9.4.2 All media with cardholder data is classified in accordance with the sensitivity of the data.
Defined Approach Requirements
9.4.2 All media with cardholder data is classified in accordance with the sensitivity of the data.
Defined Approach Testing Procedures
9.4.2.a Examine documentation to verify that procedures are defined for classifying media with cardholder data in accordance with the sensitivity of the data.
9.4.2.b Examine media logs or other documentation to verify that all media is classified in accordance with the sensitivity of the data.
Customized Approach Objective
Media are classified and protected appropriately.
Purpose
Media not identified as confidential may not be adequately protected or may be lost or stolen.
Good Practice
It is important that media be identified such that its classification status is apparent. This does not mean however that the media needs to have a "confidential" label.
Purpose
Properly classify and label media containing cardholder data.
Compliance Strategies
- Labeling standards
- Periodic audits
Typical Policies
- Media Classification Policy
Common Pitfalls
- Unlabeled media
- Incorrect classification
Type
Process Control
Difficulty
Low
Key Risks
- Improper handling due to misclassification
Recommendations
- Automated labeling systems
Eligible SAQ
- SAQ-A
- SAQ-A-EP
- SAQ-B
- SAQ-B-IP
- SAQ-C
- SAQ-C-VT
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER