From the PCI DSS:
Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hard copies, and should be appropriately restricted.
This requirement relates to restricting physical access to the computer room or data center, and destroying transportable media, which are a function of organizational security, not EFT Server.
|
PCI DSS Requirement |
How Requirement is Addressed with EFT Server | |
|
9.1 - 9.9 Use appropriate facility entry controls to limit and monitor physical access to systems that store, process, or transmit cardholder data. |
External to EFT Server | |
|
9.10 - 9.10.1 Destroy media containing cardholder data when it is no longer needed for business or legal reasons as follows |
Primarily deals with physical media, except for sub-requirement 9.10.2 | |
|
|
9.10.2 Purge, degauss, shred, or otherwise destroy electronic media so that cardholder data cannot be reconstructed |
EFT Server includes a data-wiping algorithm for sanitizing deleted data on disk. This option is an approved compensating control as documented in PCI DSS Security Audit Procedures v1.1. |