What is PCI DSS? Requirement 9 + Camera Compliance

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is the consortium-managed compliance standard for any organization that stores, processes, or transmits cardholder data. Requirement 9 covers physical security: restrict physical access to systems holding cardholder data, monitor entry to data centers and server rooms, retain video for at least three months, and handle media (including backup tapes) under documented chain-of-custody. PCI DSS 4.0 (effective March 2024, mandatory March 2025) tightens these requirements and adds explicit MFA expectations at sensitive zones.

The short definition

PCI DSS is managed by the Payment Card Industry Security Standards Council (PCI SSC), a consortium founded by Visa, Mastercard, American Express, Discover, and JCB. The standard is contractually required by the card brands and acquiring banks, not government-mandated, but the enforcement has teeth: non-compliance can mean loss of merchant processing privileges plus per-incident fines that hit six and seven figures. The standard runs 12 numbered Requirements. Requirements 1 through 8 cover network and application security, 9 covers physical security, and 10 through 12 cover monitoring, testing, and policy. For commercial security integrators, Requirement 9 is the heart of the engagement.

Requirement 9: physical access controls

The eight sub-requirements at a working level:

9.1: Use appropriate facility entry controls. Limit and monitor physical access, cameras at sensitive areas, footage retained at least 3 months.
9.2: Distinguish onsite personnel from visitors. Visible badges, color-coded passes, registration process.
9.3: Control physical access to sensitive areas. Card readers, biometric, or equivalent at server rooms, IDFs, POS server zones, with audit trail.
9.4: Visitor management. Authorize before entry, issue a badge, escort where applicable, log entry/exit, expire badges.
9.5: Physically secure all media. Backup tapes, paper receipts, portable drives.
9.6: Strict control over media distribution. Chain of custody for any media leaving the facility.
9.7: Strict control over storage of media. Locked, access-controlled, inventoried.
9.8: Destroy media when no longer needed. Cross-cut shredding for paper, certified wiping or physical destruction for electronic.

Footage retention: minimum 3 months continuous, with longer retention on incident-tagged clips. Storage typically lives on a VMS physically segregated from the production CDE network, so a CDE breach can't tamper with the audit-trail footage.

PCI DSS 4.0 implications

Effective March 2024, mandatory for assessments after March 31, 2025. Relevant changes:

MFA at the CDE. Stronger MFA expectations for any access to cardholder data, including physical access at some assessor interpretations. Tightens single-factor badge-only at sensitive doors.
Targeted risk analysis. Organizations must perform and document a TRA for many controls, including some physical-security ones. Customized implementation is allowed, but the equivalence to the defined approach must be documented.
Enhanced logging and monitoring. Access events, video, and visitor logs all need retention and review processes.
Continuous monitoring vs annual snapshot. 4.0 pushes toward ongoing posture validation rather than once-a-year audit prep.

Penalties

Three penalty patterns:

Card-brand fines. $5K to $100K per month of non-compliance, levied by the acquiring bank and passed to the merchant.
Per-incident fines. $50 to $500 per cardholder record exposed in a breach, depending on the brand and the negligence findings.
Loss of processing privileges. The acquiring bank can suspend the merchant's ability to take card payments. Operationally fatal for any retailer.

Major retail breaches (Target 2013, Home Depot 2014) settled in the $100M to $200M range, plus operational damage. The physical-security cost of compliance is small compared to the breach exposure.

When to ask Tec-Tel about PCI DSS

Multi-site retail, hospitality, and processor sites need PCI DSS-aware camera and access designs. We scope the cardholder data environment, document the placement decisions for the auditor, and validate retention.

Frequent buyer questions

Who has to comply with PCI DSS?

Any organization that stores, processes, or transmits cardholder data. That includes retailers (point-of-sale systems), e-commerce sites, payment processors, hospitality (hotel front desks, restaurants), parking operators, and most multi-site service businesses. Compliance scope ranges from Self-Assessment Questionnaire (SAQ) for small merchants to Report on Compliance (ROC) by a Qualified Security Assessor for Level 1 merchants (over 6 million transactions per year).

What does Requirement 9 actually require?

Eight sub-requirements cover physical security. Highlights: (9.1) Limit physical access to facilities and the cardholder data environment (CDE). (9.2) Identify visitors and authorize before entry. (9.3) Restrict physical access to sensitive areas like data centers. (9.4) Implement procedures to identify and authorize visitors. (9.5) Physically secure all media. (9.6) Maintain strict control over internal/external distribution of media. (9.7) Maintain strict control over storage and accessibility. (9.8) Destroy media when no longer needed.

How long does PCI DSS require video retention?

PCI DSS Requirement 9.1.1 requires video to be retained for at least three months unless otherwise restricted by law. The standard practice at retailers and processors is 90 days continuous retention with extended retention on incident-tagged clips. PCI ROC auditors verify retention by sampling: ask for footage from 75 to 90 days ago at the cardholder data environment, expect to see usable video.

What's new in PCI DSS 4.0?

Several relevant changes effective for assessments after March 31, 2025. (1) Explicit MFA expectations for access to the cardholder data environment, including physical access at some interpretations. (2) Customized implementations allowed for some requirements (vs the strict 'defined' requirements in 3.2.1). (3) Stronger requirements around payment page integrity (anti-skimmer). (4) Enhanced logging and monitoring requirements. (5) Authenticated scanning. The 4.0 standard pushes organizations toward continuous monitoring rather than annual snapshot compliance.

Where do cameras typically deploy at PCI DSS-scope sites?

Five zones. (1) Entry to the cardholder data environment (POS room, server cage, processor data center). (2) IDF and telecom closets that touch the CDE network. (3) Backroom safes and cash counting rooms. (4) Loading dock at retail (stolen-equipment risk). (5) ATM rooms at FI branches. Cameras pair with badge readers; badge events bookmark the video. PCI auditors review the camera plan and expect documented placement justification.

Start with a free consultation.

Tell us what you're protecting and what's already in place. The Tec-Tel team reviews it and comes back with a written plan.

Tell us how many sites you run and what's already in place. We'll show you what a build or upgrade looks like.

Straight answers from the team that does the work. We're platform-agnostic, so you get the system that fits your sites, not one brand's catalog.

Since 2010 · 1,000+ deployments nationwide · ISN-accredited

Book a free consultation 855-577-0400

PCI DSS

The short definition

Requirement 9: physical access controls

PCI DSS 4.0 implications

Penalties

When to ask Tec-Tel about PCI DSS

Frequent buyer questions

SOC 2

MFA

PACS

Industries

Start with a free consultation.

How can we help?