PCI Requirement 9.7 – Maintain Strict Control Over the Storage and Accessibility of Media

by Randy Bartels / December 20, 2022

 Storage and Accessibility of Media What if your organization lost cardholder data, but didn’t even know it? Without inventory methods for media and data storage requirements, stolen or missing media could go unnoticed for a long time or maybe not noticed at all. This is why PCI Requirement 9.7 requires, “Maintain strict control over the storage and accessibility of media.” If you do not feel confident about knowing where…

PCI Requirement 9.6.3 – Ensure Management Approves All Media Moved from a Secured Area

by Randy Bartels / December 20, 2022

 Obtaining Management Approval Like many other PCI DSS requirements, PCI Requirement 9.6.3 involves a management approval. When it comes to the distribution of media, management needs to be aware what media is being sent, where it’s going, and what’s protecting it. PCI Requirement 9.6.3 requires, “Ensure management approves any and all media that is moved from a secured area (including when media is distributed to individuals).” Management approval is…

PCI Requirement 9.6.2 – Send the Media by Secured Courier

by Randy Bartels / February 7, 2023

 Tracking Transferred Media If your organization transfers media to an off-site location, PCI Requirement 9.6.2 requires that you send the media by a secured courier and through a delivery method that can be accurately tracked. If you use the regular, non-trackable postal service, how do you keep track of your media? How do you know sensitive data hasn’t been lost or stolen? With the amount of secured courier options…

PCI Requirement 9.6.1 – Classify Media so the Sensitivity of the Data Can Be Determined

by Randy Bartels / December 20, 2022

 Classifying Media Your organization needs to have policies and procedures in place for classifying media. PCI Requirement 9.6.1 states, “Classify media so that sensitivity of the data can be determined.” It’s important to note that the intent behind PCI Requirement 9.6.1 is not to label every sensitive piece of media as “Confidential.” Doing that defeats the purposes of this requirement; it draws attention to which media is valuable. The…

PCI Requirement 9.6 – Maintain Strict Control Over the Internal or External Distribution of Any Kind of Media

by Randy Bartels / December 20, 2022

 Distribution of Media If your organization does not have policies and procedures in place to control the distribution of media, cardholder data could be lost, stolen, or used for fraudulent or malicious behavior. PCI Requirement 9.6 requires, “Maintain strict control over the internal or external distribution of any kind of media.” These controls could should cover: Classifying media based on sensitivity and is easily discernible. Sending media through a…