The Green Sheet Online Edition

March 22, 2010 • Issue 10:03:02

Digging into PCI - Part 9:
Restrict physical access to cardholder data

By Tim Cranny
Panoptic Security Inc.

This installment of our multipart series on the Payment Card Industry (PCI) Data Security Standard (DSS) drills down on the ninth of the PCI's 12 requirements. Herein, I will discuss the issues, what merchants need to do, and what ISOs, merchant level salespeople and other service providers can do to help merchants achieve compliance.

Requirement 9 is "Restrict physical access to cardholder data." It is the third and final part of the PCI section titled "Implement Strong Access Control Measures."

The first part of that section (Requirement 7) sets forth the general high-level principles of access control; Requirement 8 provides technical details about access controls for computers; Requirement 9 contains specifics on the other main area of access control: physical security.

What Requirement 9 is all about

The core idea behind Requirement 9 is simple: your computer systems and records are not safe unless you stop attackers from physically getting their hands on them. This is obviously true for paper records, but most people don't appreciate that it is also very much true for computers.

Too many merchants think breaches are always a long-distance, over-the-Internet thing. In reality, several types of attacks on computers that are almost unstoppable once underway can only be launched when the perpetrator is physically sitting at the computer under attack.

In this situation, expensive and sophisticated security software and devices are less useful than a good deadbolt or burglar alarm. What merchants need to do, and what PCI demands they do, is use the right physical security solutions (locks, alarms and security cameras, for example) in addition to the right software and devices.

Requirement 9 is an example of defense in depth, a core security principle that entails using multiple overlapping security solutions so that if one of them fails or is not activated, others can still protect you.

The challenges of Requirement 9

The good news is few challenges are associated with this requirement. Also, Requirement 9 is easy to understand: unlike most sections of the PCI DSS, the average merchant can read through the list of details and not get confused by technical jargon. Furthermore, it's easy to understand what the problem is, as well as the 'what' and 'why' of situations governed by the requirement.

In Requirement 9, as in other PCI requirements, merchants with more complex or risky environments face a heavier, more complicated documentation and compliance burden.

Merchants might think physical security is the one area where computers and electronic records don't make much of a difference, but that is not true. In reality, merchants with multiple computers and/or electronic records have much to identify and protect. They need to address the physical security of the computers themselves, network jacks, wireless access points and so on.

Physical media (paper documents, CDs, thumb-drives, et cetera) need a surprising amount of attention as well, since merchants must be careful in organizing and classifying these media correctly, as well as in thereafter protecting, tracking, controlling and even destroying sensitive ones, as required.

What merchants need to do

To comply with Requirement 9, merchants must make sure unauthorized people (including unauthorized staff) can't get their hands on anything sensitive, including POS equipment, computers, paper records, electronic files and so on. The associated tasks can be broken down into the following five general categories:

1. Make sure all paper and electronic media that contain cardholder data are physically secure (using obvious solutions like burglar alarms and locks on doors, offices, and/or filing cabinets, as appropriate).

2. Restrict access to protected areas: keep customers and potential attackers out of such areas. And make sure you can always tell the difference between customers, potential attackers and staff authorized to access protected areas.

3. Make sure you control how media (paper, CDs, thumb-drives, et cetera) are used. This is more complicated than it sounds and includes the following:
   • Knowing precisely which media have sensitive cardholder data on them (if you don't have a careful classification and tracking system in place, you have to protect all media as if it were sensitive all the time)

   • Distributing sensitive media and information only to people (inside the company and outside) who absolutely need them and have a right to them, and making sure the distribution system is secure (no sending it through the mail or via e-mail without encryption)

   • Controlling who can take such media out of secured areas

   • Restricting who can go in to secured areas

   • Keeping logs on access attempts and requests for permission to access records
4. Protect backups of sensitive data as carefully as you do the original data.

5. Destroy sensitive data carefully when it is no longer needed for business or legal reasons. Destruction is not merely throwing something into a garbage can or recycle bin: it means destroying the physical object.

Paper should be cross-cut shredded, burned or pulped. Hard disks, thumb-drives and so forth should be physically smashed, not just erased through reformatting. (Memory devices are getting cheaper every month, so it isn't expensive to follow such a policy. It can be far more expensive not to do so.)

What you need to do for your merchants

Requirement 9 is one of the simplest, do-it-yourself parts of PCI compliance, so there are relatively few opportunities for ISOs and other portfolio owners to do much good (or harm, for that matter).

A small percentage of merchants might want assistance finding point solutions like shredders or video cameras, but other parts of PCI DSS compliance will be far more painful and demanding.

So Requirement 9 should be a minor background issue most of the time.

ISOs and other merchant service providers should emphasize to merchants that, although it is simple, Requirement 9 is just as critical as the more complicated parts of PCI, and then spend most of their time helping merchants ensure that their PCI programs can deal with the messier, more demanding aspects.

Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at tim.cranny@panopticsecurity.com or 801-599 3454.

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.