The physical security requirements of the PCI DSS are by far the easiest to meet to the letter, but even these cause an inordinate amount of pain. This pain is rarely caused by the requirements themselves, but by the interpretation of them.
For example, if you were in-scope for the physical aspects, and I was to ask you if you HAD to have cameras to achieve PCI compliance, what would you say?
If you said something like “Not necessarily.”, “That depends.” or even a simple “No.”, you are correct. And if you don’t agree with that, just read the DSS:
“9.1.1 Use video cameras and/or access control mechanisms to monitor individual physical access to sensitive areas.”
I’ve used the word ‘intent’ many times in my blogs about PCI, because the intent of a requirement is always more important than the words written. Unfortunately, a lot of my clients, or even their QSAs, don’t even read the words, let alone interpret the language into something the business side can understand.
The intent of the physical requirements is that you restrict access to only those who need it, and that you keep a record of who was where, and when. That’s it, and if THIS is too much, you have more problems than PCI.
Going above and beyond is very simple, but there are too many options to go into here. Decide via your risk assessment process what is appropriate, get the relevant guidance if you don’t have it in-house, and stick with that.
For back-ups, this is just as simple, and the requirements are written down for you. However, there are some gotchas that I will address here:
1. “9.6.1 Classify media so the sensitivity of the data can be determined.” does NOT mean that you have to LABEL the media AS sensitive, it just means that you have to have a way of distinguishing the media that may contain sensitive data so that you can protect it accordingly.
2. If you do have physical media that contains encrypted cardholder data, the decryption keys are not stored with it, and the offsite facility has no means to GET access to the decrypt function, this media can be reasonably classified as out-of-scope for the same reasons P2PE is a de-scoping option for retail.
3. Far more prevalent these days is some form of network-attached storage (NAS) where the data is ‘striped’ across many disks. From my perspective, because the theft of any one (or even several) disks does not constitute the theft of reconstitutable cardholder data, only the management station used to control access to the data and NAS functions is relevant. Here all PCI controls relevant to a server would apply.
4. You must make sure you have a well-defined Data Classification Policy, or the data retention and destruction requirements have no context and cannot be properly validated. You will probably end up with a ton of data you don’t need, and your overall risk will steadily increase over time.
5. Go back over all of your business processes that could have ever resulted in the retention of cardholder data and deal with the resulting media accordingly. This includes paper.
Finally, there are the new-to-v3.0 requirements for the protection of “devices that capture payment card data” (DSS Reqs. 9.9.X). Bottom line: if you don’t have this stuff in place already, I can’t help you, and you may want to consider alternate employment options.
Not much more to say here, but I don’t want to underplay this too much and make the mistake of the curse of knowledge. Knowing where your sensitive data is in ALL its forms is critical, and both your physical access to it, and the protection / destruction of it, are extremely important concepts.