Requirement 9: Restrict physical access to cardholder data
Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted.
9.1 Use appropriate facility entry controls to limit and monitor physical access to systems that store, process, or transmit cardholder data.
9.1.1 Use cameras to monitor sensitive areas. Audit collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.
9.1.2 Restrict physical access to publicly accessible network jacks.
9.1.3 Restrict physical access to wireless access points, gateways, and handheld devices.
9.2 Develop procedures to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder data is accessible. "Employee" refers to full-time and part-time employees, temporary employees and personnel, and consultants who are "resident" on the entity's site. A "visitor" is defined as a vendor, guest of an employee, service personnel, or anyone who needs to enter the facility for a short duration, usually not more than one day.
9.3 Make sure all visitors are handled as follows:
9.3.1 Authorized before entering areas where cardholder data is processed or maintained.
9.3.2 Given a physical token (for example, a badge or access device) that expires and that identifies the visitors as non-employees.
9.3.3 Asked to surrender the physical token before leaving the facility or at the date of expiration.
9.4 Use a visitor log to maintain a physical audit trail of visitor activity. Retain this log for a minimum of three months, unless otherwise restricted by law.
9.5 Store media back-ups in a secure location, preferably in an off-site facility, such as an alternate or backup site, or a commercial storage facility.
9.6 Physically secure all paper and electronic media (including computers, electronic media, networking and communications hardware, telecommunication lines, paper receipts, paper reports, and faxes) that contain cardholder data.
9.7 Maintain strict control over the internal or external distribution of any kind of media that contains cardholder data including the following:
9.7.1 Classify the media so it can be identified as confidential.
9.7.2 Send the media by secured courier or other delivery method that can be accurately tracked.
9.8 Ensure management approves any and all media that is moved from a secured area (especially when media is distributed to individuals).
9.9 Maintain strict control over the storage and accessibility of media that contains cardholder data.
9.9.1 Properly inventory all media and make sure it is securely stored.
9.10 Destroy media containing cardholder data when it is no longer needed for business or legal reasons as follows:
9.10.1 Cross-cut shred, incinerate, or pulp hardcopy materials.
9.10.2 Purge, degauss, shred, or otherwise destroy electronic media so that cardholder data cannot be reconstructed.