requirement
| Requirement | Actions required | How the assessment is done |
|---|---|---|
| 9.3.1.1.a | Observe personnel within sensitive areas of the CDE. | The assessor will observe personnel in sensitive areas and interview them or relevant security personnel to verify their job function and justification for access.They may also review access control lists (ACLs) to verify authorized access. |
| 9.3.1.1.b | Interview personnel responsible for access control and termination procedures. | The assessor will interview relevant personnel to understand procedures for revoking access upon termination. This may involve reviewing termination checklists or procedures. |
| 9.3.1.1.c | Examine access control lists and interview personnel responsible for access control. | The assessor will review access control lists for terminated personnel and interview relevant personnel to verify that all physical access mechanisms were returned or disabled upon termination. |
PCI DSS Requirement 9.3.2: Procedures for authorizing and managing visitor access to the CDE
This requirement focuses on establishing documented procedures for authorizing and managing visitor access to the Cardholder Data Environment (CDE). It mandates procedures to ensure:
- Pre-Authorization: Visitors are authorized for access to the CDE before they arrive on-site.
- Escort Requirement: Visitors are escorted by authorized personnel at all times while within the CDE.
- Visitor Identification: Visitors are clearly identified with badges or other temporary credentials that expire after their visit.
- Distinguishable Badges: Visitor badges or identification must be visually distinguishable from employee badges to easily identify visitors.
Business implication
- Reduced Risk of Security Incidents: Implementing strict visitor access controls minimizes the risk of unauthorized individuals gaining access to the CDE and potentially compromising cardholder data. This helps protect sensitive information and reduces the risk of security incidents.
Best practices to meet this requirement
- Develop Visitor Access Policy: Establish a clear policy outlining procedures for requesting, authorizing, and managing visitor access to the CDE.
- Pre-Approval Process: Implement a process for pre-approving visitor access requests, including verification of the visitor's identity and purpose for the visit.
- Escort Procedures: Develop clear procedures for escorting visitors within the CDE, ensuring they are accompanied by authorized personnel at all times.
- Visitor Badge System: Implement a system for issuing temporary visitor badges or identification that clearly distinguishes them from employee badges and have a defined expiration period.
- Visitor Sign-In/Sign-Out: Maintain a visitor logbook or electronic system for recording visitor arrivals and departures.
How to comply with this PCI DSS requirement
| Requirement | Actions required | How the assessment is done |
|---|---|---|
| 9.3.2.a | Examine documented visitor access procedures. | The assessor will review your documented procedures to verify they cover all elements of this requirement, including pre-authorization, escort requirements, visitor identification, and badge distinction. |
| 9.3.2.b | Observe visitor access procedures during a visit. | The assessor will observe how visitors are handled upon arrival and throughout their stay in the CDE. This may involve verifying pre-authorization and observing if visitors are escorted at all times. |
| 9.3.2.c & d | Observe visitor badges and how they are used. | The assessor will observe visitor badges and verify they are clearly distinguishable from employee badges. They may also check with personnel to confirm visitor escort procedures. |
| 9.3.2.e | Examine visitor badges and the badging system (if applicable). | The assessor will examine visitor badges to verify they have expiration dates and may observe the badging system (if used) to confirm expiration functionality. |
PCI DSS Requirement 9.3.3: Visitor badge surrender or deactivation
This requirement focuses on ensuring visitor badges or other temporary identification are surrendered or deactivated upon completion of the visit or upon expiration. It mandates that:
- Visitor Badge Collection: Visitor badges or identification are collected from visitors before they leave the facility.
- Badge Deactivation: Alternatively, if a badge system is used, visitor badges are electronically deactivated upon the visit's completion or expiration date.
Business implication
- Mitigates Risk of Unauthorized Access: Collecting or deactivating visitor badges upon departure prevents unauthorized individuals from re-using expired badges to gain access to the facility or the CDE after their visit. This helps maintain physical security and reduces the risk of potential security incidents.
Best practices to meet this requirement
- Visitor Badge Collection Procedures: Establish clear procedures for collecting visitor badges from visitors before they leave the facility. This may involve designated collection points or having escorts ensure badge return.
- Badge Deactivation Process: If using a badge system, implement a process for automatically deactivating visitor badges upon their expiration date or upon notification of a visit's completion.
