GRCWatch
Sign inStart free trial

PCI DSS 9.3.1.1: Controlling Ongoing CDE Access for Personnel

Personnel access to your cardholder data environment (CDE) must be actively managed and restricted. PCI DSS 9.3.1.1 requires that organizations control physical and logical access to sensitive areas, ensuring only authorized staff can reach systems handling payment card data. Without proper access controls, your organization faces audit failures and data breach risk.

What this means

This control mandates that any personnel with ongoing access to your CDE—whether physical locations or logical systems—must have their access strictly controlled and monitored. 'Ongoing access' refers to employees, contractors, or third parties who regularly work within or near sensitive cardholder data environments. Controls include access lists, badge systems, credentials management, and continuous monitoring of who enters restricted areas and when. The goal is ensuring that only individuals with legitimate business need can reach systems, networks, and physical spaces where payment card data is processed, stored, or transmitted.

How to comply

  1. 1.Maintain an up-to-date list of all personnel with ongoing CDE access, including their roles and access justifications
  2. 2.Implement physical access controls such as keycards, biometric systems, or security badges for restricted areas
  3. 3.Use role-based access control (RBAC) to limit logical access to CDE systems based on job function
  4. 4.Require multi-factor authentication for sensitive CDE system access
  5. 5.Document all access grant and revocation events with timestamps and authorization
  6. 6.Conduct quarterly access reviews to verify that all active access is still necessary and appropriate
  7. 7.Immediately revoke access for terminated employees and contractors
  8. 8.Monitor and log all physical entries to CDE areas and all logical CDE system access attempts
  9. 9.Establish a formal access request and approval process with clear authorization workflows

Evidence auditors look for

  • Access control list (ACL) showing names, roles, and justification for CDE access
  • Physical access logs from badge systems or door entry records
  • System access audit trails showing login attempts, successful authentications, and privilege changes
  • Employee onboarding checklist documenting CDE access grants with approval signatures
  • Quarterly access review reports with sign-offs confirming active access remains necessary
  • Termination checklists proving access revocation within 24 hours of employee departure
  • Role definitions tied to specific CDE systems and data elements
  • Multi-factor authentication configuration documentation and testing results
  • Video surveillance logs or physical security incident reports for restricted CDE areas

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates access review workflows and tracks real-time access grants/revocations across your infrastructure, eliminating manual spreadsheets and ensuring you catch orphaned accounts before your auditor does.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 7.1 - Limit Access to CDE by Business NeedPCI DSS 7.2 - Restrict Access by RolePCI DSS 8.1 - Assign Unique ID to Each UserPCI DSS 8.2 - Ensure Proper AuthenticationPCI DSS 9.1 - Implement Physical Access Entry PointsPCI DSS 10.2 - Implement User Access Logging