Part 9: Road Map to PCI

Physical security is an important aspect of any organization and one that its leaders must take into consideration when developing their business practices.  Not every organization is well versed in implementing physical access and security measures to adequately protect against potential threats.  For this reason the PCI Council created “Requirement 9” of PCI DSS: Restrict Physical Access to Cardholder Data.

Requirement 9 has been incorporated into all PCI Questionnaires which speaks to the importance the PCI Council is placing on this requirement, regardless of how card data may be handled.

There is Good News

Thankfully, many of the security standards within Requirement 9 are business practices that nearly everyone is familiar with and already associate with storing/handling sensitive or private information. Requirement 9 seeks to establish control procedures such as limiting who has access to stored card data and maintaining a “checkout list” for when that data is accessed.  It continues by detailing the proper disposal procedures such as cross cut shredding the data when no longer needed.

Requirement 9 Pitfalls

If Requirement 9 is a struggle, more often than not it is due to the wording of the questionnaire uses to reference physical copies of card holder data.  The standardized language of the questionnaire refers to this as “Media.”  When completing your questionnaire it is important to understand that “Media” refers to any physical item containing full card data, such as computers, removable electronic media, paper receipts, paper reports, faxes etc.

Another common pitfall when working through Requirement 9,  is answering a question with “No” when in fact, “N/A” should have been your response.  For example if this standard does not apply due to an organization not storing card data in this format, they would want to answer with, “N/A.”  If “N/A” is not an option, they would want to answer with, “Yes” indicating that they are in fact willing to follow the standard if/when it should apply.

Implement Strong Access Control Measures

Ultimately Requirement 9 is a simpler, less technical requirement to meet than many of the others.  And the good news is with a little planning and examination of your operating procedures this requirement can be met or the scope of this requirement can be easily reduced.

This article rounds-out our coverage of the fourth area of the PCI Data Security Standards.  To summarize they are as follows:

Up next, we move into fifth area of focus of the PCI Data Security Standards and take a look at the first of the two requirements of “Regularly Monitor & Test Networks.”

If you have any questions about PCI that you would like to see covered, let us know! You can email us at to share your thoughts or questions which we may then address here on our blog!