GRCWatch
Sign inStart free trial

PCI DSS 9.2.4: Lock Consoles When Not in Use

Console access in sensitive areas represents a critical security gap if left unattended. PCI DSS 9.2.4 requires organizations to lock all consoles when not actively in use, preventing unauthorized individuals from accessing payment systems or cardholder data. This fundamental physical security control is often overlooked but essential for maintaining cardholder data environment (CDE) integrity.

What this means

This control mandates that all computer consoles and terminals located in sensitive areas—including server rooms, network operations centers, and administrative workstations—must be automatically locked or manually secured whenever an authorized user steps away. A locked console cannot be accessed without proper authentication credentials, effectively preventing shoulder surfing, unauthorized system commands, or data theft during unattended sessions.

How to comply

  1. 1.Enable automatic screen lock functionality on all consoles in sensitive areas with a maximum idle timeout of 15 minutes
  2. 2.Require password re-entry or multi-factor authentication to unlock consoles
  3. 3.Document which areas qualify as sensitive and require console locking
  4. 4.Implement manual locking procedures for staff who step away briefly (keyboard shortcuts, access badges, or physical locks)
  5. 5.Audit console lock configurations quarterly to ensure compliance across all systems
  6. 6.Train personnel on the importance of locking consoles and document completion

Evidence auditors look for

  • Screenshots of screen lock settings configured across workstations with 15-minute idle timeouts
  • Audit logs showing successful lock/unlock events with timestamps and user identifiers
  • Physical security policies documenting console locking requirements for sensitive areas
  • Training records demonstrating staff awareness of console locking procedures
  • CCTV footage showing locked screens when consoles are unattended
  • Group Policy Objects (GPO) or Mobile Device Management (MDM) configurations enforcing automatic locking

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically tracks console locking configurations across your infrastructure, flags non-compliant systems, and generates audit-ready evidence reports—eliminating manual spreadsheet tracking and reducing your assessment timeline.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 9.2.1 — Implement Physical Entry ControlsPCI DSS 9.2.2 — Maintain Physical Access LogPCI DSS 8.1.1 — Assign Unique User IDsPCI DSS 2.1 — Default Security Parameters