Mandatory On-Site Data Center Visits?
jbhall56
01-21-2009, 10:56 AM
Sometime last summer, I thought I remembered seeing a clarification from the PCI SSC regarding the fact that as part of the PCI Security Assessment Procedures, assessors are required to physically visit all data centers that process, store or transmit cardholder data (CHD). However, now that I need that document, I cannot find it anywhere, not even on the PCI SSC FAQ. Was I dreaming this or does it in fact exist?
I know this is a requirement of the PCI DSS v1.2, but I could have sworn it was also a clarification and applied to v1.1.
Any help would be appreciated. Thanks.
derra
01-27-2009, 05:42 AM
Well it states in audit procedures for PCI DSS v1.1 under 9.1 that:
Verify the existence of physical controls for each computer room, data center, and other physical areas with systems that contain cardholder data.
So if it was that you were referring to, it says "each data center".
But I haven't seen any more clarification from SSC regarding it.
jbhall56
01-27-2009, 08:34 PM
For most outsourced data centers, you can obtain an AICPA compliant Statement on Auditing Standards (SAS) 70 or Service Auditors Report that will typically provide an opinion on the physical and environmental security controls at a data center. As employees of a CPA firm, we are very familiar with these reports and rely on their findings to support our PCI work as well as our financial audits.
However, most of these reports do not provide all the information that we need for the Report On Compliance. So, we hold conference calls with the outsourcing company's personnel to fill in those areas not covered by the SAS 70 report. This allows us to save on having to visit a data center that may be clear across the country.
However, if we physically MUST visit a data center, that advantage goes away.