PCI DSS 9.2.3: Restrict Physical Access to Wireless Access Points
Wireless infrastructure is a prime target for physical tampering and unauthorized access. PCI DSS 9.2.3 requires you to limit physical access to wireless access points, gateways, networking hardware, and telecommunication lines—a foundational step in preventing data breaches at the network perimeter.
What this means
This control mandates that your organization implement physical access restrictions around all wireless networking equipment. This includes wireless access points (WAPs), wireless gateways, routers, switches, and telecommunications infrastructure. The goal is to prevent unauthorized individuals from physically tampering with, disconnecting, or reconfiguring devices that could expose cardholder data networks to attack.
How to comply
- 1.Identify all wireless access points, gateways, networking hardware, and telecommunication lines in your environment—both data center and office locations
- 2.Implement physical barriers such as locked server rooms, cages, or cabinets to restrict unauthorized access to wireless equipment
- 3.Deploy access controls including badge readers, locks, or video surveillance at entry points to wireless infrastructure areas
- 4.Maintain an inventory of all wireless networking devices with their physical locations documented
- 5.Establish and enforce a policy requiring authorization before anyone accesses restricted networking areas
- 6.Log and review all physical access attempts to wireless infrastructure on a regular basis
- 7.Conduct quarterly or semi-annual reviews of physical access controls to ensure they remain effective
Evidence auditors look for
- Locked server room or cabinet containing wireless access points with access logs
- Badge access control records showing who entered wireless infrastructure areas and when
- Video surveillance footage of restricted networking equipment locations
- Network equipment inventory with documented physical locations
- Written physical access policy specific to wireless and networking hardware
- Access audit logs covering the past 6-12 months with sign-offs
- Photographs or documentation of physical barriers and locks in place
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates tracking of physical access controls for wireless infrastructure by integrating with your access management system, generating compliance-ready audit logs and automatically flagging unauthorized access attempts across all networking equipment.
See how GRCWatch handles this control automatically
Start free trial