PCI requirement 9: is your physical data security strong enough?
Start an inventory for PCI requirement 9
You can’t protect cardholder data if you don’t know where it is. Start by creating an inventory of all systems that store, process, transmit or can affect the security of cardholder data. List applications running on these systems, including version number, so you can stay on top of known vulnerabilities. Identify the physical locations of these systems and who should have access to them.
Servers, firewalls, workstations and laptops are easy to remember, but keep in mind other items that need to be physically protected, such as:
- Wireless access points
- Network jacks
- Telecommunication lines
- External hard drives
- Paper records
Restrict and monitor access to payment card data
It’s important to have a way to identify employees and visitors and tell them apart, such as badges. You also need a way to monitor and log anyone who accesses a sensitive area, such as video cameras and access logs.
Make sure you have a way to remove access when a visitor’s stay ends or an employee is terminated. Ensure that all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.
If your organization collects credit card info in a similar manner, any paper forms should be designed to keep sensitive information separate from the rest of the order info.
POS devices
If your organization has card-reading POS devices used in card-present transactions (e.g. swipe or dip), the PCI DSS includes specific requirements for protecting them:
- Maintain an up-to-date list of all devices, including physical location, serial numbers, and make/model.
- Periodically inspect devices to ensure they haven’t been tampered with. Make sure serial numbers match, and check that seals haven’t been broken.
- Provide training to help staff conduct good device inspections, detect suspicious activity around payment devices, and know what to do when third parties claim they need to work on the system.
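The device list and the periodic inspection described above can be cross-checked mechanically. The Python sketch below is an added example, not part of the original article or any SecurityMetrics tooling; the device IDs, serial numbers, record layout and the 30-day inspection interval are constructed assumptions (the article says only "periodically").

```python
from datetime import date

# Constructed sample inventory with the fields the list above calls for.
INVENTORY = {
    "POS-01": {"serial": "SN-A1001", "model": "ExampleCo T100", "location": "Register 1"},
    "POS-02": {"serial": "SN-A1002", "model": "ExampleCo T100", "location": "Register 2"},
    "POS-03": {"serial": "SN-B2001", "model": "ExampleCo M20", "location": "Patio handheld"},
}

# Constructed inspection log, one record per device check on a walk-through.
INSPECTIONS = [
    {"device": "POS-01", "date": date(2024, 5, 2), "serial_seen": "SN-A1001", "seal_intact": True},
    {"device": "POS-02", "date": date(2024, 4, 1), "serial_seen": "SN-A1002", "seal_intact": True},
    {"device": "POS-02", "date": date(2024, 5, 2), "serial_seen": "SN-A9999", "seal_intact": True},
    {"device": "POS-03", "date": date(2024, 3, 1), "serial_seen": "SN-B2001", "seal_intact": False},
    {"device": "POS-04", "date": date(2024, 5, 2), "serial_seen": "SN-C3001", "seal_intact": True},
]

MAX_AGE_DAYS = 30  # assumption: inspection interval chosen for this example

def review(inventory, inspections, today, max_age_days=MAX_AGE_DAYS):
    """Return (device, issue) pairs from each device's most recent inspection."""
    findings, latest = [], {}
    for rec in inspections:
        dev = rec["device"]
        if dev not in inventory:
            findings.append((dev, "device not in inventory"))
        elif dev not in latest or rec["date"] > latest[dev]["date"]:
            latest[dev] = rec  # keep only the newest record per device
    for dev, item in inventory.items():
        rec = latest.get(dev)
        if rec is None:
            findings.append((dev, "never inspected"))
            continue
        if rec["serial_seen"] != item["serial"]:
            findings.append((dev, "serial number mismatch"))
        if not rec["seal_intact"]:
            findings.append((dev, "seal broken"))
        if (today - rec["date"]).days > max_age_days:
            findings.append((dev, "inspection overdue"))
    return findings

if __name__ == "__main__":
    for dev, issue in review(INVENTORY, INSPECTIONS, date(2024, 5, 10)):
        print(f"{dev}: {issue}")
```

Any finding should go to whoever handles suspected tampering rather than being corrected in the inventory on the spot.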
Securely delete credit card data
The best way to keep cardholder data secure is not to retain it any longer than is strictly necessary. Create a schedule for reviewing media that contains cardholder data, and securely destroy that media when it is no longer needed.
- Keep doors to secure areas closed and locked
- Store mobile devices in secure areas when not in use
- Use screensavers and privacy monitors on computers
- Install and use blinds in office windows
- Include physical security in your security awareness program
Jen Stone (MSCIS, CISSP, QSA) is a Principal Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.