- Visitor Sign-Out: Integrate visitor badge collection or deactivation with the visitor sign-out process to ensure proper procedures are followed.
How to comply with this PCI DSS requirement
| Requirement | Actions required | How the assessment is done |
|---|---|---|
| 9.3.3 | Observe visitors leaving the facility and interview personnel responsible for visitor management. | The assessor will observe how visitor badges are handled upon departure. This may involve verifying badge collection procedures or observing badge deactivation within the badge system (if applicable). They will also interview relevant personnel to understand visitor badge return or deactivation procedures. |
PCI DSS Requirement 9.3.4: Visitor logs
This requirement focuses on maintaining a visitor log to document visitor activity within the facility, particularly in sensitive areas. It mandates the visitor log capture the following information:
- Visitor Information: Visitor's name and the organization they represent.
- Access Authorization: Name of the personnel who authorized the visitor's physical access.
- Visit Details: Date and time of the visit, ideally including both entry and exit times.
The requirement also specifies that the visitor log must be retained for a minimum of three months, unless legal regulations dictate a longer retention period.
Business implication
- Enhanced Accountability: Maintaining a visitor log provides an audit trail of visitor access, enabling identification of individuals who may have accessed sensitive areas. This helps with accountability and investigation in case of security incidents.
Best practices to meet this requirement
- Visitor Log Format: Implement a visitor log in a physical logbook or an electronic system that is easy to use and maintain.
- Visitor Registration: Require visitors to register upon arrival, capturing all required information in the visitor log.
- Entry/Exit Times: Capture both entry and exit times in the visitor log for better tracking and verification of visitor presence.
- ID Verification: Verify a visitor's identity (e.g., driver's license) against the information they provide in the visitor log.
- Secure Log Storage: Store the visitor log in a secure location to prevent unauthorized access or modification.
- Regular Reviews: Periodically review visitor logs to identify any suspicious activity or trends.
How to comply with this PCI DSS requirement
| Requirement | Actions required | How the assessment is done |
|---|---|---|
| 9.3.4.a | Examine the visitor log and interview personnel responsible for visitor management. | The assessor will review the visitor log to verify its existence and usage for recording visitor access. They will also interview relevant personnel to understand visitor log procedures. |
| 9.3.4.b | Examine the visitor log entries to verify they capture the required information:Visitor name and organizationName of authorizing personnelDate and time of visit (entry and exit if possible) | The assessor will review sample entries in the visitor log to confirm they contain all the mandated information. |
| 9.3.4.c | Examine visitor log storage locations and interview personnel responsible for record retention. | The assessor will verify the secure storage location of the visitor log and interview relevant personnel to confirm the log is retained for at least three months (or as per legal requirements). |
PCI DSS requirement 9.4: Media with cardholder data is securely stored, accessed, distributed, and destroyed.
PCI DSS Requirement 9.4.1: Physical security for media with cardholder data
This requirement focuses on implementing physical security controls to safeguard all media containing cardholder data. This includes:
- Media Types: Applies to all forms of media that store cardholder data, including hard drives, backup tapes, printed reports, and portable devices (e.g., USB drives).
- Security Measures: Media with cardholder data must be stored in a secure location with restricted access, such as locked cabinets, safes, or secure rooms.
Business implication
- Reduced Risk of Data Breaches: Physically securing media with cardholder data minimizes the risk of unauthorized access, theft, or loss. This helps protect sensitive information and reduces the potential for data breaches that could damage your reputation and incur financial penalties.
Best practices to meet this requirement
- Develop Media Security Policy: Establish a clear policy outlining procedures for handling, storing, and disposing of media containing cardholder data.
- Inventory and Classification: Maintain an inventory of all media containing cardholder data and classify them based on sensitivity.
- Secure Storage Locations: Store media with cardholder data in designated secure locations with restricted access controls (locks, access cards).
- Encryption: Consider encrypting media containing sensitive cardholder data for additional protection.
- Supervision and Control: Implement procedures to ensure media with cardholder data is supervised and controlled during transport or use.
- Secure Disposal: Develop procedures for securely disposing of media containing cardholder data when it's no longer required.
How to comply with this PCI DSS requirement
| Requirement | Actions required | How the assessment is done |
|---|---|---|
| 9.4.1 | Examine documented media security policies and procedures. | The assessor will review your documented procedures to verify they address physical security controls for all media containing cardholder data. |
| 9.4.1 | Observe the storage locations for media with cardholder data. | The assessor will visit storage locations to verify they are secure (locked cabinets, safes, etc.) and access is restricted. |
This requirement is further divided into 9.4.1.1 and 9.4.1.2
PCI DSS Requirement 9.4.1.1: Secure storage for offline media backups
This requirement focuses on ensuring that offline media backups containing cardholder data are stored in a secure location. This includes:
- Offline Media Backups: Removable media (tapes, disks) used for creating backup copies of data containing cardholder information.
- Secure Storage Location: The media must be stored in a location with restricted access controls that minimizes the risk of unauthorized access, theft, or loss.
Business implication
- Protecting Sensitive Backup Data: Storing offline media backups in a secure location helps safeguard sensitive cardholder data even if the primary storage systems are compromised. This reduces the risk of a complete data loss scenario and potential financial penalties associated with a breach.
Best practices to meet this requirement
- Secure Storage Options: Consider storing offline media backups in one or more of the following secure locations:
- Off-site facility (e.g., data center, disaster recovery site)
- Secure room within your facility with restricted access controls
- Fireproof safe or locked cabinet
- Access Control Procedures: Implement access control procedures to restrict access to the storage location where backup media is kept. This may involve physical access controls (locks) or logical access controls (passwords).
- Environmental Controls: Maintain appropriate environmental controls (temperature, humidity) in the storage location to prevent damage to the backup media.
- Inventory and Tracking: Maintain an inventory of all offline media backups and implement procedures to track their movement and usage.
How to comply with this PCI DSS requirement
| Requirement | Actions required | How the assessment is done |
|---|---|---|
| 9.4.1.1.a | Examine documented media security policies and procedures. | The assessor will review your documented procedures to verify they address secure storage for offline media backups with cardholder data. |
| 9.4.1.1.b | Examine logs or other documentation and interview personnel responsible for backup storage. | The assessor will review logs or documentation (e.g., receipts from a storage facility) to verify the storage location. They will also interview relevant personnel to understand access control procedures and security measures at the storage location. |
PCI DSS Requirement 9.4.1.2: Review of offline media backup security
This requirement focuses on conducting periodic reviews of the security controls implemented at the location(s) where offline media backups containing cardholder data are stored. It mandates that these reviews are performed at least once every 12 months.
- Offline Media Backups: Includes any removable media (tapes, disks) used for creating backup copies of data containing cardholder information.
- Security Review Scope: The review should assess the effectiveness of the implemented security controls at the backup storage location.
Business implication
- Mitigating Risks Associated with Backups: Regularly reviewing the security of offline media backup locations helps ensure the effectiveness of controls in place. This minimizes the risk of unauthorized access, theft, or damage to backup media, potentially compromising sensitive cardholder data.
Best practices to meet this requirement
- Develop Review Procedures: Establish documented procedures outlining the scope, methodology, and frequency of security reviews for offline media backup locations.
- Review Team: Assign a qualified team to conduct the security review, with expertise in physical security controls.
- Review Checklist: Develop a checklist to ensure all critical security aspects of the backup location are assessed during the review. This may include access controls, environmental controls (fire suppression), and monitoring procedures.
- Review Documentation: Maintain records of security review findings, corrective actions taken, and the next review date.
How to comply with this PCI DSS requirement
| Requirement | Actions required | How the assessment is done |
|---|---|---|
| 9.4.1.2.a | Examine documented procedures for reviewing the security of offline media backup locations. | The assessor will review your documented procedures to verify they mandate reviews of backup location security at least annually. |
| 9.4.1.2.b | Examine documented review reports, logs, or other evidence. | The assessor will review records of past security reviews conducted for the backup location(s). This may include reports, logs, or checklists used during the review. |
| 9.4.1.2.b | Interview personnel responsible for the backup location. | The assessor will interview relevant personnel at the storage facility to understand how security reviews are conducted and the frequency of these reviews. |
PCI DSS Requirement 9.4.2: Classification of media with cardholder data
This requirement focuses on classifying all media containing cardholder data based on the sensitivity of the information it stores. This classification helps determine the appropriate level of security controls needed to protect the data.
- Media Types: Applies to all forms of media that store cardholder data, including hard drives, backup tapes, printed reports, and portable devices (e.g., USB drives).
- Data Sensitivity: The classification scheme should consider factors like the type of cardholder data stored (full magnetic stripe data, PAN only), the volume of data, and the potential impact of a data breach.
Business implication
- Optimized Security Measures: Classifying media by data sensitivity allows for a risk-based approach to security. You can prioritize stricter security controls for media containing highly sensitive cardholder data (e.g., full magnetic stripe data), reducing overall security costs while maintaining data protection.
Best practices to meet this requirement
- Develop Classification Scheme: Establish a documented data classification scheme that defines different sensitivity levels for cardholder data (e.g., high, medium, low).
- Classification Criteria: Define clear criteria within your classification scheme to determine the appropriate sensitivity level for different types of cardholder data.
- Media Labeling: Consider labeling media with cardholder data to reflect its classification level. This can be done through physical labels or logical tagging within file systems.
- Security Control Mapping: Develop a mapping that links data sensitivity levels to specific security controls. This ensures that media with higher classified data receives the necessary level of protection (e.g., stronger encryption, stricter access controls).
How to comply with this PCI DSS requirement
| Requirement | Actions required | How the assessment is done |
|---|---|---|
| 9.4.2.a | Examine documented media security policies and procedures. | The assessor will review your documented procedures to verify they outline a process for classifying media with cardholder data based on sensitivity. |
| 9.4.2.b | Examine media logs or other documentation (e.g., labeling). | The assessor will review logs or documentation associated with media containing cardholder data. This may involve examining media labels or reviewing entries in data inventory systems to verify classification is documented. |
PCI DSS Requirement 9.4.3: Securing media sent outside the facility
This requirement focuses on securing and tracking media containing cardholder data whenever it's sent outside your facility. It mandates the following practices:
- Media Logging: All media containing cardholder data sent outside the facility must be logged before shipment. The log should capture relevant details about the media and its contents.
- Secure Delivery Methods: Media must be shipped using a secure courier service or other traceable delivery method. This ensures the shipment can be tracked throughout its journey.
- Off-site Tracking: Maintain off-site tracking logs that document the location and status of media sent outside the facility.
Business implication
- Reduced Risk of Data Loss or Theft: Securing and tracking media shipments minimizes the risk of data loss or theft during transportation. This helps protect sensitive cardholder information and reduces the potential for financial penalties and reputational damage in case of a breach.
Best practices to meet this requirement
- Develop Secure Shipment Procedures: Establish documented procedures for securely sending media containing cardholder data outside the facility. These procedures should address logging, selection of secure delivery methods, and tracking requirements.
- Pre-approved Courier Services: Maintain a list of pre-approved courier services that meet your security standards for secure and traceable deliveries.
- Media Shipment Tracking: Implement a system for tracking media shipments throughout their journey, from pick-up to delivery. This may involve using online tracking tools provided by the courier service or maintaining a separate internal tracking log.
- Chain of Custody: Consider implementing a chain-of-custody process to document the transfer of responsibility for the media throughout the shipment process.
How to comply with this PCI DSS requirement
| Requirement | Actions required | How the assessment is done |
|---|---|---|
| 9.4.3.a | Examine documented media security policies and procedures for sending media outside the facility. | The assessor will review your documented procedures to verify they cover all aspects of securing media shipments, including logging, secure delivery methods, and off-site tracking. |
| 9.4.3.b | Interview personnel responsible for media handling and examine media shipment records. | The assessor will interview relevant personnel to understand how media shipments are handled and secured. They will also review records of past media shipments to verify logging and usage of secure delivery methods. |
| 9.4.3.c | Examine off-site tracking logs for media shipments. | The assessor will review your off-site tracking logs to verify they document details about the location and status of media sent outside the facility. |
PCI DSS Requirement 9.4.4: Management approval for media movement
This requirement focuses on ensuring that any media containing cardholder data receives management approval before it is moved outside the facility. This includes situations where the media is distributed to individual employees.
- Media Scope: Applies to all forms of media that store cardholder data, including hard drives, backup tapes, printed reports, and portable devices (e.g., USB drives).
- Management Approval: The organization's management must formally approve the movement of media containing cardholder data outside the facility. This approval process helps ensure proper oversight and accountability for sensitive data.
Business implication
- Reduced Risk of Unauthorized Data Removal: Management approval acts as a control mechanism to prevent unauthorized removal of media with cardholder data from your facility. This minimizes the risk of data breaches and potential financial penalties associated with them.
Best practices to meet this requirement
- Develop Media Movement Policy: Establish a documented policy outlining the procedures for requesting, approving, and tracking the movement of media containing cardholder data outside the facility.
- Approval Process: Define a clear process for obtaining management approval for media movement. This may involve a formal request form with justifications for the movement and details about the media contents.
- Management Roles: Designate specific individuals within management who have the authority to approve media movement requests. These individuals should have a clear understanding of data security risks.
- Training: Provide training to employees on the media movement policy and the importance of obtaining management approval before moving media containing cardholder data.
How to comply with this PCI DSS requirement
| Requirement | Actions required | How the assessment is done |
|---|---|---|
| 9.4.4.a | Examine documented media security policies and procedures for media movement. | The assessor will review your documented procedures to verify they mandate management approval for all media containing cardholder data moved outside the facility. |
| 9.4.4.b | Examine off-site media tracking logs and interview relevant personnel. | The assessor will review off-site tracking logs to verify that entries include a record of management approval for each media movement. They will also interview personnel responsible for media movement to understand how they obtain and document management approval. |
PCI DSS Requirement 9.4.5: Inventory logs for electronic media with cardholder data
This requirement focuses on maintaining accurate inventory logs of all electronic media that stores cardholder data. This includes devices like hard drives, solid-state drives, and removable storage media (USB drives, external hard drives) containing cardholder information.
- Electronic Media: This requirement applies specifically to electronic media devices used for storing cardholder data. Paper media with cardholder data is covered under a different PCI DSS requirement.
Business implication
- Enhanced Detection of Missing Media: Maintaining accurate inventory logs allows you to track all electronic media containing cardholder data. This facilitates easier identification of missing media, potentially indicating a security incident (theft, loss) that requires investigation and remediation.
Best practices to meet this requirement
- Develop Media Inventory Procedures: Establish documented procedures for creating, maintaining, and updating inventory logs of electronic media with cardholder data.
- Inventory Details: The inventory log should capture relevant details about each electronic media device, such as:
- Device type (hard drive, USB drive, etc.)
- Serial number or other unique identifier
- Capacity
- Location (physical or logical)
- Content type (e.g., backups, application data)
- Regular Inventory Updates: Implement procedures for periodically updating the inventory log to reflect any changes in the media landscape (new devices added, old ones removed, content updates).
- Automated Inventory Systems: Consider using automated inventory management systems to streamline the process of tracking and updating electronic media inventory.
How to comply with this PCI DSS requirement
| Requirement | Actions required | How the assessment is done |
|---|---|---|
| 9.4.5.a | Examine documented media security policies and procedures for inventory management. | The assessor will review your documented procedures to verify they outline a process for maintaining inventory logs of electronic media containing cardholder data. |
| 9.4.5.b | Examine electronic media inventory logs and interview personnel responsible for inventory management. | The assessor will review your inventory logs to verify they capture the required details and appear to be accurate. They will also interview relevant personnel to understand how inventory logs are maintained and updated. |
PCI DSS Requirement 9.4.6: Secure destruction of hard-copy materials with cardholder data
This requirement focuses on the secure destruction of hard-copy materials containing cardholder data when they are no longer needed for business or legal reasons. It mandates specific methods for destruction and secure storage before disposal.
- Hard-Copy Materials: This applies to any physical documents or printed reports that contain cardholder data (e.g., receipts, account statements).
- Secure Destruction Methods: The requirement specifies three acceptable methods for destroying hard-copy materials: cross-cut shredding, incineration, or pulping. These methods ensure that the data cannot be reconstructed by unauthorized individuals.
- Secure Storage: Prior to destruction, hard-copy materials with cardholder data must be stored in secure containers to prevent unauthorized access.
Business implication
- Reduced Risk of Data Breaches: Securely destroying hard-copy materials containing cardholder data minimizes the risk of information falling into the wrong hands through methods like dumpster diving. This helps protect sensitive data and reduces the potential for financial penalties and reputational damage associated with a data breach.
