Framework № PCI DSS 4.0.1 от 11.06.2024

9.1.1
Defined Approach Requirements: 
All security policies and operational procedures that are identified in Requirement 9 are: 

Customized Approach Objective:
Expectations, controls, and oversight for meeting activities within Requirement 9 are defined and adhered to by affected personnel. All supporting activities are repeatable, consistently applied, and conform to management’s intent. 

Defined Approach Testing Procedures:

Purpose:
Requirement 9.1.1 is about effectively managing and maintaining the various policies and procedures specified throughout Requirement 9. While it is important to define the specific policies or procedures called out in Requirement 9, it is equally important to ensure they are properly documented, maintained, and disseminated. 

Good Practice:
It is important to update policies and procedures as needed to address changes in processes, technologies, and business objectives. For this reason, consider updating these documents as soon as possible after a change occurs and not only on a periodic cycle. 

Definitions:
Security policies define the entity’s security objectives and principles. Operational procedures describe how to perform activities, and define the controls, methods, and processes that are followed to achieve the desired result in a consistent manner and in accordance with policy objectives. 
Policies and procedures, including updates, are actively communicated to all affected personnel, and are supported by operating procedures describing how to perform activities. 

9.1.2
Defined Approach Requirements: 
Roles and responsibilities for performing activities in Requirement 9 are documented, assigned, and understood. 

Customized Approach Objective:
Day-to-day responsibilities for performing all the activities in Requirement 9 are allocated. Personnel are accountable for successful, continuous operation of these requirements. 

Defined Approach Testing Procedures:

Purpose:
If roles and responsibilities are not formally assigned, personnel may not be aware of their day-to-day responsibilities, and critical activities may not occur. 

Good Practice:
Roles and responsibilities may be documented within policies and procedures or maintained within separate documents. 
As part of communicating roles and responsibilities, entities can consider having personnel acknowledge their acceptance and understanding of their assigned roles and responsibilities. 
A method to document roles and responsibilities is a responsibility assignment matrix that includes who is responsible, accountable, consulted, and informed (also called a RACI matrix) 

9.2.1
Defined Approach Requirements: 
Appropriate facility entry controls are in place to restrict physical access to systems in the CDE. 

Customized Approach Objective:
System components in the CDE cannot be physically accessed by unauthorized personnel. 

Applicability Notes:
This requirement does not apply to locations that are publicly accessible by consumers (cardholders). 

Defined Approach Testing Procedures:

Purpose:
Without physical access controls, unauthorized persons could potentially gain access to the CDE and sensitive information, or could alter system configurations, introduce vulnerabilities into the network, or destroy or steal equipment. Therefore, the purpose of this requirement is that physical access to the CDE is controlled via physical security controls such as badge readers or other mechanisms such as lock and key. 

Good Practice:
Whichever mechanism meets this requirement, it must be sufficient for the organization to verify that only authorized personnel are granted access. 

Examples:
Facility entry controls include physical security controls at each computer room, data center, and other physical areas with systems in the CDE. It can also include badge readers or other devices that manage physical access controls, such as lock and key with a current list of all individuals holding the keys. 

9.2.1.1
Defined Approach Requirements: 
Individual physical access to sensitive areas within the CDE is monitored with either video cameras or physical access control mechanisms (or both) as follows: 

Customized Approach Objective:
Trusted, verifiable records are maintained of individual physical entry to, and exit from, sensitive areas. 

Defined Approach Testing Procedures:

Purpose:
Maintaining details of individuals entering and exiting the sensitive areas can help with investigations of physical breaches by identifying individuals that physically accessed the sensitive areas, as well as when they entered and exited. 

Good Practice:
Whichever mechanism meets this requirement, it should effectively monitor all entry and exit points to sensitive areas. 
Criminals attempting to gain physical access to sensitive areas will often try to disable or bypass the monitoring controls. To protect these controls from tampering, video cameras could be positioned so they are out of reach and/or be monitored to detect tampering. Similarly, physical access control mechanisms could be monitored or have physical protections installed to prevent them from being damaged or disabled by malicious individuals. 

9.2.2
Defined Approach Requirements: 
Physical and/or logical controls are implemented to restrict use of publicly accessible network jacks within the facility. 

