WithPCI.com

9.4.4 Management approves all media with cardholder data that is moved outside the facility (including when media is distributed to individuals).

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

9.4.4 Management approves all media with cardholder data that is moved outside the facility (including when media is distributed to individuals).

Defined Approach Testing Procedures

9.4.4.a Examine documentation to verify that procedures are defined to ensure that media moved outside the facility is approved by management.

9.4.4.b Examine offsite media tracking logs and interview responsible personnel to verify that proper management authorization is obtained for all media moved outside the facility (including media distributed to individuals).
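As an added example (not from the page or from the PCI SSC), the kind of cross-check an assessor applying 9.4.4.b could script: a constructed offsite media tracking log is compared against a constructed approval register, flagging movements with no approval record, an approval recorded only after the move, or an approver who lacks management authority (per the applicability note, authority matters, not the title). Field names, the sample records and the approver list are assumptions.

```python
"""Added example: reconcile an offsite media tracking log with an approval
register. Not the page's or PCI SSC's code; record formats are assumed."""
from datetime import datetime

# Constructed sample offsite media tracking log (field names are assumptions).
MOVEMENT_LOG = [
    {"media_id": "TAPE-0417", "moved_at": "2024-05-02T09:15", "to": "Offsite vault"},
    {"media_id": "USB-0092", "moved_at": "2024-05-03T14:00", "to": "Analyst J. Doe"},
    {"media_id": "TAPE-0418", "moved_at": "2024-05-04T08:30", "to": "Offsite vault"},
    {"media_id": "HDD-0007", "moved_at": "2024-05-05T16:45", "to": "Vendor repair"},
]
# Constructed management approval register.
APPROVAL_REGISTER = [
    {"media_id": "TAPE-0417", "approved_by": "ops.manager", "approved_at": "2024-05-01T17:00"},
    {"media_id": "TAPE-0418", "approved_by": "ops.manager", "approved_at": "2024-05-04T10:00"},
    {"media_id": "HDD-0007", "approved_by": "intern.t", "approved_at": "2024-05-05T09:00"},
]
# Personnel with authority to approve media movements (assumed list; the
# applicability note says authority matters, not a "manager" job title).
AUTHORIZED_APPROVERS = {"ops.manager", "security.lead"}


def find_exceptions(movements, approvals, approvers):
    """Return (media_id, reason) for every movement that fails the 9.4.4 check:
    an approval must exist, come from an authorized approver, and precede the move."""
    by_media = {}
    for a in approvals:
        by_media.setdefault(a["media_id"], []).append(a)
    exceptions = []
    for m in movements:
        moved = datetime.fromisoformat(m["moved_at"])
        cands = by_media.get(m["media_id"], [])
        if not cands:
            exceptions.append((m["media_id"], "no approval record"))
            continue
        valid = [a for a in cands if a["approved_by"] in approvers
                 and datetime.fromisoformat(a["approved_at"]) <= moved]
        if valid:
            continue  # properly authorized before the media left the facility
        if all(a["approved_by"] not in approvers for a in cands):
            exceptions.append((m["media_id"], "approver lacks management authority"))
        else:
            exceptions.append((m["media_id"], "approval recorded after the move"))
    return exceptions


if __name__ == "__main__":
    for media_id, reason in find_exceptions(MOVEMENT_LOG, APPROVAL_REGISTER, AUTHORIZED_APPROVERS):
        print(f"{media_id}: {reason}")
```

Each flagged entry is an item to raise with the responsible personnel during the 9.4.4.b interview rather than a finding by itself, since an approval may exist outside the register.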

Customized Approach Objective

Media cannot leave a facility without the approval of accountable personnel.

Applicability Notes

Individuals approving media movements should have the appropriate level of management authority to grant this approval. However, it is not specifically required that such individuals have "manager" as part of their title.

Purpose

Without a firm process for ensuring that all media movements are approved before the media is removed from secure areas, the media would not be tracked or appropriately protected, and its location would be unknown, leading to lost or stolen media.

Purpose

Management approval is obtained prior to moving media containing cardholder data outside controlled areas.

Compliance strategies

  • Formal approval process
  • Movement logs

Typical policies

  • Media Movement Policy

Common pitfalls

  • No approval records
  • Media moved without authorization

Type

Process Control

Difficulty

Low

Key risks

  • Unauthorized removal of sensitive media

Recommendations

  • Electronic approval workflows

Eligible SAQ

  • SAQ-A
  • SAQ-A-EP
  • SAQ-B
  • SAQ-B-IP
  • SAQ-C
  • SAQ-C-VT
  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
