9.3.1
Defined Approach Requirements:
Procedures are implemented for authorizing and managing physical access of personnel to the CDE, including:
- Identifying personnel.
- Managing changes to an individual’s physical access requirements.
- Revoking or terminating personnel identification.
- Limiting access to the identification process or system to authorized personnel.
Customized Approach Objective:
Requirements for access to the physical CDE are defined and enforced to identify and authorize personnel.
Defined Approach Testing Procedures:
- 9.3.1.a Examine documented procedures to verify that procedures to authorize and manage physical access of personnel to the CDE are defined in accordance with all elements specified in this requirement.
- 9.3.1.b Observe identification methods, such as ID badges, and processes to verify that personnel in the CDE are clearly identified.
- 9.3.1.c Observe processes to verify that access to the identification process, such as a badge system, is limited to authorized personnel.
Purpose:
Establishing procedures for granting, managing, and removing access when it is no longer needed ensures non-authorized individuals are prevented from gaining access to areas containing cardholder data. In addition, it is important to limit access to the actual badging system and badging materials to prevent unauthorized personnel from making their own badges and/or setting up their own access rules.
Good Practice:
It is important to visually identify the personnel who are physically present, and to determine whether each individual is a visitor or an employee.
Examples:
One way to identify personnel is to assign them badges.