PCI Requirement 9.5.1 – Store Media Backups in a Secure Location and Review the Location’s Security Annually
Storing Media Backups
Part of physically securing media that houses cardholder data is storing media backups in a secure location. Otherwise, media backups that contain cardholder data can easily be lost, stolen, or copied with malicious intent. This is why PCI Requirement 9.5.1 requires, “Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location’s security at least annually.”
To comply with PCI Requirement 9.5.1, you’re required to visit the location of media backups at least annually to ensure that data is still physically secure. What if you showed up to the location where you store your media backups and the front door was unlocked, no employees were present, and media was unmonitored? What if they had boxes of media sitting by a receptionist’s desk, open and available for anyone to view? These annual visits allow you to address security concerns like these in a timely manner, which minimizes risk.
If your organization stores its media offsite, you’re required to visit that facility at least annually and make sure that the data is still physically secure. If you’re using an organization like Iron Mountain or any other physical storage facility, you need to go visit and see where your cardholder data is stored and make sure that, for example, they’re not storing pallets of information out back or leaving doors open. It’s amazing to me, when I visit these data centers as part of my assessments, to find that these types of things actually occur.