Credit cards hold a remarkable amount of cardholder data. If that data were to fall into the wrong hands, it could ruin a persons life. Now, imagine your company has a database of millions of credit cards that are unique to their cardholder. If that database were to be remotely breached via a phishing scam or hack, your entire database of payment cards could be stolen in a blink of an eye. In 2012 alone, attackers posing as legitimate service people substituted the payment devices and subsequently compromised three large retailers. It was found that 39% of organizations had been breached through insecure remote access (which was the single largest origin of compromise that organizations encountered).
To limit these breaches, the Payment Card Industry Data Security Standard (PCI DSS) information security standards have specified 12 requirements that companies of varying size are required to comply with on an annual basis. We will address requirement #9, which addresses sensitive customer authentication data, the restriction of physical access, and much more. Adhering to PCI DSS Requirement 9 is paramount to maintaining the integrity of your physical and digital data and ensuring that your cardholder data environment (CDE) is secure.
What is Sensitive Authentication Data?
A basic tenet of information security in any system is to prevent or limit physical access to information storage media as much as possible. Physical access to the hardware storing cardholder data such as personal account numbers gives thieves an easy way to circumvent every protection measure at the edge of your network. This physical access is in the form of sensitive authentication data (SAD) which is primarily security-related information that includes card validation codes and values (CVV2 and CVC2 data). SADs also include full magnetic-stripe data such as your personal identification number that is used to authenticate your access and/or authorize payment card transactions.
SAD must not be stored after authorization which is the foundation for the implementation of PCI requirement 9. For added security, organizations must configure, examine, and confirm system settings and all necessary configurations for system components to ensure appropriate SAD protections:
- Ensure that the full contents of any track from the magnetic stripe on the back of card or equivalent data on a chip are not stored after authorization.
- Ensure that the 3-digit or 4-digit card verification code or value printed on the front of the card or the signature panel (CVV2, CVC2, CID, CAV2 data) is not stored after authorization.
- Ensure that PINs and encrypted PIN blocks are not stored after authorization.
Types of Credit Verification Code Data
Card Code Verification (CCV) provides an extra measure of security against fraudulent credit card transactions. The Card Code is a security code that is printed on a credit card’s signature panel in reverse italics, or following the full card number on the front of the card. These are known as card not present transactions, which include virtually every purchase you make while shopping online during e-commerce transactions. Card security codes were instituted in the late 1990s and early 2000s in direct response to the growth in online shopping. MasterCard was the first company to adopt them in 1997, followed by American Express in 1999 and Visa in 2001. Today, including card security codes on payment cards is standard procedure for all major card issuers.
The codes vary according to the network, and each network has its own name for the security feature:
- Visa: Card Verification Value 2 (CVV2)
- MasterCard: Card Validation Code 2 (CVC2)
- Discover: Card Member ID (CMID)
- American Express: Card Identification Number (CID)
It is not permitted to retain CVCs or values once the specific purchase or transaction for which it was collected has been authorized. Some service providers offer a concierge-style service, where cardholder details are retained by the provider to facilitate potential future transactions. It should be noted that this card verification code/value retention is prohibited under PCI DSS Requirement 3.2.
Assess your PCI compliance
PCI DSS Requirement 9
PCI DSS Requirement 9 is fully dedicated to halting the cardholder data theft (which is not limited to remote hacking instances). Criminals often attempt to access cardholder data by physically stealing hardware that contains SAD (i.e. via a database server) or paper receipts with cardholder data (which is quite common in retail or hospitality industries). Another very common practice is tampering with or substituting legitimate card reading devices.
PCI DSS Requirement 9, with its 10 sub-requirements, was created to help protect cardholder data from a physical point of view. Each of the sub-requirements is dedicated to a different aspect of the physical security and includes detailed explanations on how to complete tasks that comprise the entire requirement:
| Section | Requirements |
| 9.1 | Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment. |
| 9.2 | Develop procedures to easily distinguish between onsite personnel and visitors, especially in areas where cardholder data is accessible. GIVE EVERY USER A UNIQUE ID. Every user with access to the Cardholder Data Environment must have a unique ID. This allows a business to trace every action to a specific individual. |
| 9.3 | Ensure all visitors are authorized before entering areas where cardholder data is processed or maintained; given a physical token that expires and that identifies visitors as not onsite personnel; and are asked to surrender the physical token before leaving the facility or at the date of expiration. |
| 9.4 | Use a visitor log to maintain a physical audit trail of visitor information and activity, including visitor name, their company and the onsite personnel authorizing physical access. Retain the log for at least three months unless otherwise restricted by law. |
| 9.5 | Store media back-ups in a secure location, preferably off site. |
| 9.6 | Physically secure all media. |
| 9.7 | Maintain strict control over the internal or external distribution of any kind of media. Classify media so the sensitivity of the data can be determined. |
| 9.8 | Ensure that management approves all media moved from a secured area, especially when media is distributed to individuals. |
| 9.9 | Maintain strict control over the storage and accessibility of media. |
| 9.10 | Destroy media when it is no longer needed for business or legal reasons. |
Requirement 9 also covers physical security pertaining to media containing SAD such as electronic media such as CDs/DVDs, hard drives, USB keys, and tape backup. Sensitive areas that require heightened physical security to protect SAD include data centers, server rooms, call centers, network equipment locations, etc. but do not include public-facing areas such as an in-store cashier. Facility controls must be implemented for individuals that enter and exit such facilities, such as a documented and formalized provisioning and de-provisioning process, closed circuit monitoring and recording, procedures for safely storing and retrieving media, along with a laundry list of other essential requirements.
