9.4.1 All media with cardholder data is physically secured.
Defined Approach Requirements
9.4.1 All media with cardholder data is physically secured.
Defined Approach Testing Procedures
9.4.1 Examine documentation to verify that the procedures defined for protecting cardholder data include controls for physically securing all media.
Customized Approach Objective
Media with cardholder data cannot be accessed by unauthorized personnel.
Purpose
Controls for physically securing media are intended to prevent unauthorized persons from gaining access to cardholder data on any media. Cardholder data is susceptible to unauthorized viewing, copying, or scanning if it is unprotected while it is on removable or portable media, printed out, or left on someone's desk.
Sub-requirements:
Purpose
Physically secure all media containing cardholder data.
Compliance strategies
- Locked storage
- Controlled access
Typical policies
- Media Handling Policy
Common pitfalls
- Media left unsecured
- Shared storage areas
Type
Physical Control
Difficulty
Moderate
Key risks
- Theft or loss of sensitive media
Recommendations
- Media safes with access logs
Eligible SAQ
- SAQ-A
- SAQ-A-EP
- SAQ-B
- SAQ-B-IP
- SAQ-C
- SAQ-C-VT
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER