
[PCI_DSS] Requirement 9: Restrict physical access to cardholder data


- 9.1 Use appropriate facility entry controls to limit and monitor physical access to systems that store, process, or transmit cardholder data.
  - 9.1.1 Use cameras to monitor sensitive areas. Audit collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.
  - 9.1.2 Restrict physical access to publicly accessible network jacks.
  - 9.1.3 Restrict physical access to wireless access points, gateways, and handheld devices.
- 9.2 Develop procedures to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder data is accessible. "Employee" refers to full-time and part-time employees, temporary employees and personnel, and consultants who are resident on the entity's site. A "visitor" is defined as a vendor, guest of an employee, service personnel, or anyone who needs to enter the facility for a short duration, usually not more than one day.
- 9.3 Make sure all visitors are handled as follows (9.3.1 to 9.3.3):
  - 9.3.1 Authorized before entering areas where cardholder data is processed or maintained.
  - 9.3.2 Given a physical token (for example, a badge or access device) that expires and that identifies the visitors as non-employees.
  - 9.3.3 Asked to surrender the physical token before leaving the facility or at the date of expiration.
- 9.4 Use a visitor log to maintain a physical audit trail of visitor activity. Retain this log for a minimum of three months, unless otherwise restricted by law.
- 9.5 Store media back-ups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility.
- 9.6 Physically secure all paper and electronic media (including computers, electronic media, networking and communications hardware, telecommunication lines, paper receipts, paper reports, and faxes) that contain cardholder data.
- 9.7 Maintain strict control over the internal or external distribution of any kind of media that contains cardholder data, including the following:
  - 9.7.1 Classify the media so it can be identified as confidential.
  - 9.7.2 Send the media by secured courier or other delivery method that can be accurately tracked.
- 9.8 Ensure management approves any and all media that is moved from a secured area (especially when media is distributed to individuals).
- 9.9 Maintain strict control over the storage and accessibility of media that contains cardholder data.
  - 9.9.1 Properly inventory all media and make sure it is securely stored.
- 9.10 Destroy media containing cardholder data when it is no longer needed for business or legal reasons, as follows:
  - 9.10.1 Cross-cut shred, incinerate, or pulp hardcopy materials.
  - 9.10.2 Purge, degauss, shred, or otherwise destroy electronic media so that cardholder data cannot be reconstructed.