PCI Physical Security: How To Comply

By Bernhard Mehl
June 02, 2020

The purpose of the Payment Card Industry Data Security Standard (PCI DSS) is to physically secure cardholder data environments (CDE). There have been millions of cases of compromised credit card information all across the world. Thus, these security standards are very important. 

A situation like this is a huge inconvenience for the customer, as well as the financial institution responsible. Taking steps to protect financial information is critical. Hence, we introduce the ultimate quick-read compliance guide - PCIPhysical Security: How To Comply. 

Below we list the 12 requirements for PCI Physical Security, with an easy breakdown for how to comply. 

Requirements And How To Comply

1. Implement and maintain a firewall to safeguard cardholder data.

Ensure that there is a secure zone for the storage of card data and put firewalls in place to ensure that there is only necessary traffic entering your CDE. 

2. Create custom passwords 

Make sure you create strong, custom passwords and other unique security measures instead of using the default settings for your systems.

3. Safeguard all cardholder information

Make sure that you document a data retention policy, along with double-checking that your employees are aware of, and trained to, understand the policy. 

It is also a good idea to have as few employees as possible with authorized access to your primary account number database.

4. Encrypt cardholder data

It’s essential to verify that encryption certificates, as well as keys, are reliable and can be trusted. Prohibit the use of wireless encryption standards that are not secure. 

5. Implement and actively update anti-virus software

It’s critical to set automatic scans to detect malicious software regularly. Maintaining audit logs and documenting malware procedures is important for review and system evaluation. 

For this security measure, it is also important to set up administrative access to your anti-virus so that users can’t disable it. 

6. Create secure systems and applications.

To create, and sustain, a secure system, you need to keep up with security updates and patches for components as soon as they come out. 

7. Limit cardholder access

Access control is very important. It is important to implement an access control system on any system where you store or handle cardholder data.

You also need to train your employees according to the level of access they have. 

5dc98ee11ece9b0e27d40040
template-1
container

8. Unique identifiers for users with access to cardholder data

Implement multi-factor authentication for remote access accounts and monitor their use. These accounts include those used by vendors, IT personnel, business partners, etc. 

9. Restrict physical access to cardholder data

One area to secure includes any accessible network jacks within your facility. You also need to keep physical media secure. This can be done with access control systems that work with user authorization. 

10. Log and report network resources

Have a process in place that allows you to respond to any exceptions, or anomalies, in logs. In addition, hold your audit logs for at least a year. 

11. Run regular tests for security systems and processes

Running frequent tests on your security systems is a good way to ensure they are functioning correctly and are up to date. You should also run external vulnerability scans with a qualified vendor quarterly. 

12. Create a business policy regarding information security

Ensure that you develop written security and compliance policies. Having an incident response plan is also important in the event that any compromises of cardholder information occur. In addition, you should keep an up-to-date list of third-party service providers.

Bernhard Mehl

Bernhard is the co-founder and CEO of Kisi. His philosophy, "security is awesome," is contagious among tech-enabled companies.