Physical security

PCI Physical Security: How To Comply

The purpose of the Payment Card Industry Data Security Standard (PCI DSS) is to physically secure cardholder data enviro

4 min reading time

PCI Physical Security: How To Comply

Updated on December 01, 2022

Written by Bernhard Mehl

Share this article

The purpose of the Payment Card Industry Data Security Standard (PCI DSS) is to physically secure cardholder data environments (CDE). There have been millions of cases of compromised credit card information all across the world. Thus, these security standards are very important.

A situation like this is a huge inconvenience for the customer, as well as the financial institution responsible. Taking steps to protect financial information is critical. Hence, we introduce the ultimate quick-read compliance guide - PCIPhysical Security: How To Comply.

Below we list the 12 requirements for PCI Physical Security, with an easy breakdown for how to comply.

Requirements And How To Comply #

1. Implement and maintain a firewall to safeguard cardholder data. #

Ensure that there is a secure zone for the storage of card data and put firewalls in place to ensure that there is only necessary traffic entering your CDE.

2. Create custom passwords #

Make sure you create strong, custom passwords and other unique security measures instead of using the default settings for your systems.

3. Safeguard all cardholder information #

Make sure that you document a data retention policy, along with double-checking that your employees are aware of, and trained to, understand the policy.

It is also a good idea to have as few employees as possible with authorized access to your primary account number database.

4. Encrypt cardholder data #

It’s essential to verify that encryption certificates, as well as keys, are reliable and can be trusted. Prohibit the use of wireless encryption standards that are not secure.

5. Implement and actively update anti-virus software #

It’s critical to set automatic scans to detect malicious software regularly. Maintaining audit logs and documenting malware procedures is important for review and system evaluation.

For this security measure, it is also important to set up administrative access to your anti-virus so that users can’t disable it.

6. Create secure systems and applications. #

To create, and sustain, a secure system, you need to keep up with security updates and patches for components as soon as they come out.

7. Limit cardholder access #

Access control is very important. It is important to implement an access control system on any system where you store or handle cardholder data.

You also need to train your employees according to the level of access they have.

The Role of Physical Access Control for IT

Learn about future-proof access control with Kisi

8. Unique identifiers for users with access to cardholder data #

Implement multi-factor authentication for remote access accounts and monitor their use. These accounts include those used by vendors, IT personnel, business partners, etc.

9. Restrict physical access to cardholder data #

One area to secure includes any accessible network jacks within your facility. You also need to keep physical media secure. This can be done with access control systems that work with user authorization.

10. Log and report network resources #

Have a process in place that allows you to respond to any exceptions, or anomalies, in logs. In addition, hold your audit logs for at least a year.

11. Run regular tests for security systems and processes #

Running frequent tests on your security systems is a good way to ensure they are functioning correctly and are up to date. You should also run external vulnerability scans with a qualified vendor quarterly.

12. Create a business policy regarding information security #

Ensure that you develop written security and compliance policies. Having an incident response plan is also important in the event that any compromises of cardholder information occur. In addition, you should keep an up-to-date list of third-party service providers.

Bernhard Mehl

Bernhard is the co-founder and CEO of Kisi. His philosophy, "security is awesome," is contagious among tech-enabled companies.

Save time. Enhance security.

Modernize your access control with remote management and useful integrations.

Related articles