Customized Approach Objective:
Unauthorized devices cannot connect to the entity’s network from public areas within the facility 

Defined Approach Testing Procedures:

Purpose:
Restricting access to network jacks (or network ports) will prevent malicious individuals from plugging into readily available network jacks and gaining access to the CDE or systems connected to the CDE. 

Good Practice:
Whether logical or physical controls, or a combination of both, are used, they should prevent an individual or device that is not explicitly authorized from being able to connect to the network. 

Examples:
Methods to meet this requirement include network jacks located in public areas and areas accessible to visitors could be disabled and only enabled when network access is explicitly authorized. Alternatively, processes could be implemented to ensure that visitors are escorted at all times in areas with active network jacks. 

9.2.3
Defined Approach Requirements: 
Physical access to wireless access points, gateways, networking/communications hardware, and telecommunication lines within the facility is restricted. 

Customized Approach Objective:
Physical networking equipment cannot be accessed by unauthorized personnel. 

Defined Approach Testing Procedures:

Purpose:
Without appropriate physical security over access to wireless components and devices, and computer networking and telecommunications equipment and lines, malicious users could gain access to the entity’s network resources. Additionally, they could connect their own devices to the network to gain unauthorized access to the CDE or systems connected to the CDE. 
Additionally, securing networking and communications hardware prevents malicious users from intercepting network traffic or physically connecting  their own devices to wired network resources. 

9.2.4
Defined Approach Requirements: 
Access to consoles in sensitive areas is restricted via locking when not in use. 

Customized Approach Objective:
Physical consoles within sensitive areas cannot be used by unauthorized personnel. 

Defined Approach Testing Procedures:

Purpose:
Locking console login screens prevents unauthorized persons from gaining access to sensitive information, altering system configurations, introducing vulnerabilities into the network, or destroying records. 

9.3.1
Defined Approach Requirements: 
Procedures are implemented for authorizing and managing physical access of personnel to the CDE, including:

Customized Approach Objective:
Requirements for access to the physical CDE are defined and enforced to identify and authorize personnel. 

Defined Approach Testing Procedures:

Purpose:
Establishing procedures for granting, managing, and removing access when it is no longer needed ensures non-authorized individuals are prevented from gaining access to areas containing cardholder data. In addition, it is important to limit access to the actual badging system and badging materials to prevent unauthorized personnel from making their own badges and/or setting up their own access rules. 

Good Practice:
It is important to visually identify the personnel that are physically present, and whether the individual is a visitor or an employee. 

Examples:
One way to identify personnel is to assign them badges. 

9.3.1.1
Defined Approach Requirements: 
 Physical access to sensitive areas within the CDE for personnel is controlled as follows: 

Customized Approach Objective:
Sensitive areas cannot be accessed by unauthorized personnel. 

Defined Approach Testing Procedures:

Purpose:
Controlling physical access to sensitive areas helps ensure that only authorized personnel with a legitimate business need are granted access. 

Good Practice:
Where possible, organizations should have policies and procedures to ensure that before personnel leaving the organization, all physical access mechanisms are returned, or disabled as soon as possible upon their departure. This will ensure personnel cannot gain physical access to sensitive areas once their employment has ended. 

9.3.2
Defined Approach Requirements: 
Procedures are implemented for authorizing and managing visitor access to the CDE, including:

Customized Approach Objective:
Requirements for visitor access to the CDE are defined and enforced. Visitors cannot exceed any authorized physical access allowed while in the CDE. 

Defined Approach Testing Procedures:

Purpose:
Visitor controls are important to reduce the ability of unauthorized and malicious persons to gain access to facilities and potentially to cardholder data. 
Visitor controls ensure visitors are identifiable as visitors so personnel can monitor their activities, and that their access is restricted to just the duration of their legitimate visit. 

9.3.3
Defined Approach Requirements: 
Visitor badges or identification are surrendered or deactivated before visitors leave the facility or at the date of expiration. 

Customized Approach Objective:
Visitor identification or badges cannot be reused after expiration. 

Defined Approach Testing Procedures:

Purpose:
Ensuring that visitor badges are returned or deactivated upon expiry or completion of the visit prevents malicious persons from using a previously authorized pass to gain physical access into the building after the visit has ended. 

