What is required to monitor entry and exit to sensitive areas and what is the data retention requirement?

• A. Photo IDs must be printed for each entry, stored indefinitely.
• B. Video cameras and/or access control mechanisms exist to monitor entry/exit; data stored for at least three months.
• C. There is no requirement to monitor entry/exit beyond door locks.
• D. Only manual security guards are required; video is optional.

Answer: (B)

Monitoring entry to sensitive areas requires using video surveillance or access control systems to track who enters and exits. This creates an auditable trail that supports security investigations and enforces protection of cardholder data by ensuring only authorized personnel can access sensitive zones. In addition, the data produced by these controls—whether video footage or access logs—must be retained for at least three months, providing a window to review incidents or anomalies. The other options don’t fit because they either rely on door locks alone, omit surveillance, or propose retention that isn’t aligned with the required minimum.