Clean/Clear Desk Policy?
jplee3
01-21-2009, 09:05 AM
Hi all,
Just wondering what, if at all, you're all doing to implement PCI req 9.6 (essentially, keeping clean desks, etc). What are your procedures for 'auditing' desks? Do you only look for CHD on papers/disks? Or do you look for other things as well (personal information, SSNs, passwords, etc)? Do you have a team of people, and if so, how many? And how often do you check people's desks?
Just trying to get any ideas. They're trying to come up with a 'strategy' here of how to do it.
jbhall56
01-21-2009, 11:03 AM
If done by internal personnel, most of our clients conduct such reviews as part of their internal audit program of departments that have access to personally identifiable information (PII), which includes not only cardholder information but also social security numbers, driver's license numbers, etc.
We also review PII out in the open through after hours reviews of desks. However, because of legal concerns, we only look at documents and information that is out in the open such as on the desktop, in the trash, on a bookshelf, etc. We do not open desk drawers, go through open desk drawers, file cabinets, etc.
Knox Ellery
05-07-2009, 08:41 PM
Improve cleanliness of the company:
When desks are clean and all areas of the company are free from paper and clutter, the office looks clean and efficient. People feel more comfortable in a well organized environment and guests will have a good impression of the company.
Improve protection of confidentiality & private data:
A lot of information in our company is confidential and needs to be protected from unauthorized access by internal or external parties. The application of a clean desk policy reduces this risk compared to an environment without such a policy and all kinds of stuff on the tables.
jonassono
05-08-2009, 09:13 AM
Hi all,
Just wondering what, if at all, you're all doing to implement PCI req 9.6 (essentially, keeping clean desks, etc). What are your procedures for 'auditing' desks? Do you only look for CHD on papers/disks? Or do you look for other things as well (personal information, SSNs, passwords, etc)? Do you have a team of people, and if so, how many? And how often do you check people's desks?
Just trying to get any ideas. They're trying to come up with a 'strategy' here of how to do it.
Point of correction - Requirement 9.6 states that the assessor is to "Verify that procedures for protecting cardholder data include controls for physically securing paper and electronic media (including computers, removable electronic media, networking, and communications hardware, telecommunication lines, paper receipts, paper reports, and faxes)".
There is no stated requirement for the assessor (QSA) to verify the procedures are, in fact, working, i.e. your reference to "auditing desks" or any other wild goose hunt to clock up extra expenses for the merchant.
I have had this pointed conversation with overzealous QSAs in the past. We provide a copy of our formally approved "Procedures for Protecting Cardholder Data" for the QSA's review and comment.
The same practice applies for the SAQ approach - namely, authentication/verification of an approved procedure.