9.3.4
Defined Approach Requirements: 
Visitor logs are used to maintain a physical record of visitor activity both within the facility and within sensitive areas, including:

Customized Approach Objective:
 Records of visitor access that enable the identification of individuals are maintained. 

Defined Approach Testing Procedures:

Purpose:
A visitor log documenting minimum information about the visitor is easy and inexpensive to maintain. It will assist in identifying historical physical access to a building or room and potential access to cardholder data. 

Good Practice:
When logging the date and time of visit, including both in and out times is considered a best practice, since it provides helpful tracking information and provides assurance that a visitor has left at the end of the day. It is also good to verify that a visitor’s ID (driver’s license, etc.) matches the name they put on the visitor log. 

9.4.1
Defined Approach Requirements: 
All media with cardholder data is physically secured. 

Customized Approach Objective:
Media with cardholder data cannot be accessed by unauthorized personnel. 

Defined Approach Testing Procedures:

Purpose:
Controls for physically securing media are intended to prevent unauthorized persons from gaining access to cardholder data on any media. Cardholder data is susceptible to unauthorized viewing, copying, or scanning if it is unprotected while it is on removable or portable media, printed out, or left on someone’s desk. 

9.4.1.1
Defined Approach Requirements: 
Offline media backups with cardholder data are stored in a secure location. 

Customized Approach Objective:
Offline backups cannot be accessed by unauthorized personnel. 

Defined Approach Testing Procedures:

Purpose:
If stored in a non-secured facility, backups containing cardholder data may easily be lost, stolen, or copied for malicious intent. 

Good Practice:
For secure storage of backup media, a good practice is to store media in an off-site facility, such as an alternate or backup site or commercial storage facility. 

9.4.1.2
Defined Approach Requirements: 
The security of the offline media backup location(s) with cardholder data is reviewed at least once every 12 months. 

Customized Approach Objective:
The security controls protecting offline backups are verified periodically by inspection. 

Defined Approach Testing Procedures:

Purpose:
Conducting regular reviews of the storage facility enables the organization to address identified security issues promptly, minimizing the potential risk. It is important for the entity to be aware of the security of the area where media is being stored. 

9.4.2
Defined Approach Requirements: 
All media with cardholder data is classified in accordance with the sensitivity of the data 

Customized Approach Objective:
Media are classified and protected appropriately. 

Defined Approach Testing Procedures:

Purpose:
Media not identified as confidential may not be adequately protected or may be lost or stolen. 

Good Practice:
It is important that media be identified such that its classification status is apparent. This does not mean however that the media needs to have a “confidential” label. 

9.4.3
Defined Approach Requirements: 
 Media with cardholder data sent outside the facility is secured as follows:

Customized Approach Objective:
Media is secured and tracked when transported outside the facility. 

Defined Approach Testing Procedures:

Purpose:
Media may be lost or stolen if sent via a nontrackable method such as regular postal mail. The use of secure couriers to deliver any media that contains cardholder data allows organizations to use their tracking systems to maintain inventory and location of shipments. 

9.4.4
Defined Approach Requirements: 
Management approves all media with cardholder data that is moved outside the facility (including when media is distributed to individuals). 

Customized Approach Objective:
Media cannot leave a facility without the approval of accountable personnel. 

Applicability Notes:
Individuals approving media movements should have the appropriate level of management authority to grant this approval. However, it is not specifically required that such individuals have “manager” as part of their title. 

Defined Approach Testing Procedures:

Purpose:
Without a firm process for ensuring that all media movements are approved before the media is removed from secure areas, the media would not be tracked or appropriately protected, and its location would be unknown, leading to lost or stolen media. 

9.4.5
Defined Approach Requirements: 
Inventory logs of all electronic media with cardholder data are maintained. 

Customized Approach Objective:
Accurate inventories of stored electronic media are maintained. 

Defined Approach Testing Procedures:

Purpose:
Without careful inventory methods and storage controls, stolen or missing electronic media could go unnoticed for an indefinite amount of time. 

9.4.5.1
Defined Approach Requirements: 
Inventories of electronic media with cardholder data are conducted at least once every 12 months. 

