PCI Resources
A structured approach to the PCI standards

PCI DSS Requirement 9

This requirement is generally the best understood one in all of PCI DSS. This requirement applies to all sensitive areas where CHD is transmitted, stored or processed on paper and electronic format. Sensitive areas include data centers, server rooms, call centers, network equipment locations (network jacks, wireless access points, etc.) etc., but do not include public-facing areas (e.g. cashier in store).

All of those sensitive areas require entry controls (e.g. keys, electronic badges) to limit and monitor access physical based on job function.

Procedures must be put in place to identify, authorize, register, accompany visitors to all the of those sensitive areas.

This requirement also covers physical security over media containing CHD and which can include, but is not limited to, physical media such as paper, as well as electronic media such as CDs/DVDs, hard drives, USB keys, and tape backups. This does not mean that a label must be placed on the media identifying "this media has valuable data", but to allow the organization to apply adequate controls.

This requires knowing on which media CHD information lies (called "labelling") in order to maintain strict control over all media by managing inventories and controlling media distribution. Finally, media, like any data identified in requirement 3.1, should be destroyed when no longer required for business or legal reasons.

Requirements 9.9.* are newer requirements introduced in PCI DSS 3.0. These requirements apply to card-present transactions, that is when a user presents a physical payment card to a device of some kind (Points-of-sale, kiosks, ATMs, etc.). Those devices must be protected from tampering and substitution (9.9). Payment card skimmers have a long history, especially in more automated places such as ATMs, gas payments, isolated kiosks. Brian Krebs has documented very interesting examples on his blog.

Further Readings