Obtaining Management Approval

Like many other PCI DSS requirements, PCI Requirement 9.6.3 involves a management approval. When it comes to the distribution of media, management needs to be aware of what media is being sent, where it’s going, and what’s protecting it. PCI Requirement 9.6.3 requires, “Ensure management approves any and all media that is moved from a secured area (including when media is distributed to individuals).”

Management approval is a ripple effect. The PCI DSS explains, “Without a firm process for ensuring that all media movements are approved before the media is removed from secure areas, the media would not be tracked or appropriately protected, and its location would be unknown, leading to lost or stolen media.”

An assessor will likely take a sample of recent off-site tracking logs to verify that management approval was given before media was transferred.

Any time media is sent off-site, management needs to be aware of where it’s going. When we look at this particular requirement, it says that assessors should interview the administration staff to make sure they have approved the media being sent off-site. From an audit perspective, we’re not looking to see that management has individually approved every piece of material that’s ever gone off-site. What we’re looking for is that management is aware of where the media is being sent, how it’s being sent, and that it’s being managed as part of the vendor management program found in PCI Requirement 12.8.

Tracking Transferred Media

If your organization transfers media to an off-site location, PCI Requirement 9.6.2 requires that you send the media by a secured courier and through a delivery method that can be accurately tracked. If you use the regular, non-trackable postal service, how do you keep track of your media? How do you know sensitive data hasn’t been lost or stolen? With the number of secured courier options available today, compliance with PCI Requirement 9.6.2 is an easy way to protect your media.

An assessor will examine records that document how, where, and why media was transferred off site. They might even perform sampling as another way to verify that your organization uses a secured courier and a delivery method that can be accurately tracked.

If you’re going to be transferring media to a third party or off-site location, PCI Requirement 9.6.2 requires that you use some type of secure method for transmitting that information. Really what we’re looking for is that the media can be tracked. If you’re going to be sending it via mail, there needs to be some sort of tracking associated with it. Just sending it in regular mail would not be sufficient. If you’re going to be sending through a secure courier, it must be trackable so that you know where it is at all times. A lot of the back-up organizations that might come pick up or drop off your media have software now that does the tracking for them. At the end of the day, from an assessment perspective, what we’re looking for is that any time you transmit media off-site, whether that be a tape or a box with information in it or anything that would be considered sensitive, it is sent by a secured courier and is trackable.

Classifying Media

Your organization needs to have policies and procedures in place for classifying media. PCI Requirement 9.6.1 states, “Classify media so that sensitivity of the data can be determined.” It’s important to note that the intent behind PCI Requirement 9.6.1 is not to label every sensitive piece of media as “Confidential.” Doing that defeats the purposes of this requirement; it draws attention to which media is valuable. The PCI DSS explains, “The intent is that the organization has identified media that contains sensitive data so it can protect it.” If sensitive data goes unprotected, it has the potential to be lost or stolen.

An assessor will want to test your personnel to verify that they can determine the classification of a random piece of media. If not, then you’re not meeting PCI Requirement 9.6.1.

You need to have a data classification policy. This data classification policy defines how you handle data and who would get access to it. Specific to this requirement, it says that you classify your media so that the classification can be determined. From an assessment perspective, I would walk around your facility and talk to your back-up administrator, your tape administrator, and I would pick up a piece of media and ask them how that piece of media is classified. I would expect that the person I’m interviewing would have the ability to respond with whatever your policies and procedures state.

Understand that you have to have a classification policy and you need to classify the media so that the classification can be determined. In years past, people were required to write “Confidential” on that media. What the PCI Security Standards Council has come to realize is that kind of defeats the purpose. This is like saying, “Hey, this is where my money is, this is where my sensitive information is, come get this data.” Right now, the requirement is that you just classify the media so that the classification can be determined.

Distribution of Media

If your organization does not have policies and procedures in place to control the distribution of media, cardholder data could be lost, stolen, or used for fraudulent or malicious behavior. PCI Requirement 9.6 requires, “Maintain strict control over the internal or external distribution of any kind of media.” These controls should cover:

  • Classifying media based on sensitivity, so that its classification is easily discernible.
  • Sending media through a secured, trackable delivery method only.
  • Management approval when media is distributed, even if it’s to an internal individual.

To assess compliance with PCI Requirement 9.6, an assessor needs to review your organization’s policies and procedures regarding the distribution of media.

PCI Requirement 9.6 requires that you have access controls in place to ensure that you’re controlling the distribution of media. From an assessment perspective, this might include role-based access controls that define who physically gets access to it. We’re going to look for controls around how the media is distributed and who it is distributed to. PCI Requirement 9.6 has several sub-requirements beneath it, so go ahead and watch our next few videos on those and let us know if you have any questions.

Storing Media Backups

Part of physically securing media that houses cardholder data is storing media backups in a secure location. If not, media backups that contain cardholder data can easily be lost, stolen, or copied for malicious intent. This is why PCI Requirement 9.5.1 requires, “Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location’s security at least annually.”

To comply with PCI Requirement 9.5.1, you’re required to visit the location of media backups at least annually to ensure that data is still physically secure. What if you showed up to the location where you store your media backups and the front door was unlocked, no employees were present, and media was unmonitored? What if they had boxes of media sitting by a receptionist’s desk, open and available for anyone to view? These annual visits allow you to address security concerns like these in a timely manner, which minimizes risk.

If you as an organization are storing your media off-site, you’re required to go visit this facility at least annually and make sure that the data is still physically secure. If you’re using an organization like Iron Mountain or any other physical storage facility, you need to go visit and see where your cardholder data is stored and make sure that, perhaps, they’re not storing pallets of information out back or leaving doors open. It’s amazing to me, when I go visit these data centers as part of my assessments, to find that these types of things actually occur.