Limiting Access To Personnel
Full-time, part-time, and temporary employees, as well as contractors and consultants who are physically present on the entitys premises are the personnel who are the primary focus for Requirement 9. Vendors, guests of onsite personnel, service workers, or anyone who needs to enter the facility for a short duration (usually no more than 24 hours) are referred to as visitors. All paper and electronic media containing cardholder data are classified as media under Requirement 9.
Physical access should be restricted for all onsite personnel, visitors and media personnel. Onsite personnel include all individuals who work as employees of the company in any way, visitors are outsiders who visit the faculty because of any work-related issue or as guests, and media includes all print and electronic media. Access must be controlled in such a manner that only those employees should be allowed to visit the sensitive areas, who have a work-related need and are properly authorized. Instructions that your organization should follow to maintain compliance with PCI DSS Requirement 9 based on limiting access to personnel are as follows:
- All visitors should be verified before granting access and must be escorted throughout their visit to areas holding cardholder data.
- Visitor identification such as visitor badges must be identifiable from the inside personnel and should be expired after a certain condition is met.
- Visitors must be asked to return their badges before leaving the facility.
- Maintain a visitor log to keep a record of all individuals visiting the areas holding sensitive information. These logs must mention the name of the visitor, the company on whose behalf they are visiting and the inside personnel who granted them access.
- Keep the log records for a minimum of 3 months.
Once you ascertain which systems you must protect, put controls in place via a data security solution to restrict access to onsite personnel, such as badge readers and keyed locks. Create an inventory of your systems that currently store, process, transmit or can affect the security of your CDE will help you protect your customers SAD. List the applications running on these systems, including their version number to ensure that youre always on top of known vulnerabilities. Then, identify the physical locations of these systems and who should have access to them.
When visitors need to enter sensitive areas, make sure they are authorized and always escorted by an employee. You will also need to implement automated lockout/timeout controls on workstations, and periodically inspect all devices. When an authorized individual is requesting access to sensitive areas, ensure that all access permissions are taken back from him/her after they have finished their session. This ensures that they cannot get access to the CDE again without authorized approval. You should also verify that none of the recently terminated employees of the organization are trying to gain access to these areas.
Most importantly of all: you must train your staff regularly about physical security, policies and procedures, and social engineering. Employees may think physical security only applies after hours but
If youre not careful with how you store your cardholder data and SAD, your company might be unconsciously painting a bullseye on its back for hackers and/or uncouth employees to exploit. Case in point, in 2017, a contracted employee at Anthem stole the personal health information (including Social Security and Medicare information data) of more than 18,000 Anthem Medicare enrollees. All this contractor had to do was copy the data from Anthem systems and email it to his personal email address for distribution to the dark web.
Closing Thoughts
Organizations are required to not only achieve 100% PCI DSS compliance always, but also to maintain it year after year. To protect your company against data breaches, you need the most up-to-date cybersecurity methods and personnel trained to protect your CDE. With 25% of data breaches originating from internal employees and 66% of breaches pertaining to malicious malware installed via employee email attachments based on a 2017 Verizon Data Breach Investigation Report, it would behoove your organization to limit personnel access and train them to deflect potential CDE intrusions. When it comes to protecting your CDE and protecting data in transit, you need to maintain compliance with all sub-requirements of PCI DSS Requirement 9 as well as the other 11 PCI DSS requirements on an ongoing basis to help you reduce PCI scope and maintain a strong cybersecurity stance.
Download Our PCI DSS Checklist
Assess where your organization currently stands with being PCI DSS compliant by completing this checklist. Upon filling out this brief form you will receive the checklist via email.
