Which requirement emphasizes the need to restrict physical access to cardholder data?

Prepare for the PCI DSS QSA Exam with detailed quiz questions. Sharpen your understanding with multiple choice questions, each curated to enhance your readiness for the official test. Ace your certification!

The emphasis on restricting physical access to cardholder data is found specifically within Requirement 9 of the PCI DSS. This requirement focuses on implementing physical security measures to protect cardholder data and limit access to only those individuals who have a legitimate reason to handle that data. It outlines the need for physical barriers, surveillance, and access control to ensure that sensitive information is safeguarded from unauthorized access and potential breaches.

This requirement is critical because physical security is a fundamental aspect of protecting cardholder data in environments like data centers, offices, and employee workstations, where sensitive information can be at risk if left unattended or improperly secured. By enforcing strict measures on who can physically access areas where cardholder data is stored, organizations can significantly reduce the chances of data theft and unauthorized access.

The other requirements, while important to overall security and compliance, focus on different aspects such as access control procedures, monitoring systems, and vulnerability management, rather than the specific physical security of cardholder data.
