Threat from Keyloggers
mckafka99
02-07-2009, 03:02 PM
I am wondering if, in discussions, one can overstate or understate the threat from keyloggers or the ability for keyloggers to get onto systems. I find frequently that some people tend to dismiss or underrate the threat that keyloggers present to a system used for card data entry. For a simple environment where workstations are used to enter data in a secure web form on a 3rd party hosted site/portal, keyloggers seem to be the primary threat, and making sure that they don't get on those machines would seem the big thing to pay attention to.
jbhall56
02-08-2009, 06:57 AM
Key loggers are a threat. There are some mitigating controls in the PCI DSS for addressing this threat.
For software-based keyloggers, this is why the PCI DSS mandates critical file monitoring and anti-virus. Between both of these controls it should be pretty tough to surreptitiously install a software-based keylogger.
For hardware-based keyloggers, the PCI DSS requires in-scope systems to be physically secured so the installation of a keylogger is difficult and would likely be recorded on video.
That said, there is still a threat for keyloggers ending up on systems that are not in-scope that are used as a way to get to the in-scope systems. For this, the PCI DSS requirement for network monitoring and network segmentation can minimize this threat, but it only works if alerts are properly addressed and researched.
mckafka99
02-09-2009, 07:12 AM
Key loggers are a threat. There are some mitigating controls in the PCI DSS for addressing this threat.
For hardware-based keyloggers, the PCI DSS requires in-scope systems to be physically secured so the installation of a keylogger is difficult and would likely be recorded on video.
Other than putting machines used for CHD entry in a separate, secure room that is monitored, what other ways can one meet the requirement to physically secure such machines?