Framework № PCI DSS 4.0 от 01.03.2022

9.2.1
Defined Approach Requirements: 
Appropriate facility entry controls are in place to restrict physical access to systems in the CDE. 

Customized Approach Objective:
System components in the CDE cannot be physically accessed by unauthorized personnel. 

Defined Approach Testing Procedures:

Purpose:
Without physical access controls, unauthorized persons could potentially gain access to the CDE and sensitive information, or could alter system configurations, introduce vulnerabilities into the network, or destroy or steal equipment. Therefore, the purpose of this requirement is that physical access to the CDE is controlled via physical security controls such as badge readers or other mechanisms such as lock and key. 

Good Practice:
Whichever mechanism meets this requirement, it must be sufficient for the organization to verify that only authorized personnel are granted access. 

Examples:
Facility entry controls include physical security controls at each computer room, data center, and other physical areas with systems in the CDE. It can also include badge readers or other devices that manage physical access controls, such as lock and key with a current list of all individuals holding the keys. 

9.2.1.1
Defined Approach Requirements: 
Individual physical access to sensitive areas within the CDE is monitored with either video cameras or physical access control mechanisms (or both) as follows: 

Customized Approach Objective:
Trusted, verifiable records are maintained of individual physical entry to, and exit from, sensitive areas. 

Defined Approach Testing Procedures:

Purpose:
Maintaining details of individuals entering and exiting the sensitive areas can help with investigations of physical breaches by identifying individuals that physically accessed the sensitive areas, as well as when they entered and exited. 

Good Practice:
Whichever mechanism meets this requirement, it should effectively monitor all entry and exit points to sensitive areas. 
Criminals attempting to gain physical access to sensitive areas will often try to disable or bypass the monitoring controls. To protect these controls from tampering, video cameras could be positioned so they are out of reach and/or be monitored to detect tampering. Similarly, physical access control mechanisms could be monitored or have physical protections installed to prevent them from being damaged or disabled by malicious individuals. 

9.2.2
Defined Approach Requirements: 
Physical and/or logical controls are implemented to restrict use of publicly accessible network jacks within the facility. 

Customized Approach Objective:
Unauthorized devices cannot connect to the entity’s network from public areas within the facility 

Defined Approach Testing Procedures:

Purpose:
Restricting access to network jacks (or network ports) will prevent malicious individuals from plugging into readily available network jacks and gaining access to the CDE or systems connected to the CDE. 

Good Practice:
Whether logical or physical controls, or a combination of both, are used, they should prevent an individual or device that is not explicitly authorized from being able to connect to the network. 

Examples:
Methods to meet this requirement include network jacks located in public areas and areas accessible to visitors could be disabled and only enabled when network access is explicitly authorized. Alternatively, processes could be implemented to ensure that visitors are escorted at all times in areas with active network jacks. 

9.2.3
Defined Approach Requirements: 
Physical access to wireless access points, gateways, networking/communications hardware, and telecommunication lines within the facility is restricted. 

Customized Approach Objective:
Physical networking equipment cannot be accessed by unauthorized personnel. 

Defined Approach Testing Procedures:

Purpose:
Without appropriate physical security over access to wireless components and devices, and computer networking and telecommunications equipment and lines, malicious users could gain access to the entity’s network resources. Additionally, they could connect their own devices to the network to gain unauthorized access to the CDE or systems connected to the CDE. 
Additionally, securing networking and communications hardware prevents malicious users from intercepting network traffic or physically connecting  their own devices to wired network resources. 

9.2.4
Defined Approach Requirements: 
Access to consoles in sensitive areas is restricted via locking when not in use. 

Customized Approach Objective:
Physical consoles within sensitive areas cannot be used by unauthorized personnel. 

Defined Approach Testing Procedures:

Purpose:
Locking console login screens prevents unauthorized persons from gaining access to sensitive information, altering system configurations, introducing vulnerabilities into the network, or destroying records.