PCI DSS Implementation Guide
• Information Security Policy
Physical access considerations within a CDE are equally important as electronic access, as it is sometimes the case that individuals write cardholder information down or print hard copies when they should not. This requirement ensures all appropriate controls are in place to physically secure the CDE. A Physical Security Policy must be implemented to set out how the organization approaches the security of the buildings, offices, hardware etc. that make up the Cardholder Data Environment. The policy must state which entry controls the organization uses to restrict access to the CDE and which surveillance mechanisms, for example video cameras, are in place. Physical and/or logical controls must be in place to protect the following components:
• Network jacks in public locations
• Wireless access points
• Gateways
• Handheld devices
• Networking or communication lines
Asset management is also a key part of this requirement. Recording information such as the make, model and serial number of assets is important to be able to correctly identify them. Procedures will also need to be implemented for the protection of assets going offsite in order to keep the Cardholder Data Environment secure. Periodic inspection of assets is also required to help the organization detect tampering which could compromise cardholder data. Training on how to inspect assets will need to be provided to the appropriate individuals. Finally, it is required that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.
3.10 Requirement 10: Track and monitor access to network resources and cardholder data

Relevant Toolkit Documents
• Network Security Policy
• Procedure for Monitoring the Use of IT Systems
• Security Incident Response Procedure
• Information Security Policy
Logging and the ability to track user activities are critical in preventing, detecting or minimizing the impact of a data compromise. This requirement sets out objectives to ensure all appropriate systems are actively logging relevant events and that these logs are being reviewed on a regular basis. A procedure for the monitoring of IT systems must be in place which explains what is monitored, when and how, including:
• Unauthorised access attempts
• Unusual use of privileged accounts, for example, administrator
• Attachment of unauthorised removable media devices
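As an added illustration of what a periodic log review for the three event types listed above might look like in practice (example code written for this guide, not part of the toolkit), the script below runs over constructed syslog-style lines and flags repeated failed logins, privileged-account use outside business hours, and removable media not on an approved list. The thresholds, account names, media serials and log formats are assumptions standing in for values the organization's own monitoring procedure would define.

```python
import re
from datetime import datetime

# Constructed sample log lines (syslog-like; not taken from any real system).
SAMPLE_LOGS = """\
2024-03-04T09:12:03 pos-srv01 sshd: Failed password for invalid user backup from 10.10.5.23
2024-03-04T09:12:07 pos-srv01 sshd: Failed password for invalid user backup from 10.10.5.23
2024-03-04T09:12:11 pos-srv01 sshd: Failed password for invalid user backup from 10.10.5.23
2024-03-04T10:05:44 pos-srv01 sshd: Accepted publickey for jsmith from 10.10.1.8
2024-03-04T02:41:19 db-cde01 sudo: admin : COMMAND=/bin/cat /var/lib/pan/export.csv
2024-03-04T14:20:00 pos-srv01 kernel: usb-storage: device attached serial=USB-ALLOWED-001
2024-03-04T14:22:31 pos-srv01 kernel: usb-storage: device attached serial=USB-UNKNOWN-77
"""

# Assumed review parameters; in practice these come from the monitoring procedure.
FAILED_LOGIN_THRESHOLD = 3             # this many failures from one source = access attempt
BUSINESS_HOURS = range(8, 19)          # privileged use outside 08:00-18:59 is "unusual"
PRIVILEGED_ACCOUNTS = {"root", "admin"}
APPROVED_MEDIA = {"USB-ALLOWED-001"}   # serials of removable media the organization authorised

FAILED_RE = re.compile(r"^(\S+) (\S+) sshd: Failed password .* from (\S+)$")
SUDO_RE = re.compile(r"^(\S+) (\S+) sudo: (\S+) : COMMAND=(.*)$")
USB_RE = re.compile(r"^(\S+) (\S+) kernel: usb-storage: device attached serial=(\S+)$")

def review_logs(text):
    """Return (category, host, detail) findings for the three event types the
    monitoring procedure calls out, in the order they appear in the log."""
    findings = []
    failures = {}                      # (host, source_ip) -> count of failed logins
    for line in text.splitlines():
        if m := FAILED_RE.match(line):
            key = (m[2], m[3])
            failures[key] = failures.get(key, 0) + 1
            if failures[key] == FAILED_LOGIN_THRESHOLD:   # report once per source
                findings.append(("unauthorised_access_attempt", m[2],
                                 f"{FAILED_LOGIN_THRESHOLD} failed logins from {m[3]}"))
        elif m := SUDO_RE.match(line):
            hour = datetime.fromisoformat(m[1]).hour
            if m[3] in PRIVILEGED_ACCOUNTS and hour not in BUSINESS_HOURS:
                findings.append(("unusual_privileged_use", m[2], f"{m[3]} ran {m[4]} at {m[1]}"))
        elif m := USB_RE.match(line):
            if m[3] not in APPROVED_MEDIA:
                findings.append(("unauthorised_removable_media", m[2], f"serial {m[3]}"))
    return findings

if __name__ == "__main__":
    for finding in review_logs(SAMPLE_LOGS):
        print(finding)
```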