
9.4.1.1 Offline media backups with cardholder data are stored in a secure location.

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

9.4.1.1 Offline media backups with cardholder data are stored in a secure location.

Defined Approach Testing Procedures

9.4.1.1.a Examine documentation to verify that procedures are defined for physically securing offline media backups with cardholder data in a secure location.

9.4.1.1.b Examine logs or other documentation and interview responsible personnel at the storage location to verify that offline media backups are stored in a secure location.

Customized Approach Objective

Offline backups cannot be accessed by unauthorized personnel.

Purpose

If stored in a non-secured facility, backups containing cardholder data may easily be lost, stolen, or copied for malicious intent.

Good Practice

For secure storage of backup media, a good practice is to store media in an off-site facility, such as an alternate or backup site or commercial storage facility.

Purpose

Restrict access to media to only authorized personnel.

Compliance Strategies

  • Access lists
  • Periodic access reviews

Typical Policies

  • Media Access Policy

Common Pitfalls

  • No access reviews
  • Overly broad access

Type

Process/Physical Control

Difficulty

Low

Key Risks

  • Unauthorized access to CHD media

Recommendations

  • Use electronic access control for storage rooms

Eligible SAQ

  • SAQ-A
  • SAQ-A-EP
  • SAQ-B
  • SAQ-B-IP
  • SAQ-C
  • SAQ-C-VT
  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
