{"id":77,"date":"2022-11-06T22:35:00","date_gmt":"2022-11-07T03:35:00","guid":{"rendered":"https:\/\/terrabytefoundry.com\/blog_s\/?p=77"},"modified":"2022-11-06T17:46:38","modified_gmt":"2022-11-06T22:46:38","slug":"intro-to-pci-version-4-requirement-9","status":"publish","type":"post","link":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/11\/06\/intro-to-pci-version-4-requirement-9\/","title":{"rendered":"Intro to PCI version 4: Requirement 9"},"content":{"rendered":"\n<p>PCI requirement 9 covers the physical security of data assets: protecting the physical side of data integrity while the data is in your environment, and after it potentially leaves your environment as well.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Overall Thoughts<\/h2>\n\n\n\n<p>On the surface, physical security looks the easiest.\u00a0 Check IDs so that people pretending to be employees don\u2019t walk in and take your stuff!\u00a0 If only it were that easy, but that isn\u2019t the entirety of what \u2018physical security\u2019 means in the data world.\u00a0 Digital assets can be modified and\/or compromised through \u2018physical\u2019 interaction with the media used for storage \u2013 which is the other part of the data security equation.\u00a0 Protecting the physical equipment from actual theft is important, but so is protecting the data on equipment\/items that are deemed no longer needed for business purposes.\u00a0 This is the crux of physical security in the modern data era.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What\u2019s New for Req 9 in v4<\/h2>\n\n\n\n<p>There isn\u2019t too much new in requirement 9 from the net-new perspective. The new controls in requirement 9 of v4 are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>9.1.2 &#8211; Roles and responsibilities for performing activities in Requirement 9 are documented, assigned, and understood. 
&lt;- literally cut and paste this line from the post on requirement 8 (which was cut from 7, etc.)<\/li>\n\n\n\n<li>9.5.1.2.1 &#8211; A targeted risk analysis is performed to determine the frequency of periodic POI device inspections \u2013 The entire concept of the Targeted Risk Analysis is new to PCI.\u00a0 We will cover the details in a later post.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Changes in 9 v4<\/h2>\n\n\n\n<p>Requirement 9 follows the pattern of the previous requirements we have discussed by focusing on managerial accountability and awareness, but it also reorganizes controls so that they are easier to manage and make more sense for internal operations.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>9 \u2013 Clarification\/guidance \u2013 In the overview, clarified the three different areas covered in Requirement 9 (sensitive areas, CDE, and facilities). Throughout, clarified whether each requirement applies to the CDE, sensitive areas, or facilities.<\/li>\n\n\n\n<li>9.1 \u2013 Now 9.2.4 \u2013 Clarification\/guidance &#8211; Added a requirement to address a former testing procedure bullet to restrict access to consoles in sensitive areas via locking when not in use.<\/li>\n\n\n\n<li>9.2 \u2013 Now 9.3.1\/9.3.2 \u2013 Structure\/format &#8211; Split requirement for identifying personnel and visitors into separate requirements, Requirements 9.3.1 and 9.3.2 respectively.<\/li>\n\n\n\n<li>9.4\/9.4.1\/9.4.2 \u2013 Now 9.3.2 \u2013 Structure\/format &#8211; Combined requirements for authorizing and managing visitor access together in Requirement 9.3.2.<\/li>\n\n\n\n<li>9.5\/9.5.1 \u2013 Now 9.4.1\/9.4.1.1\/9.4.1.2 \u2013 Clarification\/guidance &#8211; Removed requirement for procedures to physically secure media (9.5) and merged the procedures into the related requirements. 
Split requirement for storing media backups in a secure location and reviewing the security of the offline backup location at least every 12 months into 2 requirements.<\/li>\n\n\n\n<li>9.6\/9.6.1\/9.6.2\/9.6.3 \u2013 Now 9.4.2\/9.4.3\/9.4.4 &#8211; Clarification\/guidance &#8211; Removed requirement for procedures for internal and external distribution of media (9.6) and merged the procedures into the related requirements.<\/li>\n\n\n\n<li>9.7\/9.7.1 \u2013 Now 9.4.5\/9.4.5.1 &#8211; Clarification\/guidance &#8211; Removed requirement for procedures for strict control over storage and accessibility of media (9.7) and merged the procedures into the related requirements. Split requirement for maintaining media inventory logs and conducting media inventories annually into 2 requirements.<\/li>\n\n\n\n<li>9.8\/9.8.1\/9.8.2 \u2013 Now 9.4.6\/9.4.7 \u2013 Clarification\/guidance &#8211; Removed requirement for procedures for media destruction when media is no longer needed (9.8) and merged the procedures into the related requirements. 
Clarified that the options for destroying media when no longer needed include either destruction of electronic media or rendering cardholder data unrecoverable.<\/li>\n\n\n\n<li>9.9 \u2013 Now 9.5.1 \u2013 Clarification\/guidance &#8211; Clarified that the focus of the requirement is on \u201cPoint-of-interaction (POI) devices that capture payment card data via direct physical interaction with the payment card form factor.\u201d Clarified that this requirement applies to deployed POI devices used in card-present transactions.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>Even though most of the changes in R9 look to be structural, since they are combining controls and moving them around, the council considers them to be \u2018clarification\u2019 or additional \u2018guidance\u2019.&nbsp; This is because the reordering of the standard groups controls with others the council feels share a common theme.&nbsp; Within those areas there are also some additional changes that spell out expectations for the physical side of payment card security.&nbsp; I don\u2019t foresee a lot of expensive projects associated with the changes in requirement 9, but that is an assumption made with no knowledge of your environment.&nbsp; At the risk of sounding like a broken record, it is best to start talking to your trusted experts and any external sources early to determine the workstreams you have coming up.<\/p>\n\n\n\n<p>As always, I hope this tidbit of information gives you a base to have discussions with your internal subject matter experts and your trusted external sources for IT security and PCI knowledge.\u00a0 Feel free to reach out to me directly with questions or to have a conversation via my email and\/or social media information on the TBF website.\u00a0 Thanks for taking the time to read my thoughts on PCI v4 Requirement 9.\u00a0 We will continue to work through each of the PCI requirements each 
week.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"nf_dc_page":"","om_disable_all_campaigns":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[7],"tags":[],"class_list":["post-77","post","type-post","status-publish","format-standard","hentry","category-shawn"],"yoast_head_json":{"title":"Intro to PCI version 4: Requirement 9 - Shawn&#039;s Blog","canonical":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/11\/06\/intro-to-pci-version-4-requirement-9\/","og_site_name":"Shawn&#039;s Blog","article_published_time":"2022-11-07T03:35:00+00:00","author":"TBF_Shawn","twitter_misc":{"Written by":"TBF_Shawn","Est. reading time":"4 minutes"}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true}