Best practices to meet this requirement
- Develop Media Destruction Policy: Establish a documented policy outlining procedures for securely destroying hard-copy materials containing cardholder data.
- Approved Destruction Methods: Specify the approved methods for destroying hard-copy materials (cross-cut shredding, incineration, pulping) in your policy.
- Secure Storage Containers: Use secure containers that prevent unauthorized access to store hard-copy materials awaiting destruction. Consider using locked bins or containers with tamper-evident seals.
- Vendor Services: You can outsource the secure destruction of hard-copy materials to a reputable data destruction vendor. Ensure they provide documented proof of secure disposal practices.
- Employee Training: Train employees on the importance of secure data disposal and proper handling of hard-copy materials containing cardholder data.
How to comply with this PCI DSS requirement
| Requirement | Actions required | How the assessment is done |
|---|---|---|
| 9.4.6.a | Examine documented media destruction policy. | The assessor will review your documented policy to verify it outlines procedures for destroying hard-copy materials with cardholder data in accordance with the requirement (destruction methods, secure storage). |
| 9.4.6.b | Observe the destruction process and interview personnel. | The assessor will observe the destruction process (shredding, incineration) to verify it renders the data unreadable. They will also interview personnel responsible for destruction to understand their procedures. |
| 9.4.6.c | Observe secure storage containers used for materials awaiting destruction. | The assessor will observe the containers used for storing hard-copy materials before destruction. They will verify the containers are secure and prevent unauthorized access to the data. |
PCI DSS Requirement 9.4.7: Secure destruction of electronic media with cardholder data
This requirement focuses on the secure destruction of electronic media containing cardholder data when it's no longer needed for business or legal reasons. It allows for two main approaches: physical destruction of the media or rendering the data unrecoverable through secure deletion techniques.
- Electronic Media: This applies to any electronic storage device that holds cardholder data, such as hard drives, solid-state drives, and removable media (USB drives).
- Secure Destruction Methods: The requirement provides two options for secure destruction:
- Media Destruction: Physically destroying the electronic media to render the data unreadable (e.g., shredding hard drives).
- Data Overwriting: Using software tools to overwrite the data on the media with random patterns multiple times, making it unrecoverable using standard techniques.
Business implication
- Reduced Risk of Data Breaches: Securely destroying electronic media containing cardholder data minimizes the risk of unauthorized individuals recovering information even from disposed media. This helps protect sensitive data and reduces the potential for financial penalties and reputational damage associated with a data breach.
Best practices to meet this requirement
- Develop Media Destruction Policy: Establish a documented policy outlining procedures for securely destroying electronic media containing cardholder data when it's no longer needed.
- Approved Destruction Methods: Specify the approved methods for destroying electronic media in your policy (physical destruction, secure data overwriting techniques).
- Data Overwriting Tools: Use software tools specifically designed for secure data deletion that meet industry-accepted standards. These tools overwrite the data on the media multiple times with random patterns.
- Verification of Destruction: Implement procedures to verify that the data on the media has been successfully destroyed (e.g., using data wiping verification tools).
How to comply with this PCI DSS requirement
| Requirement | Actions required | How the assessment is done |
|---|---|---|
| 9.4.7.a | Examine documented media destruction policy. | The assessor will review your documented policy to verify it outlines procedures for destroying electronic media with cardholder data in accordance with the requirement (destruction methods). |
| 9.4.7.b | Observe the media destruction process (if applicable) and interview personnel. | The assessor will observe the media destruction process (physical destruction, data overwriting) if feasible. They will interview personnel responsible for destruction to understand their procedures and the tools used for secure data deletion. |
PCI DSS requirement 9.5: Point of interaction (POI) devices are protected from tampering and unauthorized substitution.
This PCI DSS requirement is further divided into 9.5.1, 9.5.1.1, 9.5.1.2, and 9.5.1.3. Let's explore these in detail.
PCI DSS Requirement 9.5.1: Protecting point-of-interaction (POI) devices
This requirement focuses on protecting Point-of-Interaction (POI) devices from tampering and unauthorized substitution. POI devices are those that capture payment card data directly through physical interaction with the card (e.g., swiping, dipping, tapping).
- POI Devices: This applies to dedicated electronic devices used for capturing payment card data at physical locations (card readers, terminals). It excludes manual entry methods like keyboards.
