PCI DSS 4.0.1
Browse PCI DSS 4.0.1
9.1 9.2 9.3 9.4 9.5
9.3: 1. Procedures are implemented for authorizing and managing physical access of personnel to the CDE, including: (a) Identifying personnel, (b) Managing changes to an individual’s physical access requirements, (c) Revoking or terminating personnel identification, (d) Limiting access to the identification process or system to authorized personnel.
  • Examine documented procedures to verify that procedures to authorize and manage physical access of personnel to the CDE are defined in accordance with all elements specified in this requirement.
  • Observe identification methods, such as ID badges, and processes to verify that personnel in the CDE are clearly identified.
  • Observe processes to verify that access to the identification process, such as a badge system, is limited to authorized personnel.
Not Applicable - Not applicable
No - The outcome(s) have not been meaningfully implemented.
Tier 1: Partial - Application of the organizational cybersecurity risk strategy is managed in an ad hoc manner. Prioritization is ad hoc and not formally based on objectives or threat environment.
Tier 2: Risk Informed - Risk management practices are approved by management but may not be established as organization-wide policy. The prioritization of cybersecurity activities and protection needs is directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
Tier 3: Repeatable - The organization’s risk management practices are formally approved and expressed as policy. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements, threats, and technological landscape.
Tier 4: Adaptive - There is an organization-wide approach to managing cybersecurity risks that uses risk-informed policies, processes, and procedures to address potential cybersecurity events.

Description

Purpose

Establishing procedures for granting, managing, and removing access when it is no longer needed ensures non-authorized individuals are prevented from gaining access to areas containing cardholder data. In addition, it is important to limit access to the actual badging system and badging materials to prevent unauthorized personnel from making their own badges and/or setting up their own access rules.

Good Practice

It is important to visually identify the personnel that are physically present, and whether the individual is a visitor or an employee.

Definitions

Refer to Appendix G for the definition of “personnel.”

Examples

One way to identify personnel is to assign them badges.

9.3: 1.1. Physical access to sensitive areas within the CDE for personnel is controlled as follows: (a) Access is authorized and based on individual job function, (b) Access is revoked immediately upon termination, (c) All physical access mechanisms, such as keys, access cards, etc., are returned or disabled upon termination.
  • Observe personnel in sensitive areas within the CDE, interview responsible personnel, and examine physical access control lists to verify that:
  • • Access to the sensitive area is authorized.
  • • Access is required for the individual’s job function.
  • Observe processes and interview personnel to verify that access of all personnel is revoked immediately upon termination.
  • For terminated personnel, examine physical access controls lists and interview responsible personnel to verify that all physical access mechanisms (such as keys, access cards, etc.) were returned or disabled.
Not Applicable - Not applicable
No - The outcome(s) have not been meaningfully implemented.
Tier 1: Partial - Application of the organizational cybersecurity risk strategy is managed in an ad hoc manner. Prioritization is ad hoc and not formally based on objectives or threat environment.
Tier 2: Risk Informed - Risk management practices are approved by management but may not be established as organization-wide policy. The prioritization of cybersecurity activities and protection needs is directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
Tier 3: Repeatable - The organization’s risk management practices are formally approved and expressed as policy. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements, threats, and technological landscape.
Tier 4: Adaptive - There is an organization-wide approach to managing cybersecurity risks that uses risk-informed policies, processes, and procedures to address potential cybersecurity events.

Description

Purpose

Controlling physical access to sensitive areas helps ensure that only authorized personnel with a legitimate business need are granted access.

Good Practice

Where possible, organizations should have policies and procedures to ensure that before personnel leaving the organization, all physical access mechanisms are returned, or disabled as soon as possible upon their departure. This will ensure personnel cannot gain physical access to sensitive areas once their employment has ended.

