Requirement 9 - Restrict Physical Access to Cardholder Data

Requirement 9 mandates that organizations restrict physical access to any location where cardholder data is stored, processed, or transmitted. It requires documented controls for entry, visitor management, secure storage and disposal of media, and the use of surveillance or other monitoring to ensure that only authorized personnel can reach sensitive data.