Physical access must be restricted to which items?


Multiple Choice

Physical access must be restricted to which items?

Explanation:
Physical access controls aim to limit who can physically touch equipment that could affect the security of cardholder data. In PCI DSS, restricting access applies to devices that can access, process, store, or transmit cardholder data and the infrastructure that supports them. This includes wireless access points, gateways, handheld devices, networking and communications hardware, and telecommunication lines: the kinds of assets that, if compromised, could provide a path into the Cardholder Data Environment. Therefore, this broader set is the best fit because it covers all the critical components whose security matters for protecting card data. The other options are narrower or too lax: restricting only laptops used by contractors omits many other sensitive devices; allowing free access to all devices inside the facility ignores necessary protections; and restricting only servers in a locked cage misses other equipment that could affect security.

