PCI Requirement Nine

PCI DSS Requirement 9 covers all aspects of physical security. Here are a few tips to make sure your physical security is PCI compliant.


Did you know that most theft of equipment containing sensitive data occurs in the middle of the day? Threat actors choose the middle of the day because it’s easier to steal data when staff is too busy to notice someone walking out of the office with a phone, laptop, or even a server.

The truth is that even the most advanced network defenses can be bypassed by theft. 

In one incident, Science Applications International Corporation (SAIC) was breached not through a phishing email or a zero-day exploit, but because an unsecured server rack was stolen by a threat actor who simply walked into an unmonitored back office. The resulting breach of patient data, including payment information, led to millions in fines and remediation costs.

In fact, the theft of physical media accounts for an estimated 30% to 50% of all data breaches.


See also: 5 Tips to Boost Your Business’s Physical Security

Make an Inventory

You can’t protect cardholder data if you don’t know where it is. Start by creating an inventory of all systems that store, process, or transmit cardholder data, or that can affect its security. List the applications running on these systems, including version numbers, so you can stay on top of known vulnerabilities. Identify the physical location of each system and who should have access to it.

Servers, firewalls, workstations and laptops are easy to remember, but keep in mind other items that need to be physically protected, such as:

  • Wireless access points
  • Network jacks
  • Telecommunication lines
  • External hard drives
  • Backups
  • Paper records

An inventory is only as useful as it is accurate. It’s important to update your inventory list as things change, and track movement of equipment and removable media (such as backups) in and out of your environment.

See also: SecurityMetrics PCI Guide

Restrict and Monitor Access to Payment Card Data

Once you know what systems you need to protect, put controls for PCI DSS Requirement 9 in place that restrict access to them, like badge readers and keyed locks. Remember that employee access must be authorized and required for the employee’s job function. When visitors need to enter sensitive areas, make sure they are authorized and always escorted by an employee.

See also: Keep Employees on a Need-to-Know Basis: A Look at PCI Requirement 7

It’s important to have a way to identify employees and visitors and tell them apart, such as badges. You also need a way to monitor and log anyone who accesses a sensitive area, such as video cameras and access logs.

Make sure you have a way to remove access when a visitor’s stay ends or an employee is terminated. Ensure that all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.

Don’t store sensitive information (like payment card data) out in the open. For example, event-planning companies and caterers might use paper forms that contain customers’ credit card information. In these types of businesses, the card is typically charged and the paper order form is destroyed once the event is over.

If your organization collects credit card info in a similar manner, any paper forms should be designed to keep sensitive information separate from the rest of the order info.

Pro Tip: Don't just focus on your front door. The principle of least privilege must apply to physical access just as it does to network access. Too often, every employee, from the CEO to the mailroom clerk, has access to the server room key or badge. This creates unnecessary risk. Access should be granted only to those employees whose job requires them to be near CDE (Cardholder Data Environment) systems.
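As an added example (not part of the original post or SecurityMetrics' own tooling), the kind of access-log review described above, run over constructed badge-reader records: it flags badges used after their deactivation date, employees entering an area they are not authorized for, and visitor entries with no authorized employee badge-in within an escort window. The log format, badge IDs, area names and the two-minute escort window are assumptions.

```python
# Physical access log review (added example, constructed data)
from datetime import datetime, timedelta

# Constructed authorization data: badges allowed into each sensitive area,
# and badges whose access was removed, with the removal date.
AUTHORIZED = {"server room": {"B-100", "B-101"}}
DEACTIVATED = {"B-101": datetime(2024, 3, 1)}  # terminated employee
ESCORT_WINDOW = timedelta(minutes=2)

# Constructed badge-reader log: timestamp,badge,holder_type,area
LOG = """\
2024-03-04 09:02:11,B-100,employee,server room
2024-03-04 09:15:40,B-101,employee,server room
2024-03-04 10:30:05,V-007,visitor,server room
2024-03-04 11:00:00,B-100,employee,server room
2024-03-04 11:00:45,V-008,visitor,server room
2024-03-04 13:20:00,B-250,employee,server room
"""


def parse(log):
    """Parse log lines into (timestamp, badge, holder_type, area) tuples."""
    events = []
    for line in log.splitlines():
        ts, badge, kind, area = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), badge, kind, area))
    return events


def review(events, authorized, deactivated, escort_window):
    """Return (time, badge, finding) for entries that need follow-up."""
    # Entries that count as a valid escort: an authorized, still-active employee badge
    escorts = [(ts, area) for ts, b, kind, area in events
               if kind == "employee" and b in authorized.get(area, set())
               and b not in deactivated]
    findings = []
    for ts, badge, kind, area in events:
        when = ts.strftime("%H:%M:%S")
        if badge in deactivated and ts >= deactivated[badge]:
            findings.append((when, badge, "badge used after deactivation"))
        elif kind == "employee" and badge not in authorized.get(area, set()):
            findings.append((when, badge, f"not authorized for {area}"))
        elif kind == "visitor" and not any(
                a == area and abs(ts - ets) <= escort_window for ets, a in escorts):
            findings.append((when, badge, "visitor entry without escort"))
    return findings


FINDINGS = review(parse(LOG), AUTHORIZED, DEACTIVATED, ESCORT_WINDOW)
```

A real badge system exports more fields, but the three checks (deactivated badge, unauthorized employee, unescorted visitor) are the ones the access-control and visitor-escort points above call for.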

Protect Your POS (Point-Of-Sale) Devices

If your organization has card-reading POS devices used in card-present transactions (e.g. swipe or dip), the PCI DSS includes specific requirements for protecting them:

  1. Maintain an up-to-date list of all devices, including physical location, serial numbers, and make/model.
  2. Periodically inspect devices to ensure they haven’t been tampered with. Make sure serial numbers match, and check that seals haven’t been broken.
  3. Provide training to help staff conduct good device inspections, detect suspicious activity around payment devices, and know what to do when third parties claim they need to work on the system.
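An added example (not from the original post or from SecurityMetrics) of how steps 1 and 2 can check each other: it reconciles the device list against the results of one inspection round and flags serial mismatches, broken seals, missing or unlisted terminals, and listed devices the round never reached. All device records, serial numbers, model names and locations are constructed.

```python
# POS device inventory reconciliation (added example, constructed data)
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    serial: str
    make_model: str
    location: str

@dataclass(frozen=True)
class Inspection:
    location: str
    serial_seen: "str | None"  # None: no terminal found at this location
    seal_intact: bool

def reconcile(inventory, inspections):
    """Return (location, finding) pairs that need follow-up."""
    findings = []
    expected = {d.location: d for d in inventory}
    covered = set()
    for insp in inspections:
        covered.add(insp.location)
        dev = expected.get(insp.location)
        if dev is None:
            if insp.serial_seen:  # a terminal where the inventory lists none
                findings.append((insp.location, f"unlisted device {insp.serial_seen}"))
        elif insp.serial_seen is None:
            findings.append((insp.location, f"device {dev.serial} missing"))
        else:
            if insp.serial_seen != dev.serial:
                findings.append((insp.location, f"serial mismatch: expected {dev.serial}, found {insp.serial_seen}"))
            if not insp.seal_intact:
                findings.append((insp.location, "tamper seal broken"))
    for dev in inventory:  # listed devices the inspection round never reached
        if dev.location not in covered:
            findings.append((dev.location, f"device {dev.serial} not inspected"))
    return findings

INVENTORY = [
    Device("SN-1001", "ModelA", "Register 1"),
    Device("SN-1002", "ModelA", "Register 2"),
    Device("SN-1003", "ModelB", "Back office"),
]
INSPECTIONS = [
    Inspection("Register 1", "SN-1001", True),
    Inspection("Register 2", "SN-9999", True),  # serial does not match
    Inspection("Kiosk", "SN-2001", True),  # not on the list
]
FINDINGS = reconcile(INVENTORY, INSPECTIONS)
```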

The most common physical security threat to POS devices is skimming or device tampering. A classic industry case involves hackers physically placing a tiny, non-invasive overlay—a skimmer—onto the credit card slot of a terminal. These devices capture card data and PINs without the customer or cashier noticing.

Need help combating skimming? Check out SecurityMetrics Shopping Cart Monitor or see a demo here. 

Pro Tip: There are several things you can do to boost your physical security. Consider installing flood lights or motion-activated lights so your employees are easily alerted to an unexpected person on the premises. Don’t underestimate the value of physical keys as a way to restrict access to server rooms. Cameras are excellent for monitoring who accesses what rooms at what time and can be instrumental in identifying threats. 

Destroy Media Containing Payment Card Data Securely

The best way to keep cardholder data secure is not to retain it any longer than is strictly necessary. Set a schedule for reviewing retained media and securely destroying any media containing cardholder data that is no longer needed.

See also: How to Permanently Delete Files with Sensitive Data

  • Keep doors to secure areas closed and locked
  • Store mobile devices in secure areas when not in use
  • Use screensavers and privacy monitors on computers
  • Install and use blinds in office windows
  • Include physical security in your security awareness program

One study found that nearly 50% of used hard drives sold online still contained sensitive, recoverable data. Simply deleting files or even formatting the drive is not sufficient for PCI compliance. 

Create A Foundational Physical Security Plan

Failing to enact a strong physical security plan is like paying for the highest security technology to protect your house but leaving the front door unlocked. Threat actors are opportunistic, so meeting PCI requirement nine can help your business limit their ability to steal. 

It’s also important to regularly train your employees on physical security and plans for keeping your organization safe. 

Read more about PCI Requirement nine in the latest SecurityMetrics PCI Guide.
