GRCWatch
Sign inStart free trial

PCI DSS 9.2.2: Restrict Access to Public Network Jacks

Public network jacks pose a significant security risk—unauthorized users can easily plug in devices and access your cardholder data environment. PCI DSS 9.2.2 requires you to implement physical and logical controls that prevent this threat. Learn how to secure every network jack in your facility.

What this means

This control requires organizations to prevent unauthorized access to network infrastructure by restricting the use of publicly accessible network jacks—such as those in lobbies, hallways, or waiting areas. You must implement both physical controls (disabling unused jacks, locking enclosures) and logical controls (network segmentation, port authentication) to ensure only authorized personnel and devices can connect to your cardholder data environment.

How to comply

  1. 1.Identify all publicly accessible network jacks throughout your facility (lobbies, conference rooms, break rooms, hallways)
  2. 2.Disable unused network ports at switches and patch panels to prevent accidental or malicious connections
  3. 3.Install physical controls such as locked network enclosures, jack covers, or protective plates on active jacks in public areas
  4. 4.Implement logical controls including 802.1X port-based network access control (NAC) to authenticate devices before connection
  5. 5.Configure network segmentation to isolate public-facing jacks from the cardholder data environment
  6. 6.Document all network jack locations and their access restrictions in your network diagram
  7. 7.Conduct quarterly audits to verify physical controls remain intact and logical controls are functioning
  8. 8.Train employees on the policy prohibiting unauthorized device connections to network infrastructure

Evidence auditors look for

  • Network device inventory listing all switch ports with disabled status and physical security measures
  • Photos of locked network enclosures, disabled jack covers, or tamper-evident seals on public network locations
  • Network access control (NAC) logs showing 802.1X authentication requirements and device registration policies
  • Network segmentation diagrams showing VLANs isolating public network access from sensitive systems
  • Port security configuration files showing MAC address limits and authentication settings
  • Physical security logs or sign-in sheets for access to network closets and equipment areas
  • Security awareness training records confirming employee education on network jack restrictions
  • Audit reports from vulnerability scans confirming no unauthorized network access points

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates quarterly network jack audits by collecting evidence from your network devices and physical security logs, eliminating manual compliance tracking for this control.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 1.3 (Network Segmentation)PCI DSS 7.1 (Access Control Lists)PCI DSS 11.2 (Vulnerability Scanning)PCI DSS 12.6 (Security Awareness Training)