In the ever-evolving landscape of data security, staying updated with the latest standards and regulations is crucial. The Payment Card Industry Data Security Standard (PCI DSS) is no exception. With the recent release of PCI DSS v4.0, there have been significant updates and changes that organizations need to be aware of.
This blog post will delve into one such critical area – Requirement 9: Restrict Physical Access to Cardholder Data. This requirement has undergone notable changes from v3.2.1 to v4.0.
We will explore these changes in detail, helping you understand the processes and mechanisms for restricting physical access to cardholder data, how physical access controls manage entry into facilities and systems containing cardholder data, and how physical access for personnel and visitors is authorized and managed.
Whether you’re a business owner, a security professional, or just someone interested in data security, this blog post will provide you with valuable insights into the latest updates in PCI DSS Requirement 9. So, let’s dive in and navigate the changes together. check out our comprehensive guide on the “12 requirements of PCI DSS.”
Changes in Requirement 9 of PCI DSS v3.2.1 to PCI DSS v4.0:
| Requirement | V.3.2.1(9.1) | V4.0(9.2.4) | Changes |
|---|---|---|---|
| Scope | Emphasizes securing the entire physical environment (data centers, etc.) where systems handling cardholder data reside. | Specifically targets consoles within sensitive areas. | Focus is narrowed for targeted hardening. |
| Security Measure | Lists various controls (badge readers, locks, etc.). Suggests "locking" to prevent unauthorized console use. | Makes "locking" consoles when unattended mandatory. | Elevates a recommended practice to an explicit requirement. |
| Suggests observing login attempts on random systems as a check. | Specifically requires observing attempted logins to verify consoles are locked in sensitive areas. | Focused testing, still verifying core protection. |
PCI DSS v4.0 narrows its target to restrict direct console access in sensitive areas, makes locking unattended consoles an explicit requirement, and adjusts testing to verify this specific locking.
| Requirement | v3.2.1 (9.2) | v4.0 (9.3.1 & 9.3.2) | Changes |
|---|---|---|---|
| Scope | Identifying and distinguishing between staff and visitors. | Expands to cover all physical access authorizations to the Cardholder Data Environment (CDE), including staff changes and terminations. | More comprehensive access management focus. |
| Visitor Emphasis | Mentions visitors within a broader staff identification process | Dedicates an entire sub-requirement (9.3.2) specifically to visitor access procedures. | Reflects the higher risk visitors can pose. |
| Specific Visitor Rules | None | v4.0 mandates rules for visitors: pre-authorization, constant escort, expiring ID badges that are visually distinct from staff. | Adds mandatory controls for visitor management. |
PCI DSS v4.0 expands physical access requirements, shifting focus to managing all CDE access permissions, introducing explicit visitor controls, and structuring physical access into distinct sub-requirements.
| Requirement | v3.2.1 (9.4, 9.4.1 & 9.4.2) | v4.0 (9.3.2) | Changes |
|---|---|---|---|
| Scope | Addresses specifically visitor access and authorization. | Part of a broader sub-requirement (9.3) covering all physical access management to the CDE. | Reflects increased emphasis on comprehensive access control. |
| Core Principles | Authorization, escorting, identification (badges), badge expiration, distinction from staff. | Identical core principles | No Changes. |
| Terminology | Focuses on areas "where cardholder data is processed or maintained". Focuses on observing visitor controls within areas handling cardholder data. Specific checks about use of visitor badges in the cardholder data environment. | Uses broader CDE (Cardholder Data Environment) terminology. Broadened to observe and interview for CDE-wide visitor management procedures. Same principle but adapted to check procedures across the CDE. | Terminology updates consistent with other v4.0 changes. Expanded scope for testing. Increased scope. |
PCI DSS v4.0 retains core visitor access requirements. Changes include distinct placement within CDE access controls and a broadened scope for consistent practice across the entire Cardholder Data Environment.
| Requirement | v3.2.1 (9.5 & 9.5.1) | v4.0 (9.4.1, 9.4.1.1 & 9.4.1.2) | Changes |
|---|---|---|---|
| Scope | Broadly focuses on physically securing "all media" containing cardholder data. | Explicitly targets "media with cardholder data." | Focus on protecting sensitive data, even on mixed-use media. |
| Backup Emphasis | Calls out securing backup media locations, with an annual review. | Backups become a sub-point (9.4.1.1), with security and review requirements still intact. | Reflects importance of securing backups within the broader media security plan. |
| Terminology | General focus on "physical security" throughout. | No changes. | Remains unchanged. |
| Testing Procedures | Suggests verifying protection procedures include media and reviewing backup location security. | Streamlined approach: document review to see if procedures exist, plus an interview check on backup site security. | Focused testing procedures. |
PCI DSS v4.0 maintains physical security principles for cardholder data. Changes include a data-centric focus, structured backup security, and clear testing guidance for media storage security.
| Requirement | v3.2.1 (9.6, 9.6.1, 9.6.2 & 9.6.3) | v4.0 (9.4.2, 9.4.3 & 9.4.4) | Changes |
|---|---|---|---|
| Data Classification | Requires classifying media based on the sensitivity of data stored on it. | Identical requirement. | No changes. |
| Shipping Security | Media must be sent via a trackable method (e.g., secure courier). | Adds the explicit requirement for detailed offsite tracking logs that include the current location of the media. | Greater traceability requirement. |
| Management Approval | Management must approve media leaving secured areas. | Same requirement. | No changes. |
| Testing Procedures | Focused on sample reviews of logs and interviews to verify the process is followed. | Emphasizes that formal, documented procedures must exist alongside checks to ensure they are followed. | Focus on clear processes. |
PCI DSS v4.0 enhances media distribution security with precise tracking for accountability and mandates clear, formal procedures.
