Once you know what systems you need to protect, put controls in place that can log and restrict access to them.
*This article was taken from our PCI Guide. For more information on this topic, download our free PCI Guide.*
Having electronic access on doors, using cameras to monitor all entries and exits to secure areas, implementing multiple levels of access based on a business need, and approving visitor/employee access are all standard controls for physical security.
Once you know what systems you need to protect, put controls in place that can log and restrict access to them (e.g., badge readers). A good risk assessment would determine an appropriate amount of money to spend on controls necessary to mitigate the identified risk. Something that companies often overlook is the access given to delivery personnel for a night drop. Do you know if that delivery person locked the doors when they left?
Today, you see more organizations hosting their systems in outsourced data centers. Data centers generally have great physical security because they pay attention to the basics. They use cameras to monitor all entries and exits, have multiple levels of access (e.g., lobby, mantrap, hallways, data floors, and cages) to segment physical areas and limit access only to individuals who have been authorized. They also use different levels of authentication requiring both badge and biometrics (e.g., fingerprint, retina) for access.
Digital IP-based cameras are becoming more common, making it easier and more cost-effective to deploy and monitor camera systems. These cameras can take snapshots of people and send those snapshots to security supervisors for verification.
It’s also necessary to protect card-swipe devices. Merchants must monitor these devices for tampering or complete replacement. Make sure attackers don’t substitute, bypass, or steal your terminal. You and your employees must know what the tamper properties are (e.g., seals, appearance, weight) and test them often. Security best practice is to mount devices with tamper-resistant stands, screws and tape. If you are using a validated P2PE solution, make sure to follow the physical security requirements located in the corresponding P2PE Instruction Manual.
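One way to make the "test them often" step repeatable is to record each terminal's tamper properties at installation and reconcile every inspection round against that baseline. The script below is an added example, not code from the PCI Guide; the terminal ids, serials, seal numbers, weights, field names and the 5 g weight tolerance are all constructed assumptions.

```python
"""Reconcile periodic card-swipe terminal inspections against a recorded baseline.

Constructed sample data; field names are assumptions, not a PCI-defined format.
"""

WEIGHT_TOLERANCE_G = 5.0  # assumed allowance for scale noise between inspections

# Baseline captured when each terminal was installed (constructed sample).
BASELINE = {
    "POS-01": {"serial": "SN1001", "seal": "SEAL-A1", "weight_g": 410.0},
    "POS-02": {"serial": "SN1002", "seal": "SEAL-B7", "weight_g": 412.5},
    "POS-03": {"serial": "SN1003", "seal": "SEAL-C3", "weight_g": 409.0},
}

# Latest inspection round (constructed sample). POS-03 was skipped;
# POS-02 shows a different seal number and a heavier device.
INSPECTIONS = [
    {"id": "POS-01", "serial": "SN1001", "seal": "SEAL-A1", "weight_g": 411.0},
    {"id": "POS-02", "serial": "SN1002", "seal": "SEAL-B9", "weight_g": 437.0},
]


def reconcile(baseline, inspections):
    """Return {terminal_id: [finding, ...]} for every discrepancy found."""
    findings = {}
    seen = set()
    for rec in inspections:
        tid = rec["id"]
        seen.add(tid)
        base = baseline.get(tid)
        if base is None:
            findings.setdefault(tid, []).append("unknown terminal id")
            continue
        if rec["serial"] != base["serial"]:
            findings.setdefault(tid, []).append("serial mismatch: possible substitution")
        if rec["seal"] != base["seal"]:
            findings.setdefault(tid, []).append("seal mismatch: possible tampering")
        if abs(rec["weight_g"] - base["weight_g"]) > WEIGHT_TOLERANCE_G:
            findings.setdefault(tid, []).append("weight outside tolerance: possible added hardware")
    # A terminal that was never inspected is itself a finding.
    for tid in baseline:
        if tid not in seen:
            findings.setdefault(tid, []).append("not inspected this round")
    return findings


if __name__ == "__main__":
    for tid, issues in sorted(reconcile(BASELINE, INSPECTIONS).items()):
        print(tid, "->", "; ".join(issues))
```

Any non-empty result should trigger a physical check of the terminal before it is used again.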
Lastly, it’s important to have good security training for your management and employees. Help them recognize malicious conduct and motivate them to report suspicious behavior and violations of company policy and procedures.