Customized Approach Objective:
Media inventories are verified periodically. 

Defined Approach Testing Procedures:

Purpose:
Without careful inventory methods and storage controls, stolen or missing electronic media could go unnoticed for an indefinite amount of time. 

9.4.6
Defined Approach Requirements: 
Hard-copy materials with cardholder data are destroyed when no longer needed for business or legal reasons, as follows:

Customized Approach Objective:
Cardholder data cannot be recovered from media that has been destroyed or which is pending destruction. 

Applicability Notes:
These requirements for media destruction when that media is no longer needed for business or legal reasons are separate and distinct from PCI DSS Requirement 3.2.1, which is for securely deleting cardholder data when no longer needed per the entity’s cardholder data retention policies. 

Defined Approach Testing Procedures:

Purpose:
If steps are not taken to destroy information contained on hard-copy media before disposal, malicious individuals may retrieve information from the disposed media, leading to a data compromise. For example, malicious individuals may use a technique known as “dumpster diving,” where they search through trashcans and recycle bins looking for hard-copy materials with information they can use to launch an attack. 
Securing storage containers used for materials that are going to be destroyed prevents sensitive information from being captured while the materials are being collected. 

Good Practice:
Consider “to-be-shredded” containers with a lock that prevents access to its contents or that physically prevent access to the inside of the container. 

Further Information:
See NIST Special Publication 800-88, Revision 1: Guidelines for Media Sanitization. 

9.4.7
Defined Approach Requirements: 
Electronic media with cardholder data is destroyed when no longer needed for business or legal reasons via one of the following:

Customized Approach Objective:
Cardholder data cannot be recovered from media that has been erased or destroyed. 

Applicability Notes:
These requirements for media destruction when that media is no longer needed for business or legal reasons are separate and distinct from PCI DSS Requirement 3.2.1, which is for 
securely deleting cardholder data when no longer needed per the entity’s cardholder data retention policies. 

Defined Approach Testing Procedures:

Purpose:
If steps are not taken to destroy information contained on electronic media when no longer needed, malicious individuals may retrieve information from the disposed media, leading to a data compromise. For example, malicious individuals may use a technique known as “dumpster diving,” where they search through trashcans and recycle bins looking for information they can use to launch an attack. 

Good Practice:
The deletion function in most operating systems allows deleted data to be recovered, so instead, a dedicated secure deletion function or application should be used to make data unrecoverable. 

Examples:
Methods for securely destroying electronic media include secure wiping in accordance with industry-accepted standards for secure deletion, degaussing, or physical destruction (such as grinding or shredding hard disks). 

Further Information:
See NIST Special Publication 800-88, Revision 1: Guidelines for Media Sanitization 

9.5.1
Defined Approach Requirements: 
POI devices that capture payment card data via direct physical interaction with the payment card form factor are protected from tampering and unauthorized substitution, including the following:

Customized Approach Objective:
The entity has defined procedures to protect and manage point of interaction devices. Expectations, controls, and oversight for the management and protection of POI devices are defined and adhered to by affected personnel. 

Applicability Notes:
These requirements apply to deployed POI devices used in card-present transactions (that is, a payment card form factor such as a card that is swiped, tapped, or dipped). These requirements do not apply to:

Defined Approach Testing Procedures:

Purpose:
Criminals attempt to steal payment card data by stealing and/or manipulating card-reading devices and terminals. Criminals will try to steal devices so they can learn how to break into them, and they often try to replace legitimate devices with fraudulent devices that send them payment card data every time a card is entered. 
They will also try to add “skimming” components to the outside of devices, which are designed to capture payment card data before it enters the device—for example, by attaching an additional card reader on top of the legitimate card reader so that the payment card data is captured twice: once by the criminal’s component and then by the device’s legitimate component. In this way, transactions may still be completed without interruption while the criminal is “skimming” the payment card data during the process. 

Good Practice:
Entities may consider implementing protection from tampering and unauthorized substitution for: 

Further Information: 
Additional best practices on skimming prevention are available on the PCI SSC website. 

9.5.1.1
Defined Approach Requirements: 
An up-to-date list of POI devices is maintained, including:

Customized Approach Objective:
The identity and location of POI devices is recorded and known at all times. 

