PCI Requirement 9.6 – Maintain Strict Control Over the Internal or External Distribution of Any Kind of Media

by Randy Bartels / December 20, 2022

Distribution of Media If your organization does not have policies and procedures in place to control the distribution of media, cardholder data could be lost, stolen, or used for fraudulent or malicious behavior. PCI Requirement 9.6 requires, “Maintain strict control over the internal or external distribution of any kind of media.” These controls should cover: classifying media so that the sensitivity of the data it contains is easily discernible; sending media through a…

PCI Requirement 9.5.1 – Store Media Backups in a Secure Location and Review the Location’s Security Annually

by Randy Bartels / December 20, 2022

Storing Media Backups Part of physically securing media that houses cardholder data is storing media backups in a secure location. Otherwise, media backups that contain cardholder data can easily be lost, stolen, or copied for malicious purposes. This is why PCI Requirement 9.5.1 requires, “Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review…

PCI Requirement 9.5 – Physically Secure all Media

by Randy Bartels / December 20, 2022

The Physical Security of Media At your organization, are receipts ever left on someone's desk? Are reports left in the printer and forgotten about? Are computers left logged in and unattended? If your organization has paper or electronic media containing cardholder data, you must protect and physically secure all of it. PCI Requirement 9.5 is intended to prevent unauthorized individuals from accessing cardholder data through media. PCI Requirement 9.5 states, “Physically secure…

PCI Requirement 9.4.4 – A Visitor Log is Used to Maintain a Physical Audit Trail of Visitor Activity to the Facility, Computer Rooms, and Rooms Where CHD is Stored

by Randy Bartels / December 20, 2022

Maintain a Visitor Log In order to record which visitors have entered your sensitive areas, PCI Requirement 9.4.4 requires, “A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted.” This visitor log must document three elements: the visitor’s name, the firm represented, and the onsite personnel authorizing physical access…

PCI Requirement 9.4.3 – Visitors are Asked to Surrender the Badge or Identification Before Leaving the Facility or at the Date of Expiration

by Randy Bartels / December 20, 2022

Visitors Must Surrender Their Badge Upon Their Departure To comply with PCI Requirement 9.4, there’s an important step outlined in PCI Requirement 9.4.3, related to identification mechanisms. It states, “Visitors are asked to surrender the badge or identification before leaving the facility or at the date of expiration.” Even though a visitor badge has an expiration date and/or time on it, you must ensure that you ask visitors to…