Getting PCI Certified

PCI - Security Standards Council

PCI Compliance in Access Control

Any company or organization that accepts, processes, stores or transmits card payments has to comply with the PCI Data Security Standard (PCI DSS), so PCI compliance is one of the most fundamental components of running a lawful and secure business in the e-commerce industry.

There are many aspects of PCI DSS that a company handling card payments must take note of. They cover logical data security, encryption of cardholder data in transit and in storage, data-transfer and data-sharing policies, privacy rules, physical security and more.

A modern access control system is built on cloud and network technologies and is fully integrated with the rest of a company's security measures. This means the strict access control rules of PCI DSS apply to the physical access control system as well, not only to the IT systems that hold cardholder data, and a company that wants to qualify must treat it as in scope.

How to Make Physical Access Control PCI Compliant?

Requirements 7, 8 and 9 of PCI DSS govern access control. Requirement 7 restricts access to cardholder data by business need-to-know, Requirement 8 requires that every user be individually identified and authenticated, and Requirement 9 restricts physical access to cardholder data. The physical security compliance policy is therefore based on two principles: need-to-know and deny by default (the "zero trust" posture referred to in the checklist below).

Under Requirement 7, access to cardholder data, including physical access to the areas where it is stored or processed, must be restricted to the individuals whose job requires it, with access rights set to "deny all" unless specifically allowed, and the record of who was granted access must be maintained. Requirement 8 mandates that each person be assigned a unique ID so that every action on cardholder data systems can be traced to an individual rather than a shared badge or PIN. Requirement 9 requires that physical access to cardholder data areas be controlled, that visitors be identified and escorted, and that access records be retained (at least three months under the standard) and reviewed.

Take the following procedural steps to reach PCI physical security compliance for your company.

  • Determine which system components, including physical areas and the access control system itself, are in scope for PCI DSS, following the scoping guidance in the standard
  • Where the environment is large, select representative samples of those components for assessment, as the standard permits
  • Implement a deny-by-default (zero trust) rule for access control: nobody enters a cardholder data area unless a policy entry explicitly allows it
  • Monitor access control users closely, especially privileged users such as administrators who can change the access policy itself
  • Deploy validation and audit controls and procedures, including regular review of access logs
  • Automate validation and monitoring wherever possible so that the controls are applied consistently rather than by hand
  • Deploy access control that issues every user a unique ID, with no shared badges or PINs
  • Choose an access control system that is compatible with existing as well as future technologies
  • Compile the evidence and submit the required validation documents, a Self-Assessment Questionnaire or, for larger merchants, a Report on Compliance prepared by a Qualified Security Assessor, to your acquiring bank or card brand as they require; the PCI SSC publishes the standard but does not certify individual companies
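As an added illustration, not code from Kisi and not part of PCI DSS itself, the following Python puts the deny-by-default, need-to-know, unique-ID and audit principles from the steps above into one access decision function. The zone names, roles and user records are constructed for the example; a real deployment would back the policy table with the access control system's own configuration and ship the audit entries to a log store that retains them for the period the standard requires.

```python
"""Deny-by-default, need-to-know access decisions with an audit trail.

Added illustration only: this is not Kisi's code and not part of PCI DSS.
Zone names, role names and the user records below are constructed examples.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class User:
    user_id: str                 # unique per person: no shared badges or PINs
    roles: FrozenSet[str]
    privileged: bool = False     # can administer the access system itself
    active: bool = True          # set False the moment someone leaves


@dataclass(frozen=True)
class AuditEntry:
    when: datetime
    user_id: str
    zone: str
    allowed: bool
    reason: str
    privileged: bool


# Need-to-know table: zone -> roles whose job requires entry.
# A zone missing from this table is closed to everyone (the "deny all" default).
POLICY: Dict[str, FrozenSet[str]] = {
    "lobby": frozenset({"employee", "contractor", "dc-ops"}),
    "card-data-room": frozenset({"dc-ops"}),   # hypothetical cardholder data area
}


class AccessController:
    def __init__(self, policy: Dict[str, FrozenSet[str]]) -> None:
        self.policy = policy
        self.audit: List[AuditEntry] = []   # every decision, allowed or not, is recorded

    def authorize(self, user: User, zone: str, now: Optional[datetime] = None) -> bool:
        """Return True only if an explicit policy entry grants this user the zone."""
        now = now or datetime.now(timezone.utc)
        allowed_roles = self.policy.get(zone)
        if not user.user_id:
            decision, reason = False, "missing user ID"
        elif not user.active:
            decision, reason = False, "account deactivated"
        elif allowed_roles is None:
            decision, reason = False, "zone not in policy (default deny)"
        elif user.roles & allowed_roles:
            matched = ",".join(sorted(user.roles & allowed_roles))
            decision, reason = True, f"need-to-know role: {matched}"
        else:
            decision, reason = False, "no role with need-to-know for this zone"
        self.audit.append(AuditEntry(now, user.user_id, zone, decision, reason, user.privileged))
        return decision

    def privileged_activity(self) -> List[AuditEntry]:
        """Entries to review first: actions by users who can change the policy."""
        return [e for e in self.audit if e.privileged]

    def denials(self) -> List[AuditEntry]:
        """Denied attempts, the other list a reviewer should look at regularly."""
        return [e for e in self.audit if not e.allowed]


if __name__ == "__main__":
    ctl = AccessController(POLICY)
    ops = User("u-1001", frozenset({"dc-ops"}), privileged=True)
    contractor = User("u-2002", frozenset({"contractor"}))
    leaver = User("u-3003", frozenset({"dc-ops"}), active=False)
    for who, where in [(ops, "card-data-room"), (contractor, "card-data-room"),
                       (contractor, "lobby"), (ops, "roof"), (leaver, "card-data-room")]:
        print(who.user_id, where, ctl.authorize(who, where))
    for entry in ctl.audit:
        print(entry.when.isoformat(), entry.user_id, entry.zone, entry.allowed, entry.reason)
```

Note that the deactivated user is refused even though their role would otherwise match, and that a zone with no policy entry is refused for everyone: both are consequences of starting from "deny all" rather than from "allow unless forbidden". The audit list records the reason for every decision, which is what an assessor reviewing access records will ask for.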

Checklist for PCI Compliance

  • Forward/backward compatible access control system
  • ID based access control
  • Zero-trust based access control policy
  • Robust physical restriction of the areas where card information is stored or processed
  • Formalized access policy
  • “Deny all” policy implemented for data access