PCI Physical Security

When it comes to PCI DSS compliance, it can be a daunting task to keep your business in line with ever-changing compliance standards.

That does not excuse you from attempting to be as compliant as possible. One of the most-overlooked steps in compliance is the physical access requirements set by the PCI DSS documentation. Below, we’ll outline a few tips to secure physical access and get you on the path to protecting yourself from breaches.

Lock up

The first place to begin securing data is the office in which the computer that processes and stores credit card data resides. Make sure that the space you have selected for your office area includes a lockable door. Ideally, a keypad or card swipe would be used to access this door, but it must be kept locked at all times. Keep in mind that compliance standards are not completely arbitrary, but are, rather, designed to keep data secure and to track those who do have access to this data. In addition to a lockable door and an access method which, in a perfect world, would log the individuals who access the office space by name and time of entry.


To further secure the data and track users who have access to the credit card-centric computer, it is recommended that security cameras be installed and trained on this computer to record every user who accesses the computer. Essentially, should there be a breach of your credit card data, you must be able to provide information regarding who has accessed the computer and when the individual accessed the information. Obviously, having a camera surveillance system represents several uses, but, should you have an existing system, ensure that at least one of those cameras has an unobstructed view of the office. Additionally, should no camera system exist currently, it may be worth your while to explore the purchase of such a system with an eye towards PCI compliance standards.

Your Network

Credit CardOutside the office, any computer networked with the credit card machine should likewise be secured. There are software-related security measures to consider, but, as we are just discussing physical setup requirements, we’ll leave those for another day. The terminals or computers networked with the credit card machine must have limited access, just like the office itself. USB ports should be disabled, preventing a potential data thief from inserting malware of spying software through these access points. Also, the network connections themselves must be secured. The network cable which runs from the terminal or computer to the network hub or switch has to be protected. Many use a box with a lock to cover plates with network connections, and seal the terminal connection so that it may not be easily removed. Regardless, the exposed network port provides a way for a potential thief to connect to the network and steal data straight from the credit card-processing pc.

PCI compliance is a complicated and ever-changing goal, but by examining the physical layout of your business, and thinking, for a moment, like someone who wants to steal your data, you can pinpoint areas of potential thievery quickly. By examining your business with an idea of limiting and tracking those who have access to your network and secure data, you can avoid many of the common PCI pitfalls.

Related Articles

How Credit Card Processing Works (And What You’re Paying For)
Securing the Store: How Your POS System Can Make Your Data Safer!
Decoding PCI Compliance: First Steps

Related Videos