The Role of Physical Access Control for IT
Learn about future-proof access control with Kisi
Physical security
PCI Physical Security: How To Comply
The purpose of the Payment Card Industry Data Security Standard (PCI DSS) is to physically secure cardholder data enviro
4 min reading time
Updated on December 01, 2022
Written by Bernhard Mehl
Share this article
The purpose of the Payment Card Industry Data Security Standard (PCI DSS) is to physically secure cardholder data environments (CDE). There have been millions of cases of compromised credit card information all across the world. Thus, these security standards are very important.
A situation like this is a huge inconvenience for the customer, as well as the financial institution responsible. Taking steps to protect financial information is critical. Hence, we introduce the ultimate quick-read compliance guide - PCIPhysical Security: How To Comply.
Below we list the 12 requirements for PCI Physical Security, with an easy breakdown for how to comply.
Requirements And How To Comply
1. Implement and maintain a firewall to safeguard cardholder data.
Ensure that there is a secure zone for the storage of card data and put firewalls in place to ensure that there is only necessary traffic entering your CDE.
2. Create custom passwords
Make sure you create strong, custom passwords and other unique security measures instead of using the default settings for your systems.
3. Safeguard all cardholder information
Make sure that you document a data retention policy, along with double-checking that your employees are aware of, and trained to, understand the policy.
It is also a good idea to have as few employees as possible with authorized access to your primary account number database.
4. Encrypt cardholder data
It’s essential to verify that encryption certificates, as well as keys, are reliable and can be trusted. Prohibit the use of wireless encryption standards that are not secure.
5. Implement and actively update anti-virus software
It’s critical to set automatic scans to detect malicious software regularly. Maintaining audit logs and documenting malware procedures is important for review and system evaluation.
For this security measure, it is also important to set up administrative access to your anti-virus so that users can’t disable it.
6. Create secure systems and applications.
To create, and sustain, a secure system, you need to keep up with security updates and patches for components as soon as they come out.
7. Limit cardholder access
Access control is very important. It is important to implement an access control system on any system where you store or handle cardholder data.
You also need to train your employees according to the level of access they have.
8. Unique identifiers for users with access to cardholder data
Implement multi-factor authentication for remote access accounts and monitor their use. These accounts include those used by vendors, IT personnel, business partners, etc.
9. Restrict physical access to cardholder data
One area to secure includes any accessible network jacks within your facility. You also need to keep physical media secure. This can be done with access control systems that work with user authorization.
10. Log and report network resources
Have a process in place that allows you to respond to any exceptions, or anomalies, in logs. In addition, hold your audit logs for at least a year.
11. Run regular tests for security systems and processes
Running frequent tests on your security systems is a good way to ensure they are functioning correctly and are up to date. You should also run external vulnerability scans with a qualified vendor quarterly.
12. Create a business policy regarding information security
Ensure that you develop written security and compliance policies. Having an incident response plan is also important in the event that any compromises of cardholder information occur. In addition, you should keep an up-to-date list of third-party service providers.
Bernhard Mehl
Bernhard is the co-founder and CEO of Kisi. His philosophy, "security is awesome," is contagious among tech-enabled companies.
