What is the primary focus of PCI DSS Requirement 9?

Multiple Choice

What is the primary focus of PCI DSS Requirement 9?

Explanation:
The main idea is restricting physical access to cardholder data and to the devices that store, process, or transmit it. PCI DSS Requirement 9 is about locking down who can physically enter data centers, server rooms, and areas where media such as backups are kept, using controls such as restricted access, badge systems, access logs, and secure storage for media. This physical security layer prevents tampering with or theft of cardholder data (CHD) and complements other requirements that cover encryption, logical access controls, and network monitoring. The other options refer to protections addressed in different parts of PCI DSS: encryption at rest protects the data itself, logical access controls govern who can use systems, and network traffic monitoring focuses on detecting suspicious activity.
