9.4.1.2 The security of the offline media backup location(s) with cardholder data is reviewed at least once every 12 months.
Defined Approach Requirements
9.4.1.2 The security of the offline media backup location(s) with cardholder data is reviewed at least once every 12 months.
Defined Approach Testing Procedures
9.4.1.2.a Examine documentation to verify that procedures are defined for reviewing the security of the offline media backup location(s) with cardholder data at least once every 12 months.
9.4.1.2.b Examine documented procedures, logs, or other documentation, and interview responsible personnel at the storage location(s) to verify that the storage location's security is reviewed at least once every 12 months.
Customized Approach Objective
The security controls protecting offline backups are verified periodically by inspection.
Purpose
Conducting regular reviews of the storage facility enables the organization to address identified security issues promptly, minimizing the potential risk. It is important for the entity to be aware of the security of the area where media is being stored.
Purpose
Maintain strict control over the storage and accessibility of media.
Compliance Strategies
- Check-in/check-out logs
- Dual control for sensitive media
Typical Policies
- Media Control Procedures
Common Pitfalls
- No tracking of media movement
- Media not signed out/in
Type
Process Control
Difficulty
Moderate
Key Risks
- Untraceable media loss
Recommendations
- RFID tracking for media
Eligible SAQ
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER