Digital security controls protect against remote attacks, but cardholder data can also be compromised physically — through unauthorized access to server rooms, theft of storage media, installation of card skimming devices on payment terminals, or physical access to workstations in the CDE. Requirement 9 addresses all forms of physical threat to the CDE.
Physical Access Controls to CDE Facilities
Areas where cardholder data is processed or stored — server rooms, data centers, network equipment rooms, and anywhere that CHD on paper or digital media exists — must be protected with physical access controls that restrict and monitor entry.
| Physical Control Type | Requirements | Evidence for QSA |
|---|---|---|
| Entry control systems | Badge readers, PIN pads, biometrics, or security guards at CDE access points | Access logs, badge system configuration, visitor logs |
| Visitor management | Visitors must be authorized, badged differently from employees, and escorted | Visitor log with entry/exit times, badge policies |
| Badge and access review | Access rights to physical CDE areas reviewed quarterly | Review records signed by responsible manager |
| Video surveillance | Cameras at all CDE entry/exit points and sensitive areas | Camera placement documentation, retention policy (90 days minimum) |
| Media storage | Sensitive media must be stored in physically secure, locked storage | Physical security inspection, media inventory |
Media Protection and Destruction
Physical media containing CHD — hard drives, backup tapes, USB drives, printed reports — must be protected throughout their lifecycle and destroyed securely when no longer needed.
- All physical media containing CHD must be classified and inventoried
- Media sent outside the facility must be sent with documented authorization and tracked via secure courier
- Hard drives and other storage media must be destroyed using NIST 800-88 compliant methods before disposal
- Paper media containing CHD must be cross-cut shredded, burned, or rendered unreadable by a certified destruction service
- Destruction must be documented — certificates of destruction maintained
Point of Interaction (POI) Device Security
Payment terminals (POI devices) at physical checkout locations are a prime target for card skimming attacks. Criminals install hardware skimmers inside or over legitimate payment terminals to capture magnetic stripe data, PINs, and track data. Requirement 9 contains specific requirements for POI device management.
POI Device Inventory
All POI devices in the CDE must be inventoried with model, serial number, location, and assigned user. The inventory must be reviewed at least annually and updated whenever devices are moved, added, or replaced.
POI Inspection Program
Personnel working at checkout locations must be trained to inspect POI devices periodically (at least once per 3 months). Inspections should look for: tampering (broken seals, adhesive residue, unusual attachments), substituted devices (serial number doesn't match inventory), and attached skimming overlays.
Training Personnel
All personnel who interact with POI devices must be trained on: recognizing signs of tampering, procedures to follow if tampering is suspected, and how to verify device identity before accepting a replacement.
IMPORTANT: Card skimming at POI devices remains one of the most financially impactful forms of card fraud globally. In Indonesia, ATM and POS skimming incidents have been documented across major banks and retailers. The POI inspection program — while seemingly simple — has demonstrably reduced skimming incidents at organizations that implement it rigorously.

For Indonesian banks and retailers with large POI device estates across hundreds of branches, the physical inspection requirement is operationally significant. We recommend building the inspection log directly into the branch security checklist and using tamper-evident seals with unique serial numbers to make verification faster and more reliable.
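As an added example (not part of the original article), the following Python script reconciles a branch inspection log against the POI inventory described above: it flags serial-number mismatches (a possible substituted device), tamper-seal mismatches, reported tampering, inspections older than the quarterly cadence, and terminals that appear at a counter but were never inventoried. The device labels, serial numbers and seal numbers are constructed sample data, and the 90-day window is an assumption standing in for "at least once per 3 months".

```python
from datetime import date, timedelta

MAX_INSPECTION_AGE = timedelta(days=90)  # assumed cadence: at least once per 3 months

# Constructed sample data (hypothetical labels, serials and seal numbers).
# INVENTORY is the POI inventory of record; INSPECTIONS are entries from the
# branch inspection log, keyed by the terminal label staff see at the counter.
INVENTORY = {
    "BR01-T1": {"model": "VX520", "serial": "SN-1001", "seal": "TS-9001"},
    "BR01-T2": {"model": "VX520", "serial": "SN-1002", "seal": "TS-9002"},
    "BR02-T1": {"model": "IPP350", "serial": "SN-2001", "seal": "TS-9003"},
    "BR02-T2": {"model": "IPP350", "serial": "SN-2002", "seal": "TS-9004"},
}
INSPECTIONS = [
    {"label": "BR01-T1", "serial": "SN-1001", "seal": "TS-9001", "date": date(2024, 5, 20), "tamper": False},
    # serial read off the device differs from the inventory: possible substituted device
    {"label": "BR01-T2", "serial": "SN-1099", "seal": "TS-9002", "date": date(2024, 5, 20), "tamper": False},
    # seal number differs and staff noted adhesive residue on the housing
    {"label": "BR02-T1", "serial": "SN-2001", "seal": "TS-9777", "date": date(2024, 5, 21), "tamper": True},
    # terminal in use at a counter but never added to the inventory
    {"label": "BR03-T1", "serial": "SN-3001", "seal": "TS-9900", "date": date(2024, 5, 22), "tamper": False},
    # BR02-T2 has no inspection entry at all
]

def reconcile(inventory, inspections, today):
    """Compare the latest inspection per terminal against the inventory of
    record and return (label, finding) pairs that need follow-up."""
    latest = {}
    for rec in inspections:  # keep only the most recent entry per label
        if rec["label"] not in latest or rec["date"] > latest[rec["label"]]["date"]:
            latest[rec["label"]] = rec
    findings = []
    for label, dev in inventory.items():
        rec = latest.get(label)
        if rec is None:
            findings.append((label, "no inspection on record"))
            continue
        if today - rec["date"] > MAX_INSPECTION_AGE:
            findings.append((label, "inspection overdue"))
        if rec["serial"] != dev["serial"]:
            findings.append((label, f"serial mismatch: inventory {dev['serial']}, observed {rec['serial']}"))
        if rec["seal"] != dev["seal"]:
            findings.append((label, f"seal mismatch: inventory {dev['seal']}, observed {rec['seal']}"))
        if rec["tamper"]:
            findings.append((label, "tampering indicators reported"))
    for label in latest:  # anything inspected that the inventory does not know about
        if label not in inventory:
            findings.append((label, "inspected device not in inventory"))
    return findings
```

Each finding maps to a follow-up the page already calls for: verifying device identity before accepting it, refreshing the inventory, or escalating suspected tampering.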