3.12 Requirement 9

Video Activity

Join over 3 million cybersecurity professionals advancing their career

Required fields are marked with an *

View all SSO options

Already have an account? Sign In »

PCI DSS: Payment Card Industry Data Security Standard

Course

Time

3 hours 37 minutes

Difficulty

Beginner

CEU/CPE

Video Transcription

00:00

welcome to the cyber ery demystifying PC idea says compliance course,

00:06

this model will focus on the goals of the P. C. I. D. S s and the requirements associated with it.

00:13

This video introduces you to requirement night.

00:16

We'll talk about the requirement and the nuances associated with how do you handle physical security within the CD?

00:24

The learning objective of this video is to discuss how to implement physical security controls of the CD.

00:32

The requirement nine Group is all about physical security.

00:36

There's an old adage when it comes to protecting systems.

00:39

If the adversary has physical access to your device, the adversary has total access to your device,

00:45

and that is pretty much true.

00:47

Most security controls air rendered ineffective If the bad guy can physically control your system.

00:53

So the P C I s S C has come up with a number of standards for merchants to implement physical barriers to protect systems.

01:03

So requirement 911 is a little ambiguous.

01:07

What's considered to be a sensitive area

01:10

PC? I defined sensitive areas as any data center, server room or any area that houses systems that store process or transmit cardholder data.

01:19

Note that This excludes areas where only point of sale terminals are present, such as the cashier areas of a retail store.

01:27

This exclusion was included to recognize that set controls may not be practical or permitted in public basing areas where cardholders air using their own payment cards.

01:38

The purpose of the 911 requirement is to ensure that all entry and exit points the sensitive areas are controlled and monitored,

01:46

and that all individuals who physically access the area are identified.

01:52

So the access control mechanism needs to be one where you contract who is entering the identified sensitive areas.

01:57

Typically, this is in the form of a badge reader of some type.

02:05

If you have physical network Jax that can be accessed by the public, you need to take measures to disable them.

02:10

This could be at the switch port layer or just unplugging the jacket. The network closets.

02:15

You do not want to allow an attacker. Thio have potential unfettered access to the CD.

02:23

The same logic applies to 93 or 913

02:27

If an attacker could just plug into your network devices or the wireless access points, you could circumvent a lot of lot of your security controls.

02:36

Access points should be physically protected from someone potentially plugging directly into it.

02:40

Just put your access point in places that is not easily accessible to an attacker.

02:49

Physically protecting your environment relies heavily on proper training and procedures.

02:53

Training will have a recurring theme throughout. Requirement not,

02:58

it begins by putting in place, processes toe, identify personnel and outsiders and then training your staff to be able to quickly differentiate them.

03:07

Then you will be able to quickly tell if someone is doing things in your environment that they shouldn't be doing.

03:12

An auditor will just be looking to see that you have these processes in place. But crack best practice dictates that you have these badges in such a way that it will be difficult to copy or circumvent.

03:23

Relocation of access is important.

03:25

A terminate employees should not be able to maintain his or her batch.

03:30

An employee should not be able to quickly to turn or should be able to quickly determine if the visitor has overstayed the welcome or is in a place that they shouldn't be.

03:40

Much like the requirements in the identity management section, each employee must be explicitly greater access to sensitive areas based on job functions.

03:51

The auditor will be reviewing your processes and then validate that you are following them.

03:55

A lot of merchants failed the relocation portion of access rights because the system's tied to user account often aren't attached to physical access systems,

04:05

so organizations often forget to do both.

04:12

In all sensitive areas, visitors need to be escorted

04:15

as mentioned earlier. Visitors need to be given some identification that quickly identifies them as a visitor and has some method of expiration.

04:25

You need to collect the temporary badges, given the visitors before they leave or at the time of expiration,

04:30

and you must maintain a visitor log that is maintained for at least three months.

04:39

You must have in place processes and procedures around the security of your physical media's and backup

04:45

sensitive data could reside on your media and need to be protected as such.

04:48

Offsite storage of backups is not required, but preferred.

04:53

As long as you're able to physically protect your systems,

04:57

protect your backups, then it's fine.

05:00

Make sure you document that you have reviewed your policy every year.

05:06

The maintaining of the distribution of media requirements is relatively straightforward.

05:13

You need to classify your media so that the nature of the data can be determined, and it is not access by anyone who does not have explicit authorization.

05:20

If your ship your media, it needs to be tracked.

05:24

Also, any distribution of media needs to be explicitly approved.

05:31

Maybe you need to be able to track all of your media so that you can provide adequate protection for it all.

05:39

Also, if media has lost, that could be accounted for more quickly, and you'll be able to put in place a process to protect yourself from its potential disclosure.

05:50

You also need to be able to securely destroy media that could potentially hold cardholder data.

05:57

You need to be able to use means of destruction that make it infeasible to put the information back together.

06:02

So for a shredder, it needs to be a cross cut at a minimum.

06:06

For digital data, secure wiping software de grousing sufficient destruction of the media is acceptable.

06:18

The 99 grouping is to protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution

06:28

requirement 991

06:30

You can't physically protect something if you can't account for.

06:33

You can't protect it physically or otherwise. If you don't know where it or what it ISS,

06:39

you need to be able to account for all of the devices in your environment.

06:44

PC I mandates that you at least track the make model location and serial number or unique identifying of each of these devices.

06:53

Auditors will be taken a sample of devices in the environment to verify that you're tracking them in inventory.

07:00

Auditors will interview personnel to verify the list of devices is updated when devices are added, relocated, decommissioned et cetera.

07:11

Many breaches occur because adversary was able to compromise the physical devices, scanners, card readers, etcetera.

07:18

You should have in place processes to regularly check for tampering of your devices.

07:26

The 993 requirement is again about training.

07:30

Your staff needs to know what to do in all types of scenarios where an attacker may be trying to exploit the people.

07:36

The training typically happens annually, and that is enough for the requirement. But really to be ongoing,

07:44

they should be able to identify suspicious behavior and know what to do. In response to that

07:51

and the final requirement of this group is document document document.

07:55

All of your policies and procedures need to be put in writing and deliver to all those that are impacted.

08:03

So in summary, we discussed all of the mandates associated with PC I. Requirement nine

08:07

Requirement nine is all about how to physically secure your CD and training your personnel on howto handle adversaries who may be trying to infiltrate in the environment.

08:18

Okay, quick quiz.

08:20

How long should you store recorded footage from video cameras?

08:24

A. Three months

08:26

Be two months

08:28

C 12 months

08:30

D six months.