9.3: 2. Procedures are implemented for authorizing and managing visitor access to the CDE, including: (a) Visitors are authorized before entering, (b) Visitors are escorted at all times, (c) Visitors are clearly identified and given a badge or other identification that expires, (d) Visitor badges or other identification visibly distinguishes visitors from personnel.
  • Examine documented procedures and interview personnel to verify procedures are defined for authorizing and managing visitor access to the CDE in accordance with all elements specified in this requirement.
  • Observe processes when visitors are present in the CDE and interview personnel to verify that visitors are:
  • • Authorized before entering the CDE.
  • • Escorted at all times within the CDE.
  • Observe the use of visitor badges or other identification to verify that the badge or other identification does not permit unescorted access to the CDE.
  • Observe visitors in the CDE to verify that:
  • • Visitor badges or other identification are being used for all visitors.
  • • Visitor badges or identification easily distinguish visitors from personnel.
  • Examine visitor badges or other identification and observe evidence in the badging system to verify visitor badges or other identification expires.
Not Applicable - Not applicable
No - The outcome(s) have not been meaningfully implemented.
Tier 1: Partial - Application of the organizational cybersecurity risk strategy is managed in an ad hoc manner. Prioritization is ad hoc and not formally based on objectives or threat environment.
Tier 2: Risk Informed - Risk management practices are approved by management but may not be established as organization-wide policy. The prioritization of cybersecurity activities and protection needs is directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
Tier 3: Repeatable - The organization’s risk management practices are formally approved and expressed as policy. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements, threats, and technological landscape.
Tier 4: Adaptive - There is an organization-wide approach to managing cybersecurity risks that uses risk-informed policies, processes, and procedures to address potential cybersecurity events.

Description

Purpose

Visitor controls are important to reduce the ability of unauthorized and malicious persons to gain access to facilities and potentially to cardholder data.

Visitor controls ensure visitors are identifiable as visitors so personnel can monitor their activities, and that their access is restricted to just the duration of their legitimate visit.

Definitions

Refer to Appendix G for the definition of “visitor.”

9.3: 3. Visitor badges or identification are surrendered or deactivated before visitors leave the facility or at the date of expiration.
  • Observe visitors leaving the facility and interview personnel to verify visitor badges or other identification are surrendered or deactivated before visitors leave the facility or at the date of expiration. upon departure or expiration.
Not Applicable - Not applicable
No - The outcome(s) have not been meaningfully implemented.
Tier 1: Partial - Application of the organizational cybersecurity risk strategy is managed in an ad hoc manner. Prioritization is ad hoc and not formally based on objectives or threat environment.
Tier 2: Risk Informed - Risk management practices are approved by management but may not be established as organization-wide policy. The prioritization of cybersecurity activities and protection needs is directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
Tier 3: Repeatable - The organization’s risk management practices are formally approved and expressed as policy. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements, threats, and technological landscape.
Tier 4: Adaptive - There is an organization-wide approach to managing cybersecurity risks that uses risk-informed policies, processes, and procedures to address potential cybersecurity events.

Description

Purpose

Ensuring that visitor badges are returned or deactivated upon expiry or completion of the visit prevents malicious persons from using a previously authorized pass to gain physical access into the building after the visit has ended.

9.3: 4. Visitor logs are used to maintain a physical record of visitor activity both within the facility and within sensitive areas, including: (a) The visitor’s name and the organization represented, (b) The date and time of the visit, (c) The name of the personnel authorizing physical access, (d) Retaining the log for at least three months, unless otherwise restricted by law.
  • Examine the visitor logs and interview responsible personnel to verify that visitor logs are used to record physical access to both the facility and sensitive areas.
  • Examine the visitor logs and verify that the logs contain:
  • • The visitor’s name and the organization represented.
  • • The personnel authorizing physical access.
  • • Date and time of visit.
  • Examine visitor log storage locations and interview responsible personnel to verify that the log is retained for at least three months, unless otherwise restricted by law.
Not Applicable - Not applicable
No - The outcome(s) have not been meaningfully implemented.
Tier 1: Partial - Application of the organizational cybersecurity risk strategy is managed in an ad hoc manner. Prioritization is ad hoc and not formally based on objectives or threat environment.
Tier 2: Risk Informed - Risk management practices are approved by management but may not be established as organization-wide policy. The prioritization of cybersecurity activities and protection needs is directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
Tier 3: Repeatable - The organization’s risk management practices are formally approved and expressed as policy. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements, threats, and technological landscape.
Tier 4: Adaptive - There is an organization-wide approach to managing cybersecurity risks that uses risk-informed policies, processes, and procedures to address potential cybersecurity events.

Description

Purpose

A visitor log documenting minimum information about the visitor is easy and inexpensive to maintain. It will assist in identifying historical physical access to a building or room and potential access to cardholder data.

Good Practice

When logging the date and time of visit, including both in and out times is considered a best practice, since it provides helpful tracking information and provides assurance that a visitor has left at the end of the day. It is also good to verify that a visitor’s ID (driver’s license, etc.) matches the name they put on the visitor log.