PCI DSS 9.3.1.1: Controlling Ongoing CDE Access for Personnel
Personnel access to your cardholder data environment (CDE) must be actively managed and restricted. PCI DSS 9.3.1.1 requires that organizations control physical and logical access to sensitive areas, ensuring only authorized staff can reach systems handling payment card data. Without proper access controls, your organization faces audit failures and data breach risk.
What this means
This control mandates that any personnel with ongoing access to your CDE—whether physical locations or logical systems—must have their access strictly controlled and monitored. 'Ongoing access' refers to employees, contractors, or third parties who regularly work within or near sensitive cardholder data environments. Controls include access lists, badge systems, credentials management, and continuous monitoring of who enters restricted areas and when. The goal is ensuring that only individuals with legitimate business need can reach systems, networks, and physical spaces where payment card data is processed, stored, or transmitted.
How to comply
- 1.Maintain an up-to-date list of all personnel with ongoing CDE access, including their roles and access justifications
- 2.Implement physical access controls such as keycards, biometric systems, or security badges for restricted areas
- 3.Use role-based access control (RBAC) to limit logical access to CDE systems based on job function
- 4.Require multi-factor authentication for sensitive CDE system access
- 5.Document all access grant and revocation events with timestamps and authorization
- 6.Conduct quarterly access reviews to verify that all active access is still necessary and appropriate
- 7.Immediately revoke access for terminated employees and contractors
- 8.Monitor and log all physical entries to CDE areas and all logical CDE system access attempts
- 9.Establish a formal access request and approval process with clear authorization workflows
Evidence auditors look for
- Access control list (ACL) showing names, roles, and justification for CDE access
- Physical access logs from badge systems or door entry records
- System access audit trails showing login attempts, successful authentications, and privilege changes
- Employee onboarding checklist documenting CDE access grants with approval signatures
- Quarterly access review reports with sign-offs confirming active access remains necessary
- Termination checklists proving access revocation within 24 hours of employee departure
- Role definitions tied to specific CDE systems and data elements
- Multi-factor authentication configuration documentation and testing results
- Video surveillance logs or physical security incident reports for restricted CDE areas
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates access review workflows and tracks real-time access grants/revocations across your infrastructure, eliminating manual spreadsheets and ensuring you catch orphaned accounts before your auditor does.
See how GRCWatch handles this control automatically
Start free trial