What does PCI require for monitoring access to sensitive areas under 9.1.1?

• A. Video cameras and/or access control mechanisms must be used to monitor individual physical access to sensitive areas, and data stored for at least three months.
• B. Video monitoring is optional and retention is not specified.
• C. Monitoring is required only in non-sensitive areas.
• D. Video monitoring is prohibited in public areas.

Answer: (A)

PCI DSS requires ongoing monitoring of who can enter areas where cardholder data is processed or stored, and it also requires keeping the monitoring records for a defined period. The correct approach is to use video cameras and/or access-control systems to track individual physical access to those sensitive areas, with the resulting monitoring data retained for at least three months. This combination ensures both the ability to verify who accessed restricted spaces and sufficient time to review incidents or anomalies.

The other options don’t fit because they weaken or ignore these requirements: monitoring is not optional, it must cover sensitive areas (not just non-sensitive ones), and there isn’t a prohibition on video monitoring in public areas—rather, monitoring and retention are what PCI DSS calls for.