Defined Approach Testing Procedures:

Purpose:
Keeping an up-to-date list of POI devices helps an organization track where devices are supposed to be and quickly identify if a device is missing or lost. 

Good Practice:
The method for maintaining a list of devices may be automated (for example, a devicemanagement system) or manual (for example, documented in electronic or paper records). For on-the-road devices, the location may include the name of the personnel to whom the device is assigned. 

Examples:
Methods to maintain device locations include identifying the address of the site or facility where the device is located. 

9.5.1.2
Defined Approach Requirements: 
POI device surfaces are periodically inspected to detect tampering and unauthorized substitution. 

Customized Approach Objective:
Point of Interaction Devices cannot be tampered with, substituted without authorization, or have skimming attachments installed without timely detection. 
Defined Approach Testing Procedures:

Purpose:
Regular inspections of devices will help organizations detect tampering more quickly via external evidence—for example, the addition of a card skimmer—or replacement of a device, thereby minimizing the potential impact of using fraudulent devices. 

Good Practice:
Methods for periodic inspection include checking the serial number or other device characteristics and comparing the information to the list of POI devices to verify the device has not been swapped with a fraudulent device. 

Examples:
The type of inspection will depend on the device. For instance, photographs of devices known to be secure can be used to compare a device’s current appearance with its original appearance to see whether it has changed. Another option may be to use a secure marker pen, such as a UV light marker, to mark device surfaces and device openings so any tampering or replacement will be apparent. Criminals will often replace the outer casing of a device to hide their tampering, and these methods may help to detect such activities. Device vendors may also provide security guidance and “how to” guides to help determine whether the device has been subject to tampering. 
Signs that a device might have been tampered with or substituted include:

9.5.1.2.1
Defined Approach Requirements: 
The frequency of periodic POI device inspections and the type of inspections performed is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. 

Customized Approach Objective:
POI devices are inspected at a frequency that addresses the entity’s risk. 

Applicability Notes:
This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment. 

Defined Approach Testing Procedures:

Purpose:
Entities are best placed to determine the frequency of POI device inspections based on the environment in which the device operates. 

Good Practice:
The frequency of inspections will depend on factors such as the location of a device and whether the device is attended or unattended. For example, devices left in public areas without supervision by the organization’s personnel might have more frequent inspections than devices kept in secure areas or supervised when accessible to the public. In addition, many POI vendors include guidance in their user documentation about how often POI devices should be checked, and for what – entities should consult their vendors’ documentation and incorporate those recommendations into their periodic inspections. 

9.5.1.3
Defined Approach Requirements: 
Training is provided for personnel in POI environments to be aware of attempted tampering or replacement of POI devices, and includes:

Customized Approach Objective:
Personnel are knowledgeable about the types of attacks against POI devices, the entity’s technical and procedural countermeasures, and can access assistance and guidance when required. 

Defined Approach Testing Procedures:

Purpose:
Criminals will often pose as authorized maintenance personnel to gain access to POI devices. 

Good Practice:
Personnel training should include being alert to and questioning anyone who shows up to do POI maintenance to ensure they are authorized and have a valid work order, including any agents, maintenance or repair personnel, technicians, service providers, or other third parties. All third parties requesting access to devices should always be verified before being provided access—for example, by checking with management or phoning the POI maintenance company, such as the vendor or acquirer, for verification. Many criminals will try to fool personnel by dressing for the part (for example, carrying toolboxes and dressed in work apparel), and could also be knowledgeable about locations of devices, so personnel should be trained to always follow procedures. 
Another trick that criminals use is to send a “new” POI device with instructions for swapping it with a legitimate device and “returning” the legitimate device. The criminals may even provide return postage to their specified address. Therefore, personnel should always verify with their manager or supplier that the device is legitimate and came from a trusted source before installing it or using it for business. 

Examples:
Suspicious behavior that personnel should be aware of includes attempts by unknown persons to unplug or open devices. 
Ensuring personnel are aware of mechanisms for reporting suspicious behavior and who to report such behavior to—for example, a manager or security officer—will help reduce the likelihood and potential impact of a device being tampered with or substituted.