Learn how you can improve your business’s physical security to protect your data.  

By: Michael Maughan

What's the first thing you think of when you hear the words data security? You may think of firewalls, encryption, or even vulnerability scanning. But do you also think of locked doors, security badges, or sign-in sheets?


Many businesses don't realize how much physical security contributes to protecting their card data. There are many ways for data thieves to gain access, and several don't involve a computer at all. Strengthening your physical security makes it much harder for hackers and social engineers to gather the information and access they need to steal card data.

SEE ALSO: Physical Security: What You Aren’t Thinking About

Here are 5 tips to ensure your physical security gives adequate protection against card data loss.

1. Keep an inventory of devices

More businesses are using mobile devices in their transactions. While convenient, this also brings some security issues. Theft of devices such as laptops, servers, and POS terminals is a common cause of data breaches.

Make sure you have a documented inventory of your devices that either carry or can connect to card data. Your business should be aware of where these devices are, who has them, whether they can leave your business environment, etc. And as always, card data storage should be encrypted.

This inventory can help you keep track of all your devices. Should someone walk out with something, keeping an inventory can help you quickly identify the stolen device, when it happened, the extent of what data was stolen, and what further actions should be taken.
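The following is an added example, not code from the original article, of how a documented inventory becomes useful the moment something goes missing. It reconciles a constructed inventory (owner, home site, whether the device holds card data, whether it may leave the premises, whether its disk is encrypted) against constructed "sightings" of the kind you would get from badge readers, MDM check-ins or NAC logs, and flags devices that are unknown, missing, off-premises when they shouldn't be, or holding card data without encryption. Every asset ID, site name and owner here is made up.

```python
"""Reconcile a documented device inventory against observed sightings.

Added example, not from the original article. All inventory entries,
sightings and site names below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Asset:
    asset_id: str
    kind: str                 # laptop, pos-terminal, server ...
    owner: str                # who is accountable for it
    home_site: str            # where it is supposed to live
    holds_card_data: bool     # stores or can connect to card data
    may_leave_premises: bool  # policy: allowed off-site?
    disk_encrypted: bool      # storage encrypted at rest?


@dataclass
class Sighting:
    asset_id: str
    site: str
    seen_at: datetime


# Constructed inventory: what the business has documented.
INVENTORY = {
    a.asset_id: a for a in [
        Asset("LT-0001", "laptop", "a.smith", "HQ", True, True, True),
        Asset("LT-0002", "laptop", "j.doe", "HQ", True, False, False),
        Asset("POS-0101", "pos-terminal", "store-ops", "Store-1", True, False, True),
        Asset("SRV-0007", "server", "it", "Datacenter", True, False, True),
    ]
}

NOW = datetime(2024, 5, 1, 9, 0)

# Constructed sightings (badge reader, MDM check-in, NAC log).
SIGHTINGS = [
    Sighting("LT-0001", "Airport-WiFi", NOW - timedelta(hours=2)),
    Sighting("LT-0002", "Coffee-Shop", NOW - timedelta(hours=1)),
    Sighting("POS-0101", "Store-1", NOW - timedelta(minutes=10)),
    Sighting("LT-9999", "HQ", NOW - timedelta(minutes=5)),  # never inventoried
]


def reconcile(inventory, sightings, now, stale_after=timedelta(days=7)):
    """Return (code, asset_id, detail) findings for an inventory review."""
    findings = []

    # Keep only the most recent sighting per device.
    last_seen = {}
    for s in sightings:
        cur = last_seen.get(s.asset_id)
        if cur is None or s.seen_at > cur.seen_at:
            last_seen[s.asset_id] = s

    # Devices that showed up but were never documented.
    for asset_id, s in last_seen.items():
        if asset_id not in inventory:
            findings.append(("UNKNOWN_DEVICE", asset_id,
                             f"seen at {s.site}, not in inventory"))

    # Documented devices: static policy checks, then presence checks.
    for asset_id, a in inventory.items():
        if a.holds_card_data and not a.disk_encrypted:
            findings.append(("UNENCRYPTED_CARD_DATA", asset_id,
                             f"{a.kind} owned by {a.owner} stores card data unencrypted"))
        s = last_seen.get(asset_id)
        if s is None or now - s.seen_at > stale_after:
            findings.append(("MISSING", asset_id,
                             f"no sighting within {stale_after.days} days; "
                             f"last home site {a.home_site}, owner {a.owner}"))
            continue
        if s.site != a.home_site and not a.may_leave_premises:
            findings.append(("OFF_PREMISES", asset_id,
                             f"seen at {s.site} but must stay at {a.home_site}"))
    return findings


if __name__ == "__main__":
    for code, asset_id, detail in reconcile(INVENTORY, SIGHTINGS, NOW):
        print(f"{code:22} {asset_id:9} {detail}")
```

Run against the constructed data this flags LT-9999 as an unknown device, LT-0002 as both off-premises and unencrypted, and SRV-0007 as missing; LT-0001 is off-site but permitted to be, so it raises nothing. Feeding real inventory and check-in data into the same reconciliation on a schedule gives you the "what, when, and how much" answers the paragraph above says you will need after a theft.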

2. Limit access to areas with sensitive info or equipment

Banks don’t just let everybody walk around their vaults.

Your business should treat your data like it’s very valuable, because it is.
That means rooms that have card data should only be accessed by employees that need it.

Make sure to give your employees only the amount of access that they need and nothing more. For example, your marketing supervisor probably doesn't need access to card data. If your card data resides in a third-party data center, make sure you can trust your service providers, and verify how they handle physical access, before you hand them your data.

3. Put together and document security policies

You’ll need to come up with a set of policies for your employees to handle physical security. Doing this will guard against intentional or unintentional data theft. Some things to consider in your policies include:
  • When doors are locked
  • Who is assigned what access
  • Which devices are to remain on premise always
  • Who oversees implementing security
  • Who has physical access to CDE server hardware and network gear
  • Password change policy (don’t write passwords down)
  • Procedures for reporting lost/stolen access card or badge
  • Visitor access procedures
It’s important to document these policies and procedures since having them on paper will clarify any questions your employees may have and mitigate liability should a breach occur. You’ll also want to update these policies regularly.

SEE ALSO: The Cost of a PCI Security Policy: What You Need to Know

4. Train employees

Policies and procedures alone won't do your business much good if your employees aren't following them. Human error is one of the biggest causes of data breaches. All it takes is one employee forgetting to lock a door or a data center cabinet, or letting an unauthorized person into a restricted area, for card data to get stolen.

Make sure to train your employees consistently on physical security. Show examples of proper and improper application of policies and procedures. Help employees understand the risk and liabilities involved in poor adherence to company policy.

Training employees once when they join you, and then annually, likely won't be enough. It's recommended that employees are trained quarterly, if not monthly.

SEE ALSO: Employee Data Security Training: What You Should Do

5. Don’t forget the smaller things

It’s one thing to make sure your doors are locked at night and everything is secure after hours, but what about during the day? Contrary to popular belief, a lot of data thefts happen in the middle of working hours, particularly when social engineers are involved. Consider the access that janitors and delivery persons have. It would be very easy for a social engineer to gain access to data by pretending to be an employee.

Social engineers are often very skilled at slipping into unauthorized areas unnoticed, and this is often due to employees overlooking smaller security details. Regardless of how friendly and innocent someone may be, you should adhere to policy to ensure data protection.

It's crucial not to leave out the smaller security details. Installing privacy screens on monitors, putting blinds in rooms with sensitive data, and documenting who comes in and out of your organization can go a long way toward protecting card data.

It just takes one breach to ruin a business, so don’t be that business.

Need help in securing your data? Talk with our consultants!

Michael Maughan is a Security Analyst at SecurityMetrics and has been in IT for 18 years. He has a Bachelor of Science in Applied Physics from BYU and is an avid college sports fan.