- Protection Measures: The requirement mandates three key measures to protect POI devices:
- Inventory Management: Maintain an up-to-date list of all POI devices deployed within your environment. This list should include details like device type, serial number, and location.
- Regular Inspections: Conduct periodic inspections of POI devices to identify any signs of tampering (physical alterations, suspicious attachments) or unauthorized substitution (a different device present than what's listed in the inventory).
- Personnel Awareness: Train employees who interact with POI devices to be aware of suspicious behavior and how to report any instances of tampering or unauthorized substitution.
Business implication
- Reduced Risk of Card Data Skimming: Effective protection of POI devices helps prevent criminals from installing skimming devices that capture cardholder data during transactions. This reduces the risk of financial losses due to fraudulent card activity and potential fines associated with data breaches.
Best practices to meet this requirement
- Develop POI Device Security Policy: Establish a documented policy outlining procedures for managing and protecting POI devices. This policy should address inventory management, inspection procedures, and employee training.
- Inventory Management System: Implement a system for tracking all POI devices within your environment. This could be a dedicated software tool or a physical inventory log.
- Scheduled Inspections: Define a schedule for conducting regular inspections of POI devices. These inspections should be performed by trained personnel who can identify signs of tampering.
- Employee Training: Train employees who handle POI devices on how to identify suspicious activity and report any potential tampering attempts.
How to comply with this PCI DSS requirement
| Requirement | Actions required | How the assessment is done |
|---|---|---|
| 9.5.1.a | Examine documented policies and procedures for POI device management. | The assessor will review your documented procedures to verify they cover all elements of this requirement (inventory management, inspections, employee training). |
| 9.5.1.b | Review POI device inventory list and interview personnel responsible for inspections. | The assessor will examine your POI device inventory list to verify its completeness and accuracy. They will also interview personnel responsible for inspections to understand their procedures and how they identify signs of tampering. |
PCI DSS Requirement 9.5.1.1: Maintaining an up-to-date list of POI devices
This requirement focuses on maintaining a comprehensive and accurate list of all Point-of-Interaction (POI) devices within your environment. POI devices are those used for capturing payment card data through physical interaction with the card (swiping, dipping, tapping).
- POI Device Inventory: The requirement mandates maintaining a list that includes specific details about each POI device you possess.
- Make and Model: Identify the manufacturer and specific model of the POI device.
- Location: Specify the physical location where the POI device is deployed (e.g., store address, department).
- Unique Identifier: Include a unique identifier for each device, such as the serial number or another assigned ID.
Business implication
- Enhanced Detection of Missing Devices: An accurate POI device inventory allows you to track all devices and quickly identify any missing equipment. This helps detect potential security incidents like device theft or unauthorized removal, which could lead to card data breaches.
Best practices to meet this requirement
- Develop POI Device Inventory System: Establish a system for tracking all POI devices within your environment. This could be a dedicated software tool, a spreadsheet, or a physical inventory log.
- Inventory Update Procedures: Define procedures for updating the POI device inventory whenever there are changes (adding new devices, relocating existing ones, decommissioning old devices).
- Regular Inventory Reconciliation: Periodically reconcile your physical inventory of POI devices with the documented list to ensure accuracy.
How to comply with this PCI DSS requirement
| Requirement | Actions required | How the assessment is done |
|---|---|---|
| 9.5.1.1.a | Examine the documented POI device inventory list. | The assessor will review your POI device inventory to verify it includes all the required details (make/model, location, unique identifier) for each device. |
| 9.5.1.1.b | Observe a sample of POI devices and their locations and compare them to the inventory list. | The assessor will select a sample of POI devices and physically verify their presence at the locations listed in the inventory. |
| 9.5.1.1.c | Interview personnel responsible for POI device management. | The assessor will interview personnel responsible for managing POI devices to understand their procedures for updating the inventory list when there are changes (additions, removals, relocations). |
PCI DSS Requirement 9.5.1.2: Periodic inspections of POI device surfaces
This requirement focuses on conducting regular inspections of Point-of-Interaction (POI) device surfaces to detect signs of tampering or unauthorized substitution. POI devices are those used for capturing payment card data through physical interaction with the card (swiping, dipping, tapping).
