
Requirement 9.1

Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.

Testing Procedure

9.1
Verify the existence of physical security controls for each computer room, data center, and other physical areas with systems in the cardholder data environment.

  • Verify that access is controlled with badge readers or other devices including authorized badges and lock and key.
  • Observe a system administrator’s attempt to log into consoles for randomly selected systems in the cardholder environment and verify that they are “locked” to prevent unauthorized use.

Guidance

Without physical access controls, such as badge systems and door controls, unauthorized persons could potentially gain access to the facility to steal, disable, disrupt, or destroy critical systems and cardholder data.

Locking console login screens prevents unauthorized persons from gaining access to sensitive information, altering system configurations, introducing vulnerabilities into the network, or destroying records.

Requirement 9.1.1

Use video cameras and/or access control mechanisms to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.

Note: “Sensitive areas” refers to any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes public-facing areas where only point-of-sale terminals are present, such as the cashier areas in a retail store.

Testing Procedure

9.1.1.a
Verify that video cameras and/or access control mechanisms are in place to monitor the entry/exit points to sensitive areas.

9.1.1.b
Verify that video cameras and/or access control mechanisms are protected from tampering or disabling.

9.1.1.c
Verify that data from video cameras and/or access control mechanisms is reviewed, and that data is stored for at least three months.

Guidance

When investigating physical breaches, these controls can help identify the individuals that physically accessed the sensitive areas, as well as when they entered and exited.

Criminals attempting to gain physical access to sensitive areas will often attempt to disable or bypass the monitoring controls. To protect these controls from tampering, video cameras could be positioned so they are out of reach and/or be monitored to detect tampering. Similarly, access control mechanisms could be monitored or have physical protections installed to prevent them being damaged or disabled by malicious individuals.

Examples of sensitive areas include corporate database server rooms, back-office rooms at retail locations that store cardholder data, and storage areas for large quantities of cardholder data. Sensitive areas should be identified by each organization to ensure the appropriate physical monitoring controls are implemented.

Requirement 9.1.2

Implement physical and/or logical controls to restrict access to publicly accessible network jacks.

For example, network jacks located in public areas and areas accessible to visitors could be disabled and only enabled when network access is explicitly authorized. Alternatively, processes could be implemented to ensure that visitors are escorted at all times in areas with active network jacks.

Testing Procedure

9.1.2
Interview responsible personnel and observe locations of publicly accessible network jacks to verify that physical and/or logical controls are in place to restrict access to publicly accessible network jacks.

Guidance

Restricting access to network jacks (or network ports) prevents malicious individuals from plugging into readily available network jacks and gaining access to internal network resources.

Whether logical or physical controls, or a combination of both, are used, they should be sufficient to prevent an individual or device that is not explicitly authorized from being able to connect to the network.

Requirement 9.1.3

Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines.

Testing Procedure

9.1.3
Verify that physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines is appropriately restricted.

Guidance

Without security over access to wireless components and devices, malicious users could use an organization’s unattended wireless devices to access network resources, or even connect their own devices to the wireless network to gain unauthorized access. Additionally, securing networking and communications hardware prevents malicious users from intercepting network traffic or physically connecting their own devices to wired network resources.

Requirement 9.2

Develop procedures to easily distinguish between onsite personnel and visitors, to include:

  • Identifying onsite personnel and visitors (for example, assigning badges)
  • Changes to access requirements
  • Revoking or terminating onsite personnel and expired visitor identification (such as ID badges).

Testing Procedure

9.2.a
Review documented processes to verify that procedures are defined for identifying and distinguishing between onsite personnel and visitors.

Verify procedures include the following:

  • Identifying onsite personnel and visitors (for example, assigning badges), authentication method(s).
  • Changing access requirements, and
  • Revoking terminated onsite personnel and expired visitor identification (such as ID badges)

9.2.b
Examine identification methods (such as ID badges) and observe processes for identifying and distinguishing between onsite personnel and visitors to verify that:

  • Visitors are clearly identified, and
  • It is easy to distinguish between onsite personnel and visitors.

9.2.c
Verify that access to the identification process (such as a badge system) is limited to authorized personnel.

Guidance

Identifying authorized visitors so they are easily distinguished from onsite personnel prevents unauthorized visitors from being granted access to areas containing cardholder data.

Requirement 9.3

Control physical access for onsite personnel to sensitive areas as follows:

  • Access must be authorized and based on individual job function.
  • Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.

Testing Procedure

9.3.a
For a sample of onsite personnel with physical access to sensitive areas, interview responsible personnel and observe access control lists to verify that:

  • Access to the sensitive area is authorized.
  • Access is required for the individual’s job function.

9.3.b
Observe personnel accessing sensitive areas to verify that all personnel are authorized before being granted access.

9.3.c
Select a sample of recently terminated employees and review access control lists to verify the personnel do not have physical access to sensitive areas.

Guidance

Controlling physical access to sensitive areas helps ensure that only authorized personnel with a legitimate business need are granted access.

When personnel leave the organization, all physical access mechanisms should be returned or disabled promptly (as soon as possible) upon their departure, to ensure personnel cannot gain physical access to sensitive areas once their employment has ended.
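The review steps above (9.1.1.c: review collected access data and retain it for three months; 9.3.c: terminated personnel must no longer have physical access; 9.4.2/9.4.3: visitor identification expires) can be run as a routine check over a badge-reader export. The following is an added example, not part of the standard or of any PCI SSC tooling; the log line format, the roster fields and all badges, names and dates are constructed assumptions.

```python
from datetime import date, datetime, timedelta

# Constructed sample roster (not real people or badges). Onsite personnel carry a
# termination_date (None while employed); visitor badges carry the authorised
# visit window, since visitor identification must expire (9.4.2).
ROSTER = {
    "B1001": {"name": "A. Example", "type": "onsite", "termination_date": None},
    "B1002": {"name": "B. Example", "type": "onsite", "termination_date": date(2014, 3, 10)},
    "V2001": {"name": "C. Visitor", "type": "visitor",
              "valid_from": datetime(2014, 3, 12, 9, 0),
              "valid_to": datetime(2014, 3, 12, 17, 0)},
}

# Constructed badge-reader export, one swipe per line:
# <ISO timestamp> <door> <badge id> <GRANTED|DENIED>. The format is an assumption.
BADGE_LOG = """\
2014-03-12T08:55:10 DC-EAST-DOOR B1001 GRANTED
2014-03-12T09:15:42 DC-EAST-DOOR V2001 GRANTED
2014-03-12T18:30:05 DC-EAST-DOOR V2001 GRANTED
2014-03-13T07:02:11 SERVER-ROOM-2 B1002 GRANTED
2014-03-13T07:05:59 SERVER-ROOM-2 B9999 GRANTED
2014-03-13T07:06:30 SERVER-ROOM-2 B9999 DENIED
"""


def parse_badge_log(text):
    """Turn the raw export into event dicts with real datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, door, badge, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "door": door,
                       "badge": badge, "result": result})
    return events


def review_badge_events(events, roster):
    """Correlate granted entries with the roster; return (ts, badge, door, code) findings."""
    findings = []
    for ev in events:
        if ev["result"] != "GRANTED":
            continue  # only successful entries matter for this check
        holder = roster.get(ev["badge"])
        if holder is None:
            findings.append((ev["ts"], ev["badge"], ev["door"], "UNKNOWN_BADGE"))
        elif holder["type"] == "onsite":
            term = holder["termination_date"]
            # Strictly after the termination date; same-day swipes need manual review.
            if term is not None and ev["ts"].date() > term:
                findings.append((ev["ts"], ev["badge"], ev["door"], "TERMINATED_BADGE_USED"))
        else:
            if not (holder["valid_from"] <= ev["ts"] <= holder["valid_to"]):
                findings.append((ev["ts"], ev["badge"], ev["door"], "VISITOR_OUTSIDE_WINDOW"))
    return findings


def retention_covers(events, as_of, min_days=90):
    """9.1.1.c: the retained log must reach back at least three months from as_of."""
    if isinstance(as_of, str):
        as_of = datetime.fromisoformat(as_of)
    if not events:
        return False
    oldest = min(ev["ts"] for ev in events)
    return as_of - oldest >= timedelta(days=min_days)


if __name__ == "__main__":
    evs = parse_badge_log(BADGE_LOG)
    for finding in review_badge_events(evs, ROSTER):
        print(*finding)
    print("retention ok:", retention_covers(evs, "2014-06-15"))
```

On the constructed sample the review flags the visitor badge used after its window closed, the terminated employee's badge still opening a server room, and a badge that is not on the roster at all; the denied swipe is left for the reader to review separately. The three-month check is deliberately a lower bound: a log that reaches back further is fine, one that does not fails 9.1.1.c.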

Requirement 9.4

Implement procedures to identify and authorize visitors. Procedures should include the following:

Testing Procedure

9.4
Verify that visitor authorization and access controls are in place as follows:

Guidance for 9.4 through 9.4.4

Visitor controls are important to reduce the ability of unauthorized and malicious persons to gain access to facilities (and potentially, to cardholder data).

Visitor controls ensure visitors are identifiable as visitors so personnel can monitor their activities, and that their access is restricted to just the duration of their legitimate visit.

Ensuring that visitor badges are returned upon expiry or completion of the visit prevents malicious persons from using a previously authorized pass to gain physical access into the building after the visit has ended.

A visitor log documenting minimum information on the visitor is easy and inexpensive to maintain and will assist in identifying physical access to a building or room, and potential access to cardholder data.

Requirement 9.4.1

Visitors are authorized before entering, and escorted at all times within, areas where cardholder data is processed or maintained.

Testing Procedure

9.4.1.a
Observe procedures and interview personnel to verify that visitors must be authorized before they are granted access to, and escorted at all times within, areas where cardholder data is processed or maintained.

9.4.1.b
Observe the use of visitor badges or other identification to verify that a physical token badge does not permit unescorted access to physical areas where cardholder data is processed or maintained.

Requirement 9.4.2

Visitors are identified and given a badge or other identification that expires and that visibly distinguishes the visitors from onsite personnel.

Testing Procedure

9.4.2.a
Observe people within the facility to verify the use of visitor badges or other identification, and that visitors are easily distinguishable from onsite personnel.

9.4.2.b
Verify that visitor badges or other identification expire.

Requirement 9.4.3

Visitors are asked to surrender the badge or identification before leaving the facility or at the date of expiration.

Testing Procedure

9.4.3
Observe visitors leaving the facility to verify visitors are asked to surrender their badge or other identification upon departure or expiration.

Requirement 9.4.4

A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted.

Document the visitor’s name, the firm represented, and the onsite personnel authorizing physical access on the log.

Retain this log for a minimum of three months, unless otherwise restricted by law.

Testing Procedure

9.4.4.a
Verify that a visitor log is in use to record physical access to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted.

9.4.4.b
Verify that the log contains:

  • The visitor’s name,
  • The firm represented, and
  • The onsite personnel authorizing physical access

9.4.4.c
Verify that the log is retained for at least three months.

Requirement 9.5

Physically secure all media.

Testing Procedure

9.5
Verify that procedures for protecting cardholder data include controls for physically securing all media (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes).

Guidance

Controls for physically securing media are intended to prevent unauthorized persons from gaining access to cardholder data on any type of media. Cardholder data is susceptible to unauthorized viewing, copying, or scanning if it is unprotected while it is on removable or portable media, printed out, or left on someone’s desk.

Requirement 9.5.1

Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location’s security at least annually.

Testing Procedure

9.5.1.a
Observe the storage location’s physical security to confirm that backup media storage is secure.

9.5.1.b
Verify that the storage location security is reviewed at least annually.

Guidance

If stored in a non-secured facility, backups that contain cardholder data may easily be lost, stolen, or copied for malicious intent.

Periodically reviewing the storage facility enables the organization to address identified security issues in a timely manner, minimizing the potential risk.

Requirement 9.6

Maintain strict control over the internal or external distribution of any kind of media, including the following:

Testing Procedure

9.6
Verify that a policy exists to control distribution of media, and that the policy covers all distributed media including that distributed to individuals.

Guidance

Procedures and processes help protect cardholder data on media distributed to internal and/or external users. Without such procedures data can be lost or stolen and used for fraudulent purposes.

Requirement 9.6.1

Classify media so the sensitivity of the data can be determined.

Testing Procedure

9.6.1
Verify that all media is classified so the sensitivity of the data can be determined.

Guidance

It is important that media be identified such that its classification status can be easily discernible. Media not identified as confidential may not be adequately protected or may be lost or stolen.

Note: This does not mean the media needs to have a “Confidential” label attached; the intent is that the organization has identified media that contains sensitive data so it can protect it.

Requirement 9.6.2

Send the media by secured courier or other delivery method that can be accurately tracked.

Testing Procedure

9.6.2.a
Interview personnel and examine records to verify that all media sent outside the facility is logged and sent via secured courier or other delivery method that can be tracked.

9.6.2.b
Select a recent sample of several days of offsite tracking logs for all media, and verify tracking details are documented.

Guidance

Media may be lost or stolen if sent via a non-trackable method such as regular postal mail. Use of secure couriers to deliver any media that contains cardholder data allows organizations to use their tracking systems to maintain inventory and location of shipments.

Requirement 9.6.3

Ensure management approves any and all media that is moved from a secured area (including when media is distributed to individuals).

Testing Procedure

9.6.3
Select a recent sample of several days of offsite tracking logs for all media. From examination of the logs and interviews with responsible personnel, verify proper management authorization is obtained whenever media is moved from a secured area (including when media is distributed to individuals).

Guidance

Without a firm process for ensuring that all media movements are approved before the media is removed from secure areas, the media would not be tracked or appropriately protected, and its location would be unknown, leading to lost or stolen media.

Requirement 9.7

Maintain strict control over the storage and accessibility of media.

Testing Procedure

9.7
Obtain and examine the policy for controlling storage and maintenance of all media and verify that the policy requires periodic media inventories.

Guidance for 9.7 and 9.7.1

Without careful inventory methods and storage controls, stolen or missing media could go unnoticed for an indefinite amount of time. If media is not inventoried, stolen or lost media may not be noticed for a long time or at all.

Requirement 9.7.1

Properly maintain inventory logs of all media and conduct media inventories at least annually.

Testing Procedure

9.7.1
Review media inventory logs to verify that logs are maintained and media inventories are performed at least annually.

Requirement 9.8

Destroy media when it is no longer needed for business or legal reasons as follows:

Testing Procedure

9.8
Examine the periodic media destruction policy and verify that it covers all media and defines requirements for the following:

  • Hard-copy materials must be crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.
  • Storage containers used for materials that are to be destroyed must be secured.
  • Cardholder data on electronic media must be rendered unrecoverable (e.g., via a secure wipe program in accordance with industry-accepted standards for secure deletion, or by physically destroying the media).

Guidance for 9.8 through 9.8.2

If steps are not taken to destroy information contained on hard disks, portable drives, CD/DVDs, or paper prior to disposal, malicious individuals may be able to retrieve information from the disposed media, leading to a data compromise. For example, malicious individuals may use a technique known as “dumpster diving,” where they search through trashcans and recycle bins looking for information they can use to launch an attack.

Securing storage containers used for materials that are going to be destroyed prevents sensitive information from being captured while the materials are being collected. For example, “to-be-shredded” containers could have a lock preventing access to their contents or physically prevent access to the inside of the container.

Examples of methods for securely destroying electronic media include secure wiping, degaussing, or physical destruction (such as grinding or shredding hard disks).

Requirement 9.8.1

Shred, incinerate, or pulp hard-copy materials so that cardholder data cannot be reconstructed. Secure storage containers used for materials that are to be destroyed.

Testing Procedure

9.8.1.a
Interview personnel and examine procedures to verify that hard-copy materials are crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.

9.8.1.b
Examine storage containers used for materials that contain information to be destroyed to verify that the containers are secured.

Requirement 9.8.2

Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.

Testing Procedure

9.8.2
Verify that cardholder data on electronic media is rendered unrecoverable (e.g., via a secure wipe program in accordance with industry-accepted standards for secure deletion, or by physically destroying the media).

Requirement 9.9

Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.

Note: These requirements apply to card-reading devices used in card-present transactions (that is, card swipe or dip) at the point of sale. This requirement is not intended to apply to manual key-entry components such as computer keyboards and POS keypads.

Note: Requirement 9.9 is a best practice until June 30, 2015, after which it becomes a requirement.

Testing Procedure

9.9
Examine documented policies and procedures to verify they include:

  • Maintaining a list of devices
  • Periodically inspecting devices to look for tampering or substitution
  • Training personnel to be aware of suspicious behavior and to report tampering or substitution of devices.

Guidance

Criminals attempt to steal cardholder data by stealing and/or manipulating card-reading devices and terminals. For example, they will try to steal devices so they can learn how to break into them, and they often try to replace legitimate devices with fraudulent devices that send them payment card information every time a card is entered. Criminals will also try to add “skimming” components to the outside of devices, which are designed to capture payment card details before they even enter the device—for example, by attaching an additional card reader on top of the legitimate card reader so that the payment card details are captured twice: once by the criminal’s component and then by the device’s legitimate component. In this way, transactions may still be completed without interruption while the criminal is “skimming” the payment card information during the process.

This requirement is recommended, but not required, for manual key-entry components such as computer keyboards and POS keypads.

Additional best practices on skimming prevention are available on the PCI SSC website.

Requirement 9.9.1

Maintain an up-to-date list of devices. The list should include the following:

  • Make, model of device
  • Location of device (for example, the address of the site or facility where the device is located)
  • Device serial number or other method of unique identification.

Testing Procedure

9.9.1.a
Examine the list of devices to verify it includes:

  • Make, model of device
  • Location of device (for example, the address of the site or facility where the device is located)
  • Device serial number or other method of unique identification.

9.9.1.b
Select a sample of devices from the list and observe devices and device locations to verify that the list is accurate and up to date.

9.9.1.c
Interview personnel to verify the list of devices is updated when devices are added, relocated, decommissioned, etc.

Guidance

Keeping an up-to-date list of devices helps an organization keep track of where devices are supposed to be, and quickly identify if a device is missing or lost.

The method for maintaining a list of devices may be automated (for example, a device-management system) or manual (for example, documented in electronic or paper records). For on-the-road devices, the location may include the name of the personnel to whom the device is assigned.

Requirement 9.9.2

Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).

Note: Examples of signs that a device might have been tampered with or substituted include unexpected attachments or cables plugged into the device, missing or changed security labels, broken or differently colored casing, or changes to the serial number or other external markings.

Testing Procedure

9.9.2.a
Examine documented procedures to verify processes are defined to include the following:

  • Procedures for inspecting devices
  • Frequency of inspections.

9.9.2.b
Interview responsible personnel and observe inspection processes to verify:

  • Personnel are aware of procedures for inspecting devices.
  • All devices are periodically inspected for evidence of tampering and substitution.

Guidance

Regular inspections of devices will help organizations to more quickly detect tampering or replacement of a device, and thereby minimize the potential impact of using fraudulent devices.

The type of inspection will depend on the device—for example, photographs of devices that are known to be secure can be used to compare a device’s current appearance with its original appearance to see whether it has changed. Another option may be to use a secure marker pen, such as a UV light marker, to mark device surfaces and device openings so any tampering or replacement will be apparent. Criminals will often replace the outer casing of a device to hide their tampering, and these methods may help to detect such activities. Device vendors may also be able to provide security guidance and “how to” guides to help determine whether the device has been tampered with.

The frequency of inspections will depend on factors such as location of device and whether the device is attended or unattended. For example, devices left in public areas without supervision by the organization’s personnel may have more frequent inspections than devices that are kept in secure areas or are supervised when they are accessible to the public. The type and frequency of inspections is determined by the merchant, as defined by their annual risk-assessment process.
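Requirements 9.9.1 and 9.9.2 together describe a reconciliation: the device list (make/model, location, serial) is compared against what an inspector actually finds, so that a missing device, an unlisted device, or a serial that does not match the one recorded for a location (the substitution check in 9.9.2) stands out, and devices whose last inspection is older than the interval set by the risk assessment are surfaced. The following is an added example of that reconciliation, not part of the standard or of any PCI SSC tooling; the inventory, the walk-round report, the field names and the 60-day interval are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed inventory in the shape 9.9.1 asks for (make/model, location,
# serial), plus the date of the last inspection. Not real devices.
INVENTORY = [
    {"make_model": "ExampleCo PT-100", "location": "Store 12 / Lane 1",
     "serial": "SN-0001", "last_inspected": date(2015, 5, 2)},
    {"make_model": "ExampleCo PT-100", "location": "Store 12 / Lane 2",
     "serial": "SN-0002", "last_inspected": date(2015, 3, 1)},
    {"make_model": "ExampleCo PT-100", "location": "Store 12 / Lane 3",
     "serial": "SN-0003", "last_inspected": date(2015, 5, 2)},
]

# Constructed walk-round report: what the inspector saw at each location.
INSPECTION = [
    {"location": "Store 12 / Lane 1", "serial": "SN-0001"},
    {"location": "Store 12 / Lane 2", "serial": "SN-7777"},  # serial differs from the list
    {"location": "Store 12 / Lane 4", "serial": "SN-0004"},  # location not on the list
    # Lane 3 does not appear: the inspector found no device there.
]


def reconcile(inventory, inspection, as_of, max_interval_days):
    """Compare the list with the inspection; return (location, serial, code) findings.

    as_of may be a date or an ISO date string; max_interval_days is the
    inspection frequency the merchant's risk assessment defines (assumed here).
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    by_location = {d["location"]: d for d in inventory}
    by_serial = {d["serial"]: d for d in inventory}
    observed_locations = set()
    findings = []

    # Pass 1: every device the inspector saw must match the list entry for that location.
    for obs in inspection:
        observed_locations.add(obs["location"])
        expected = by_location.get(obs["location"])
        if expected is None:
            findings.append((obs["location"], obs["serial"], "NOT_ON_LIST"))
        elif obs["serial"] != expected["serial"]:
            # A serial known elsewhere on the list means a move the list missed (9.9.1.c);
            # a serial the list has never seen is a possible swap (9.9.2).
            code = "RELOCATED_WITHOUT_UPDATE" if obs["serial"] in by_serial else "SUBSTITUTION_SUSPECTED"
            findings.append((obs["location"], obs["serial"], code))

    # Pass 2: every listed device must have been seen, and seen recently enough.
    for d in inventory:
        if d["location"] not in observed_locations:
            findings.append((d["location"], d["serial"], "NOT_OBSERVED"))
        if as_of - d["last_inspected"] > timedelta(days=max_interval_days):
            findings.append((d["location"], d["serial"], "INSPECTION_OVERDUE"))
    return findings


if __name__ == "__main__":
    for finding in reconcile(INVENTORY, INSPECTION, "2015-05-20", max_interval_days=60):
        print(*finding)
```

The two passes deliberately check in both directions: pass 1 catches devices the list does not explain (an unlisted terminal, or a wrong serial at a listed lane), pass 2 catches listed devices the inspection did not account for. On the constructed data the Lane 2 mismatch is reported as a suspected substitution because SN-7777 appears nowhere on the list, whereas a serial that belongs to another lane is reported as an unrecorded move, which is a list-maintenance failure rather than tampering.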

Requirement 9.9.3

Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following:

  • Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
  • Do not install, replace, or return devices without verification.
  • Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).
  • Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).

Testing Procedure

9.9.3.a
Review training materials for personnel at point-of-sale locations to verify they include training in the following:

  • Verifying the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices
  • Not to install, replace, or return devices without verification
  • Being aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices)
  • Reporting suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).

9.9.3.b
Interview a sample of personnel at point-of-sale locations to verify they have received training and are aware of the procedures for the following:

  • Verifying the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices
  • Not to install, replace, or return devices without verification
  • Being aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices)
  • Reporting suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).

Guidance

Criminals will often pose as authorized maintenance personnel in order to gain access to POS devices. All third parties requesting access to devices should always be verified before being provided access—for example, by checking with management or phoning the POS maintenance company (such as the vendor or acquirer) for verification. Many criminals will try to fool personnel by dressing for the part (for example, carrying toolboxes and dressed in work wear), and could also be knowledgeable about locations of devices, so it’s important personnel are trained to follow procedures at all times.

Another trick criminals like to use is to send a “new” POS system with instructions for swapping it with a legitimate system and “returning” the legitimate system to a specified address. The criminals may even provide return postage as they are very keen to get their hands on these devices. Personnel should always verify with their manager or supplier that the device is legitimate and came from a trusted source before installing it or using it for business.

Requirement 9.10

Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.

Testing Procedure

9.10
Examine documentation and interview personnel to verify that security policies and operational procedures for restricting physical access to cardholder data are:

  • Documented,
  • In use, and
  • Known to all affected parties.

Guidance

Personnel need to be aware of and follow security policies and operational procedures for restricting physical access to cardholder data and CDE systems on a continuous basis.

Goal: Implement Strong Access Control Measures

Requirement 9.0

Restrict physical access to cardholder data

Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted. For the purposes of Requirement 9, “onsite personnel” refers to full-time and part-time employees, temporary employees, contractors and consultants who are physically present on the entity’s premises. A “visitor” refers to a vendor, guest of any onsite personnel, service workers, or anyone who needs to enter the facility for a short duration, usually not more than one day. “Media” refers to all paper and electronic media containing cardholder data.