Posted on by TBF_Shawn

Intro to PCI version 4: Requirement 9

In PCI requirement 9 is on physical security of data assets.   Protecting the physical aspect of data integrity in your environment and after it potentially leaves your environment as well.

Overall Thoughts

On the surface physical security looks the easiest.  Check IDs so that people pretending to be employees don’t walk in and take your stuff!  If only it was that easy, but that isn’t the entirety of what is ‘physical security’ in the data world.  Digital assets can be modified and/or compromised through ‘physical’ interaction with the media used for storage – which is the other part of the data security equation.  Protecting the physical equipment from actual theft is important, but so is protecting the data on equipment/items that are deemed no longer needed for business purposes.  This is the crux of physical security in the modern data era.

What’s New for Req 9 in v4

There isn’t too much new in requirement 9, from the net-new perspective. The new controls in requirement 9 of v4 are:

  • 9.1.2 – Roles and responsibilities for performing activities in Requirement 9 are documented, assigned, and understood.es to the existing controls (surprised?) <- literally cut and paste this line from the post on requirement 8 (which was cut from 7, etc.)
  • 9.5.1.2.1 – A targeted risk analysis is performed to determine frequency of periodic POI device inspections – The entire concept of the Targeted Risk Analysis is new to PCI.  We will cover the details in a later post.

    Changes in 9 v4

    Requirement 9 is following the previous requirements we have discussed by focusing on managerial accountability and awareness, but is also moving in a direction to align things in ways to make it easier to manage and make more sense for internal operations.

    • 9 – Clarification/guidance – In the overview, clarified the three different areas covered in Requirement 9 (sensitive areas, CDE, and facilities). Throughout, clarified whether each requirement applies to the CDE, sensitive areas, or facilities.
    • 9.1 – Now 9.2.4 – Clarification/guidance – Added a requirement to address a former testing procedure bullet to restrict access to consoles in sensitive areas via locking when not in use.
    • 9.2 – 9.3.1/9.3.2 – Structure/format – Split requirement for identifying personnel and visitors into separate requirements, Requirements 9.3.1 and 9.3.2 respectively.
    • 9.4/9.4.1/9.4.2 – Now 9.3.2 – Structure/format – Combined requirements for authorizing and managing visitor access together in Requirement 9.3.2.
    • 9.5/9.5.1 – Now 9.4.1/9.4.1.1/9.4.1.2 – Clarification/guidance – Removed requirement for procedures to physically secure media (9.5) and merged the procedures into the related requirements. Split requirement for storing media backups in a secure location and reviewing the security of the offline backup location at least every 12 months into 2 requirements.
    • 9.6/9.6.1/9.6.2/9.6.3 – Now 9.4.2/9.4.3/9.4.4 – Clarification/guidance – Removed requirement for procedures for internal and external distribution of media (9.6) and merged the procedures into the related requirements.
    • 9.7/9.7.1 – Now 9.4.5/9.4.5.1 – Clarification/guidance – Removed requirement for procedures for strict control over storage and accessibility of media (9.7) and merged the procedures into the related requirements. Split requirement for maintaining media inventory logs and conducting media inventories annually into 2 requirements.
    • 9.8/9.8.1/9.8.2 – Now 9.4.6/9.4.7 – Clarification/guidance – Removed requirement for procedures for media destruction when media is no longer needed (9.8) and merged the procedures into the related requirements. Clarified options for destroying media when no longer needed includes either destruction of electronic media or rendering cardholder data unrecoverable.
    • 9.9 – Now 9.5.1 – Clarification/guidance – Clarified the focus of the requirement is on “Point-of-interaction (POI) devices that capture payment card data via direct physical interaction with the payment card form factor.” Clarified that this requirement applies to deployed POI devices used in card-present transactions.

    Conclusion

    Even though most of the changes in R9 look to be structural, since they are combining controls and moving them around, the council considers them to be ‘clarification’ or additional ‘guidance’.  This is because the movements within the order of the standard are aligning controls to be grouped with others that they feel share a common theme among them.  There are some additional changes within those areas with specifics on the expectations of the physical aspect of payment card security.  I don’t foresee a lot of expensive projects associated with the changes in requirement 9, but that is an assumption made with no knowledge of your environment.  At the risk of sounding like a broken record, it is best to start talking to your trusted experts and any external sources early to determine the workstreams you have ahead of you coming up.

    As always, I hope this tidbit of information gives you a base to have discussions with your internal subject matter experts and your trusted external sources for IT security and PCI knowledge.  Feel free to reach out to me directly with questions or to have a conversation via my email and/or social media information on the TBF website.  Thanks for taking the time to read my thoughts on PCI v4 Requirement 9.  We will continue to work through each of the PCI requirements each week.