Your organization needs policies and procedures in place for classifying media. PCI Requirement 9.6.1 states, “Classify media so that sensitivity of the data can be determined.” It is important to note that the intent behind PCI Requirement 9.6.1 is not to stamp every sensitive piece of media “Confidential.” Doing that defeats the purpose of the requirement; it draws attention to exactly which media is valuable. The PCI DSS explains, “The intent is that the organization has identified media that contains sensitive data so it can protect it.” Media that holds sensitive data but has not been identified as such may go unprotected, and unprotected media can be lost or stolen.
An assessor will want to test your personnel by verifying that they can determine the classification of a randomly selected piece of media. If they cannot, you are not meeting PCI Requirement 9.6.1.
You need a data classification policy. That policy defines how you handle each class of data and who is allowed to access it. Specific to this requirement, it must say that you classify your media so that its classification can be determined. From an assessment perspective, I would walk around your facility, talk to your backup administrator and your tape administrator, pick up a piece of media, and ask them how that piece of media is classified. I would expect the person I am interviewing to be able to answer according to whatever your policies and procedures state, whether that answer comes from a marking on the media itself or from the inventory record the media is logged in.
Understand that you have to have a classification policy, and you need to classify your media so that the classification can be determined. In years past, the requirement was to write “Confidential” on that media. What the PCI Security Standards Council has come to realize is that this defeats the purpose. It is like saying, “Hey, this is where my money is, this is where my sensitive information is, come get this data.” Today, the requirement is simply that you classify the media so that its classification can be determined.