The Physical Security of Media
At your organization, are receipts ever left on someone’s desk? Are reports left in the printer and forgotten about? Are computers constantly logged in? If your organization has paper or electronic media containing cardholder data, you must protect and physically secure all media. PCI Requirement 9.5 is intended to prevent unauthorized individuals from accessing cardholder data through media.
PCI Requirement 9.5 states, “Physically secure all media.” In relation to PCI Requirement 9, media is all paper and electronic media containing cardholder data. This media could be paper receipts, faxes, removable electronic media, paper reports, and more. The PCI DSS explains, “Cardholder data is susceptible to unauthorized viewing, copying, or scanning if it is unprotected while it is on removable or portable media, printed out, or left on someone’s desk.” Complying with PCI Requirement 9.5.1 helps maintain the physical security and integrity of cardholder data.
PCI Requirements 9.5 and 9.5.1 require that you physically secure all media that may contain cardholder data. These particular requirements are not just subject to tapes; they’re also subject to any print media that you might have. If you have print receipts or the ticker tapes that contain the batch-out or end-of-day batch processing, or if you physically have written cardholder data down on a piece of paper and you’re storing those on an invoice somewhere, this requirement would apply.
PCI Requirement 9.5. and 9.5.1 require that you have a process for maintaining the security and integrity of all of this data that you might be retaining from a physical security perspective.