9.4 Media with cardholder data is securely stored, accessed, distributed, and destroyed.
This requirement focuses on ensuring that media containing cardholder data is securely stored, accessed, distributed, and destroyed, preventing unauthorized access, copying, or destruction of sensitive information.
Controls for physically securing media are intended to prevent unauthorized persons from gaining access to cardholder data on any media. Cardholder data is susceptible to unauthorized viewing, copying, or scanning if it is unprotected while it is on removable or portable media, printed out, or left on someone's desk.
Sub-requirements:
- 9.4.1 All media with cardholder data is physically secured.
- 9.4.1.1 Offline media backups with cardholder data are stored in a secure location.
- 9.4.1.2 The security of the offline media backup location(s) with cardholder data is reviewed at least once every 12 months.
- 9.4.2 All media with cardholder data is classified in accordance with the sensitivity of the data.
- 9.4.3 Media with cardholder data sent outside the facility is secured as follows:
- 9.4.4 Management approves all media with cardholder data that is moved outside the facility (including when media is distributed to individuals).
- 9.4.5 Inventory logs of all electronic media with cardholder data are maintained.
- 9.4.5.1 Inventories of electronic media with cardholder data are conducted at least once every 12 months.
- 9.4.6 Hard-copy materials with cardholder data are destroyed when no longer needed for business or legal reasons, as follows:
- 9.4.7 Electronic media with cardholder data is destroyed when no longer needed for business or legal reasons via one of the following:
9.4 Media containing cardholder data is securely managed, stored, and destroyed.
Ensure that all media containing cardholder data is protected from unauthorized access, tracked, and securely destroyed when no longer needed.
Frequently Asked Questions
What types of media are covered?
Any physical media containing cardholder data, including paper, backup tapes, USB drives, and hard disks.
How should media be stored?
In locked, access-controlled locations with access limited to authorized personnel.
How is media movement tracked?
Through check-in/check-out logs, chain of custody records, and inventory systems.
How should media be destroyed?
By shredding, degaussing, or other methods that render data unrecoverable.
How often should media inventories be conducted?
At least annually, or more frequently as defined by policy.
Common QSA Questions
Can you show your media inventory and destruction logs?
Yes, we maintain detailed records of all media inventories and destruction activities.
How is media containing cardholder data transported?
Only by authorized personnel or secure couriers, with tracking and management approval.
How do you ensure proper media destruction?
We use certified destruction methods and retain certificates of destruction.