- POI Device Inspections: The requirement mandates regular visual inspections of POI devices to identify any physical alterations or indications that the device might have been tampered with or replaced with a fraudulent one.
Business implication
- Early Detection of Skimming Devices: Regular inspections of POI devices help identify skimming attachments or fraudulent devices before they can be used to capture cardholder data. This minimizes the potential financial losses from fraudulent transactions and the reputational damage associated with a data breach.
Best practices to meet this requirement
- Develop POI Device Inspection Procedures: Establish documented procedures outlining the process for conducting periodic inspections of POI devices. These procedures should specify the frequency of inspections, what to look for during inspections, and who is responsible for conducting them.
- Inspection Training: Train personnel responsible for inspecting POI devices on how to identify potential signs of tampering, such as unusual attachments, changes in device appearance, or damaged security labels.
- Inspection Checklists: Develop checklists to guide inspectors during their examination of POI devices. These checklists should list specific areas to examine and potential signs of tampering.
- Documentation of Inspections: Maintain records of completed POI device inspections, including the date, inspector name, any observations made, and any corrective actions taken.
How to comply with this PCI DSS requirement
| Requirement | Actions required | How the assessment is done |
|---|---|---|
| 9.5.1.2.a | Examine documented procedures for POI device inspections. | The assessor will review your documented procedures to verify they outline a process for periodically inspecting POI device surfaces for signs of tampering and unauthorized substitution. |
| 9.5.1.2.b | Interview personnel responsible for inspections and observe the inspection process (if applicable). | The assessor will interview personnel responsible for conducting inspections to understand their training and how they identify signs of tampering. They may also observe the inspection process if feasible to verify proper procedures are followed. |
PCI DSS Requirement 9.5.1.3: Training for personnel in POI environments
This requirement focuses on providing training to personnel who work in Point-of-Interaction (POI) environments to ensure they are aware of potential tampering attempts and understand procedures for protecting POI devices. POI devices are those used for capturing payment card data through physical interaction with the card (swiping, dipping, tapping).
- POI Environment Personnel: This applies to any employee who works in an area where POI devices are located, including cashiers, sales associates, and maintenance staff.
- Security Awareness Training: The requirement mandates training that covers specific areas related to POI device security:
- Verifying Third-Party Personnel: Employees should be trained on how to verify the identity of anyone claiming to be maintenance or repair personnel before granting them access to POI devices. This includes verifying work orders and contacting the authorized maintenance company for confirmation.
- Device Verification Procedures: Personnel should understand procedures for ensuring proper installation, replacement, or return of POI devices. This may involve verifying device details against an inventory list before deployment.
- Suspicious Activity Awareness: Employees need to be trained to identify suspicious behavior around POI devices, such as unauthorized individuals tampering with devices or attempting to unplug them.
- Reporting Procedures: Personnel should be aware of established procedures for reporting any suspicious activity or indications of device tampering or substitution. This may involve reporting to a manager, security officer, or designated contact.
Business implication
- Reduced Risk of Social Engineering Attacks: Training employees to be vigilant and identify suspicious behavior around POI devices helps prevent criminals from posing as authorized personnel to gain access and tamper with devices. This minimizes the risk of card data breaches and associated financial losses.
Best practices to meet this requirement
- Develop POI Security Awareness Program: Establish a formal training program to educate personnel in POI environments about protecting these devices.
- Training Content: Include all elements specified in the requirement within your training program.
- Verification Procedures: Clearly define procedures for verifying the identity of third-party personnel and verifying devices before installation, replacement, or return.
- Suspicious Activity Guidance: Provide clear examples of suspicious behavior around POI devices to help employees identify potential threats.
- Reporting Channels: Establish clear communication channels for employees to report suspicious activity or concerns about POI device tampering.
How to comply with this PCI DSS requirement
| Requirement | Actions required | How the assessment is done |
|---|---|---|
| 9.5.1.3.a | Review training materials for POI environment personnel. | The assessor will review your training materials to verify they cover all elements of this requirement (verifying third-party personnel, device verification procedures, suspicious activity awareness, reporting procedures). |
| 9.5.1.3.b | Interview personnel in POI environments to verify training completion and understanding. | The assessor will interview personnel who work in POI environments to ensure they have received training and understand the procedures for all elements specified in the requirement. |
