Welcome to the sixth post of a series on understanding the Payment Card Industry Data Security Standard (PCI DSS). We want to show how PCI DSS affects anyone going through the compliance process using the PCI SAQs (Self-Assessment Questionnaires).
In the previous articles written about PCI, we covered the following:
- Requirement 1: Build and Maintain a Secure Network – Install and maintain a firewall configuration to protect cardholder data.
- Requirement 2: Build and Maintain a Secure Network – Do not use vendor-supplied defaults for system passwords or other security parameters.
- Requirement 3 & 4: Secure Cardholder Data
- Requirement 5 & 6: Maintain a Vulnerability Management Program
- Requirement 7 & 8: Implement Strong Access Control Measures
Having recapped this so far, we’re going to focus on the final requirement under the Implement Strong Access Control Measures section. Here we go!
PCI Requirement 9
Restrict physical access to cardholder data
Physical access can refer to:
- systems that store, process, or transmit payment card data,
- hardcopies of payment card data and other media holding it.
Without physical access controls, unauthorized personnel could gain access to sensitive personal information. Beyond that, they could alter existing security configurations, introduce vulnerabilities into your stack, or vandalize equipment.
Maintaining strict controls can help identify individuals who physically access areas storing cardholder data. This is also important for protecting personally identifiable information, especially if you need to comply with the requirements of the General Data Protection Regulation (GDPR).
Here are some key restrictions to continue minimizing risk:
1 – Network Jacks
Restricting access to network jacks will prevent bad actors from plugging into readily available inputs that may allow them into your network.
Consider turning off network jacks while not in use and reactivating them only when needed.
Also, be sure to create private networks for internal use and a public one for visitors to limit exposure to protected information.
2 – Visitors & Unauthorized Personnel
Visitor controls are important both to restrict access to certain areas and to ensure visitors are identifiable as such, which makes it easier to spot unusual activity.
This may even include employees who have no reason to approach sensitive access points. For example, the social media manager shouldn’t need access to a storage facility where cardholder data is readily available.
A log that tracks information about the visitor will be useful in the event of a data breach investigation. Keeping a log can help identify which visitors have physical access to a room and who has potential access to cardholder data.
Consider logs at the entry to facilities and especially designated areas where that data resides.
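The kind of review these visitor logs enable, as an added example that is not part of the original post: it checks a constructed badge-reader log against an assumed role-to-area authorization list, flags visitors or unauthorized employees who were granted entry to a restricted area, and records who was actually inside each area for a later investigation. The log format, area names, badge IDs and roles are all assumptions.

```python
import re
from collections import defaultdict

# Assumed policy: which roles may enter each restricted area (visitors never may).
# An area missing from this dict is treated as unrestricted (e.g. the lobby).
AREA_AUTHORIZATION = {
    "server-room": {"sysadmin", "security"},
    "records-storage": {"finance", "security"},
}

# Assumed badge-reader log format, one event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d) (?P<badge>\S+) role=(?P<role>\S+) "
    r"area=(?P<area>\S+) result=(?P<result>granted|denied)$"
)

def audit(lines):
    """Return (findings, presence): findings are policy violations and
    presence maps each restricted area to the badges actually granted entry,
    which is the 'who could have reached the data' question an investigation asks."""
    findings, presence = [], defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            findings.append(("unparseable", line.strip()))   # never silently drop a record
            continue
        e = m.groupdict()
        allowed = AREA_AUTHORIZATION.get(e["area"])
        if allowed is None or e["result"] != "granted":
            continue                      # unrestricted area, or the door did its job
        presence[e["area"]].add(e["badge"])
        if e["role"] == "visitor":
            findings.append(("visitor-in-restricted-area", e["badge"], e["area"]))
        elif e["role"] not in allowed:
            findings.append(("role-not-authorized", e["badge"], e["area"]))
    return findings, dict(presence)

# Constructed sample log: a visitor badge let into records storage and a
# social-media employee let into the server room are the two cases to catch.
SAMPLE_LOG = [
    "2024-03-04 09:02 E1021 role=sysadmin area=server-room result=granted",
    "2024-03-04 09:15 V0007 role=visitor area=lobby result=granted",
    "2024-03-04 09:41 V0007 role=visitor area=records-storage result=granted",
    "2024-03-04 10:03 E2207 role=social-media area=server-room result=granted",
    "2024-03-04 10:10 E2207 role=social-media area=records-storage result=denied",
    "garbled line from reader firmware",
]
```

Calling `audit(SAMPLE_LOG)` returns three findings (the visitor, the unauthorized employee, and the unparseable line) plus the per-area presence sets; the denied event is deliberately not counted as presence.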
3 – Monitor Cardholder / Personal Data
If a visitor made their way through an authorized sequence of doors within your facility, cardholder data is still susceptible to unauthorized viewing, copying, or scanning if it is unprotected.
It can even be accidental if authorized employees are not well informed. A startling number of businesses have cardholder data on portable media, hard drives, sticky notes, or printed hard copies on someone’s desk. This is especially problematic with orders taken by phone, fax, or email.
Without proper visibility or protection, data can be stolen and used for fraudulent purposes.
It’s important to ensure the data remains hidden/encrypted if not immediately needed.
The development of an approved process for handling sensitive data will help in complying with Requirement 9.6: Maintain strict control over the internal or external distribution of any kind of media.
4 – Physical Removal of Data
9.10 Destroy media containing cardholder data when it is no longer needed for business or legal reasons as follows:
- 9.10.1 Shred, incinerate, or pulp hardcopy materials so that cardholder data cannot be reconstructed.
- 9.10.2 Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.
Steps must be taken to destroy cardholder information contained on electronic devices. Dispose of hard copies via paper shredding. Failure to do so can result in a major data breach, leading to a negative reputation and expensive fines after an investigation.
One thing to consider is “dumpster diving”. This is where bad actors search through trash and recycling bins for devices or documents that may contain data. If they happen to find a tossed, unencrypted USB drive that wasn’t wiped prior to disposal, or a paper that wasn’t shredded finely enough, the consequences can be major.
Having a process for properly destroying media with cardholder data, including proper storage prior to disposal will help with Requirement 9.8: Destroy media when it is no longer needed for business or legal reasons.
Is Requirement 9 really that straightforward?
Requirement 9 is fairly self-explanatory. We essentially want to restrict access to data and then monitor the access from the point of collection to disposal.
It sounds simple, but the complex nature in which we record all sorts of data (either electronically, via physical media, or physically on paper) requires us to really pay attention to the when, where, who type of questions about data access.
There are many vendors that specialize in data risk assessment if you need third-party help. They would review your existing procedures and policies, as well as assist with ongoing internal threat detection with respect to your data. Make sure that any vendor you speak with will help cover all the requirements mandated within this section of the PCI DSS.
Next, we’ll tackle the next set of requirements, which cover regularly monitoring and testing your network. Stay safe!