1. Home
2. Listings
3. PCI DSS Requirement 9

Category: PCI DSS Requirement 9

Restrict Physical Access to Cardholder Data

It is possible for individuals to access, remove, or access systems or hardcopies containing cardholder data through any physical access to cardholder data or systems that store, process, or transmit cardholder data. Consequently, appropriate restrictions should be placed on physical access.

In Requirement 9, three distinct areas are mentioned:

1. The purpose of requirements that specifically address sensitive areas is to only apply to those areas.
2. The CDE as a whole is intended to be subject to any and all requirements that specifically address the CDE’s sensitive areas.
3. The kinds of controls that can be managed more broadly at the physical boundary of a business premise (such as a building) where CDEs and sensitive areas reside are the subject of requirements that specifically refer to the facility. A guard desk that identifies, badges, and records visitors is one example of these controls, which frequently exist outside of a CDE or sensitive area. The term “facility” is used to indicate that these controls may be present at various locations within a facility, such as the entrance to a building or an internal entrance to an office or data center.