Req 9: Restrict Physical Access to Cardholder Data
Secure physical locations containing sensitive data.
Responsibility
Shared
Compliance Status
Compliant
100%
Overview
Physical access to systems or stored data can lead to compromise. This requirement focuses on implementing controls to restrict physical access to facilities and media where cardholder data is located.
Key Actions for Compliance
A non-exhaustive list of actions your organization should take to meet this requirement.
- Use appropriate facility entry controls to monitor and control physical access to sensitive areas.
- Maintain a visitor log and issue badges to all visitors.
- Store media backups in a secure location, preferably off-site.
- Destroy media when it is no longer needed for business or legal reasons.
Testing Procedures (Simplified)
How auditors may verify that this requirement is met.
- Inspect physical security controls, such as cameras, locks, and entry control systems.
- Review visitor logs to ensure they are complete and reviewed.
- Examine procedures for storing and destroying media.