PCI DSS 9.2.4: Lock Consoles When Not in Use
Console access in sensitive areas represents a critical security gap if left unattended. PCI DSS 9.2.4 requires organizations to lock all consoles when not actively in use, preventing unauthorized individuals from accessing payment systems or cardholder data. This fundamental physical security control is often overlooked but essential for maintaining cardholder data environment (CDE) integrity.
What this means
This control mandates that all computer consoles and terminals located in sensitive areas—including server rooms, network operations centers, and administrative workstations—must be automatically locked or manually secured whenever an authorized user steps away. A locked console cannot be accessed without proper authentication credentials, effectively preventing shoulder surfing, unauthorized system commands, or data theft during unattended sessions.
How to comply
- 1.Enable automatic screen lock functionality on all consoles in sensitive areas with a maximum idle timeout of 15 minutes
- 2.Require password re-entry or multi-factor authentication to unlock consoles
- 3.Document which areas qualify as sensitive and require console locking
- 4.Implement manual locking procedures for staff who step away briefly (keyboard shortcuts, access badges, or physical locks)
- 5.Audit console lock configurations quarterly to ensure compliance across all systems
- 6.Train personnel on the importance of locking consoles and document completion
Evidence auditors look for
- Screenshots of screen lock settings configured across workstations with 15-minute idle timeouts
- Audit logs showing successful lock/unlock events with timestamps and user identifiers
- Physical security policies documenting console locking requirements for sensitive areas
- Training records demonstrating staff awareness of console locking procedures
- CCTV footage showing locked screens when consoles are unattended
- Group Policy Objects (GPO) or Mobile Device Management (MDM) configurations enforcing automatic locking
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically tracks console locking configurations across your infrastructure, flags non-compliant systems, and generates audit-ready evidence reports—eliminating manual spreadsheet tracking and reducing your assessment timeline.
See how GRCWatch handles this control automatically
Start free trial