Main menu
You are here
Requirement 9: Restrict physical access to cardholder data
Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted. For the purposes of Requirement 9, “onsite personnel” refers to full-time and part-time employees, temporary employees, contractors and consultants who are physically present on the entity’s premises. A “visitor” refers to a vendor, guest of any onsite personnel, service workers, or anyone who needs to enter the facility for a short duration, usually not more than one day. “Media” refers to all paper and electronic media containing cardholder data.
| Section | PCI Requirement | Comments | Responsibilities on Artsman Cloud |
| 9.1 | Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment. | This means locks on a computer room door or places (like box office) where people can access machines that can access card holder data. |
Artsman: cloud
Customer: workstation |
| 9.1.1 | Use video cameras or other access control mechanisms to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law. Note: "Sensitive areas" refers to any data center, server room or any area trefers to any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes public-facing areas where only point-of- sale terminals are present, such as the cashier areas in a retail store. |
Artsman: cloud - SOC 2 compliant data centres | |
| 9.1.2 | Implement physical and/or logical controls to restrict access to publicly accessible network jacks.
For example, network jacks located in public areas and areas accessible to visitors could be disabled and only enabled when network access is explicitly authorized. Alternatively, processes could be implemented to ensure that visitors are escorted at all times in areas with active network jacks. |
Artsman: cloud - SOC 2 compliant data centres
Customer: internal network |
|
| 9.1.3 | Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines. |
Artsman: cloud - SOC 2 compliant data centres
Customer: internal network |
|
| 9.2 | Develop procedures to easily distinguish between onsite personnel and visitors, to include:
|
Artsman: cloud - SOC 2 compliant data centres
Customer: internal network |
|
| 9.3 | Control physical access for onsite personnel to sensitive areas as follows:
|
Artsman: cloud - SOC 2 compliant data centres
Customer: internal procedures |
|
| 9.4 | Implement procedures to identify and authorize visitors.
Procedures should include the following: |
Artsman: cloud - SOC 2 compliant data centres
Customer: internal procedures |
|
| 9.4.1 | Visitors are authorized before entering, and escorted at all times within, areas where cardholder data is processed or maintained. | ||
| 9.4.2 | Visitors are identified and given a badge or other identification that expires and that visibly distinguishes the visitors from onsite personnel. | ||
| 9.4.3 | Visitors are asked to surrender the badge or identification before leaving the facility or at the date of expiration. | ||
| 9.4.4 | A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted.
Document the visitor's name, the firm represented, and the onsite personnel authorizing physical access on the log. Retain this log for a minimum of three months, unless otherwise restricted by law. |
||
| 9.5 | Physically secure all media |
Artsman: cloud - SOC 2 compliant data centres
Customer: internal procedures |
|
| 9.5.1 | Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location's security at least annually. | Artsman: cloud - SOC 2 compliant data centres | |
| 9.6 | Maintain strict control over the internal or external distribution of any kind of media, including the following: |
Artsman: cloud - SOC 2 compliant data centres
Customer: internal procedures |
|
| 9.6.1 | Classify media so the sensitivity of the data can be determined. | ||
| 9.6.2 | Send the media by secured courier or other delivery method that can be accurately tracked. | ||
| 9.6.3 | Ensure management approves any and all media that is moved from a secured area (including when media is distributed to individuals). | ||
| 9.7 | Maintain strict control over the storage and accessibility of media. | ||
| 9.7.1 | Properly maintain inventory logs of all media and conduct media inventories at least annually. | Artsman: automated backups, recycle and deletion policies | |
| 9.8 | Destroy media when it is no longer needed for business or legal reasons as follows: | ||
| 9.8.1 | Shred, incinerate, or pulp hard- copy materials so that cardholder data cannot be reconstructed. Secure storage containers used for materials that are to be destroyed. | Artsman: automated secure deletion | |
| 9.8.2 | Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed. | There is a tool on windows called Eraser that will handle this for you. On the Mac, use Secure-Empty Trash. Refer to this link for more information about using them. | Artsman: automated secure deletion Customer: should ensure no local cardholder storage in spreadsheets etc |
| 9.9 | Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
Note: These requirements apply to card- reading devices used in card-present transactions (that is, card swipe or dip) at the point of sale. This requirement is not intended to apply to manual key-entry components such as computer keyboards and POS keypads. |
This does not apply to Theatre Manager as it does not use card reading devices for card present transactions. | Customer: protect any pin pad devices accordingly |
| 9.9.1 | Maintain an up-to-date list of devices. The list should include the following:
|
For point of sale devices | Customer: wokstation inventory |
| 9.9.2 | Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).
Note: Examples of signs that a device might have been tampered with or substituted include unexpected attachments or cables plugged into the device, missing or changed security labels, broken or differently colored casing, or changes to the serial number or other external markings. |
For point of sale devices | Customer: wokstations and /or pinpad |
| 9.9.3 | Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following:
|
For point of sale devices | Customer: wokstations and/or pinpad |
| 9.10 | Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties. |
Artsman: Cloud
Customer: wokstations and devices |