9.4.3 Media with cardholder data sent outside the facility is secured as follows:
Defined Approach Requirements
9.4.3 Media with cardholder data sent outside the facility is secured as follows:
- Media sent outside the facility is logged.
- Media is sent by secured courier or other delivery method that can be accurately tracked.
- Offsite tracking logs include details about media location.
Defined Approach Testing Procedures
9.4.3.a Examine documentation to verify that procedures are defined for securing media sent outside the facility in accordance with all elements specified in this requirement.
9.4.3.b Interview personnel and examine records to verify that all media sent outside the facility is logged and sent via secured courier or other delivery method that can be tracked.
9.4.3.c Examine offsite tracking logs for all media to verify tracking details are documented.
Customized Approach Objective
Media is secured and tracked when transported outside the facility.
Purpose
Media may be lost or stolen if sent via a non-trackable method such as regular postal mail. The use of secure couriers to deliver any media that contains cardholder data allows organizations to use their tracking systems to maintain inventory and location of shipments.
purpose
Send media by secured courier or other delivery method that can be accurately tracked.
compliance strategies
- Use bonded couriers
- Tracking numbers for shipments
typical policies
- Media Transport Policy
common pitfalls
- Untracked shipments
- Use of regular mail
type
Process Control
difficulty
Moderate
key risks
- Loss or theft in transit
recommendations
- Require signature upon delivery
Eligible SAQ
- SAQ-A
- SAQ-A-EP
- SAQ-B
- SAQ-B-IP
- SAQ-C
- SAQ-C-VT
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER