9 — Restrict Physical Access to Cardholder Data
18 requirements in the Restrict Physical Access to Cardholder Data requirement
9.1.1 All security policies and operational procedures that are identified in Requirement 9 are: Documented.
9.1.2 Roles and responsibilities for performing activities in Requirement 9 are documented, assigned, and understood.
9.2.1 Appropriate facility entry controls are in place to restrict physical access to systems in the CDE.
9.2.2 Physical and/or logical controls are implemented to restrict use of publicly accessible network jacks within the facility.
9.2.3 Physical access to wireless access points, gateways, networking/communications hardware, and telecommunication lines within the facility is restricted.
9.2.4 Access to consoles in sensitive areas is restricted via locking when not in use.
9.3.1 Procedures are implemented for authorizing and managing physical access of personnel to the CDE, including: Identifying personnel.
9.3.2 Procedures are implemented for authorizing and managing visitor access to the CDE, including: Visitors are authorized before entering.
9.3.3 Visitor badges or identification are surrendered or deactivated before visitors leave the facility or at the date of expiration.
9.3.4 Visitor logs are used to maintain a physical record of visitor activity both within the facility and within sensitive areas, including: The visitor's name and the organization represented.
9.4.1 All media with cardholder data is physically secured.
9.4.2 All media with cardholder data is classified in accordance with the sensitivity of the data.
9.4.3 Media with cardholder data sent outside the facility is secured as follows: Media sent outside the facility is logged.
9.4.4 Management approves all media with cardholder data that is moved outside the facility (including when media is distributed to individuals).
9.4.5 Inventory logs of all electronic media with cardholder data are maintained.
9.4.6 Hard-copy materials with cardholder data are destroyed when no longer needed for business or legal reasons, as follows: Materials are cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed.
9.4.7 Electronic media with cardholder data is destroyed when no longer needed for business or legal reasons via one of the following: The electronic media is destroyed.
9.5.1 POI devices that capture payment card data via direct physical interaction with the payment card form factor are protected from tampering and unauthorized substitution, including the following: Maintaining a list of POI devices.