Getting PCI DSS Compliant

PCI Security Standards Council

PCI Compliance in Access Control

Any company or organization that stores, processes or transmits payment card data must comply with the PCI Data Security Standard (PCI DSS). That makes compliance one of the fundamental requirements for doing legal and secure business in e-commerce.

PCI DSS has many aspects a company handling card payments must take note of: logical access control, encryption of stored cardholder data, encryption of cardholder data in transit over open networks, data-retention and data-sharing policies, privacy rules and more. Physical access control is only one of them.

Today's access control systems are built on modern technologies and are integrated with the rest of a company's security controls. The strict PCI access control rules therefore apply to physical access control too, and a company that wants to pass an assessment has to treat its doors and rooms as part of the cardholder data environment.

How to Make Physical Access Control PCI Compliant?

Requirements 7 and 8 of PCI DSS govern access control, and Requirement 9 covers physical access specifically. The physical security compliance policy that results is based on two important rules: need-to-know and default deny, which is the posture now commonly described as zero trust.

Requirement 7 states that access to cardholder data must be restricted to the people whose job actually requires it, with everything not explicitly granted denied by default, and that access must be managed through a formally documented policy. Requirement 8 mandates that every person is identified and authenticated with a unique ID, so that each access to the cardholder data area can be traced to one named individual; shared or generic credentials are not acceptable. Requirement 9 applies these principles to doors and rooms: physical access to areas where cardholder data is stored or processed must be restricted, and entry and exit must be recorded and the records retained.

Take the following procedural steps to bring your company's physical access control into PCI compliance.

  • Determine which locations, rooms and system components are in scope, i.e. those that store, process or transmit cardholder data or are connected to them, as described in the PCI DSS scoping guidance
  • Identify the subset of those components whose physical access the access control system must protect
  • Implement a default deny (zero trust) rule for access control: no zone is open to anyone who has not been explicitly granted it
  • Implement strong monitoring of access control users, especially privileged users such as system administrators and badge issuers
  • Deploy validation and audit controls and procedures, including regular review of who holds access to each zone and prompt revocation when a person leaves or changes role
  • Automate the access control system so that validation and monitoring controls run continuously rather than as manual spot checks
  • Deploy access control that supports unique-ID based user access, with one credential bound to exactly one named person and every entry and exit logged
  • Choose an access control system that is compatible with existing as well as future technologies so the controls survive hardware and software changes
  • Prepare the required validation documentation (a Report on Compliance or Self-Assessment Questionnaire together with an Attestation of Compliance) and submit it to your acquiring bank or the payment brands as they require; the PCI SSC publishes the standard but does not itself certify merchants, and validation has to be renewed on the schedule your acquirer sets

Checklist for PCI Compliance

  • Forward/backward compatible access control system
  • Unique-ID based access control (one credential per named person, no shared badges)
  • Zero trust (default deny) based access control policy
  • Robust physical restriction of areas where cardholder data is stored or processed
  • Formalized, documented access policy with periodic access reviews
  • "Deny all" policy implemented for data access, with every grant and every denial recorded
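The steps and checklist above describe a policy, not an implementation, so here is an added example (not Kisi's code and not part of the original guide) of what the core of such a policy looks like when enforced in software. It is a small default-deny door controller in Python: every badge is bound to exactly one named person, each role is granted only the zones its work requires, the cardholder data room additionally requires a second factor, and every decision, including denials and their reason, is written to an audit trail that can be exported per sensitive zone. The zones, people, badges and role grants are constructed sample data, and the PIN check is simplified to a boolean; a real deployment would read these from the access control system and its identity source.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# --- Constructed sample data (illustration only, not from any real deployment) ---
ZONES = {"lobby", "office", "card_data_room"}
SENSITIVE_ZONES = {"card_data_room"}          # areas holding cardholder data


@dataclass(frozen=True)
class Person:
    person_id: str
    role: str
    active: bool = True


# One badge -> exactly one named person. Shared or anonymous badges are never issued.
BADGES = {"B-1001": "alice", "B-1002": "bob", "B-1003": "carol"}
PEOPLE = {
    "alice": Person("alice", "payments_ops"),
    "bob": Person("bob", "sales"),
    "carol": Person("carol", "payments_ops", active=False),  # left the company, badge not yet collected
}
# Need-to-know: each role is granted only the zones its job requires.
# Anything not listed here is denied, so the default is "deny all".
ROLE_GRANTS = {
    "payments_ops": {"lobby", "office", "card_data_room"},
    "sales": {"lobby", "office"},
}


@dataclass(frozen=True)
class AuditEvent:
    ts: str
    badge_id: str
    person_id: Optional[str]   # None when the badge is not bound to anyone
    zone: str
    granted: bool
    reason: str


class AccessController:
    """Evaluates badge swipes against the policy above and records every decision."""

    def __init__(self, badges=BADGES, people=PEOPLE, grants=ROLE_GRANTS):
        self.badges = dict(badges)
        self.people = dict(people)
        self.grants = grants
        self.audit_log: list[AuditEvent] = []

    def deactivate(self, person_id: str) -> None:
        """Off-boarding: disable the identity immediately, so the badge stops working
        even if it has not been physically collected yet."""
        p = self.people[person_id]
        self.people[person_id] = Person(p.person_id, p.role, active=False)

    def decide(self, badge_id: str, zone: str, pin_ok: bool = False) -> AuditEvent:
        person_id = self.badges.get(badge_id)
        person = self.people.get(person_id) if person_id else None
        granted, reason = False, "deny_default"
        if zone not in ZONES:
            reason = "unknown_zone"
        elif person is None:
            reason = "unknown_badge"
        elif not person.active:
            reason = "inactive_identity"
        elif zone not in self.grants.get(person.role, set()):
            reason = "no_need_to_know"
        elif zone in SENSITIVE_ZONES and not pin_ok:
            reason = "second_factor_required"   # badge alone is not enough for the card data room
        else:
            granted, reason = True, "role_grant"
        event = AuditEvent(datetime.now(timezone.utc).isoformat(),
                           badge_id, person_id, zone, granted, reason)
        self.audit_log.append(event)   # denials are recorded too: the trail is complete, not just successes
        return event

    def sensitive_zone_report(self) -> list[AuditEvent]:
        """Every decision that touched a cardholder-data zone, which is what an assessor asks to see."""
        return [e for e in self.audit_log if e.zone in SENSITIVE_ZONES]


if __name__ == "__main__":
    ac = AccessController()
    ac.decide("B-1001", "card_data_room", pin_ok=True)   # payments_ops with PIN: granted
    ac.decide("B-1002", "card_data_room", pin_ok=True)   # sales: denied, no need to know
    ac.decide("B-1003", "office")                        # inactive identity: denied
    ac.decide("B-9999", "lobby")                         # unregistered badge: denied
    for e in ac.audit_log:
        print(f"{e.ts} badge={e.badge_id} person={e.person_id} zone={e.zone} "
              f"granted={e.granted} reason={e.reason}")
```

Two design choices carry the compliance weight. First, the decision chain starts from "deny" and only flips to "grant" when every check passes, so a missing role entry or an unknown zone fails closed rather than open. Second, the audit record is written on every path, so the log answers both "who entered the card data room" and "who tried to and was refused", which is the complete record the requirements call for.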