| Requirement | v3.2.1 (9.7) | v4.0 (9.4.5) | Changes |
|---|---|---|---|
| Focus | Storage/accessibility controls for "all media" | Explicitly targets "electronic media" with cardholder data | More targeted scope. |
| Media Inventory | Requires periodic inventories of all media | Inventory specifically for electronic media with cardholder data | Focus on where the highest risk data resides. |
| Inventory Frequency | Must be conducted at least annually | Must be conducted at least every 12 months | No change. |
| Testing Procedures | Policy review + check if inventories happen periodically | Emphasizes procedures: 1) Do they exist? 2) Logs show they're followed | Focus on formal processes and documented evidence. |
PCI DSS v4.0 refines media inventory control, emphasizing electronic storage tracking and verification of inventory management procedures.
| Requirement | v3.2.1 (9.8) | v4.0 (9.4.6 & 9.4.7) | Changes |
|---|---|---|---|
| Scope | Covers destruction of "all media" when no longer needed. | Spilt into specific requirements: 9.4.6 for hard-copy materials, 9.4.7 for electronic media. | Greater clarity and distinction in handling physical and electronic media. |
| Hard-Copy Methods | Crosscut shredding, incineration, pulping. | Identical methods. | No Changes. |
| Electronic Destruction | Must render data unrecoverable (secure wipe or physical destruction). | Offers the option of destroying the media itself or rendering data unrecoverable. | Increased flexibility. |
| Storage pre-Destruction | Requires securing old media containers awaiting destruction. | Applies that same principle to both hard-copy and electronic media. | Consistent, comprehensive approach. |
| Testing (General) | Policy review. Emphasizes checking if the approved methods are practiced. | Emphasizes the existence of documented procedures alongside practical verification. | Focus on verifiable processes. |
PCI DSS v4.0 enhances media destruction by providing clear rules for hard-copy and electronic destruction, allowing secure data sanitization, mandating secure pre-destruction storage, and emphasizing documented, verifiable destruction methods.
| Requirement | v3.2.1 (9.9) | v4.0 (9.5.1) | Changes |
|---|---|---|---|
| Terminology | Focuses on "devices that capture payment card data" at the point of sale (POS terminals). | Uses broader term "POI devices", potentially encompassing a wider range of card-reading technologies. | Reflects evolving payment technology. |
| Security Measures | Lists required practices: Maintained device list, periodic inspections, staff training for awareness. | Identically required security practices. | No changes. |
| Testing Procedures | Review policies/procedures to verify practices are described. | Emphasizes the existence of formal, documented "processes", ensuring a consistent approach. | Focus on documented, organized security methods. |
PCI DSS v4.0 retains core physical security for POI devices, updates terminology to ‘POI devices’, and underscores the importance of formal, documented security processes.
New Requirement in PCI DSS v4.0:
Requirement 9.1.2:
Physical security requires organized roles and responsibilities. (This requirement is a best practice until 31 March 2025.)
- This means having written job descriptions, assigning specific tasks to individuals, and ensuring they understand their duties.
- Auditors check for clear documentation and task understanding.
- This ensures accountability, prevents gaps in security, and provides proof of compliance.
Requirement 9.5.1.2.1:
To define the frequency of periodic POI device inspections based on the entity’s targeted risk analysis. (This requirement is a best practice until 31 March 2025.)
- POI (Point of Interaction) devices are used for card payments.
- Regular inspections for tampering or fraud are essential.
- The inspection frequency and type depend on your business risk level.
- A ‘targeted risk analysis’ guides your inspection approach.
- Auditors check your risk analysis and adherence to the plan.
- POI device security is vital for PCI DSS compliance and customer trust.
- The new requirement emphasizes a customized approach based on a ‘targeted risk analysis’.
Conclusion:
The modifications in PCI DSS v4.0’s Requirement 9 make proactive physical security management more crucial than ever. Now is the time for organizations to re-evaluate their physical security strategies, conduct updated risk assessments, and refine their protection processes to align with these enhanced standards.
By doing so, you’ll not only secure the cardholder data entrusted to you but also further cement your organization’s reputation as a safe and trustworthy place to do business.
Also Read:- PCI DSS Requirement 8
Lets us help you
Need help navigating PCI DSS v4.0? We have been active in the PCI DSS space since 2008 and even certify payment brand. Our PCI DSS services provide assurance on card security controls, with offerings for both product platform and backend services attestation.
We have a dedicated team of auditors and a separate team for consulting/advisory assignments to even help our esteemed clients to define processes and achieve compliance.
We have completed multiple PCI DSS 4.0 certifications too right from scoping to Readiness Assessment, Advisory and Final Certification.
We are vendor neutral and have a strict no-outsourcing policy. We can also assist you with the technical assessments needed for PCI DSS Compliance – Vulnerability Assessment, Penetration Testing, Network Segmentation Testing, Network Architecture Review, Firewall Assessment, Secure Configuration Assessment, Web and Mobile Application Security Assessment, and Secure Code Review.
