Obtaining Management Approval
Like many other PCI DSS requirements, PCI Requirement 9.6.3 involves a management approval. When it comes to the distribution of media, management needs to be aware of what media is being sent, where it's going, and what's protecting it. PCI Requirement 9.6.3 requires, "Ensure management approves any and all media that is moved from a secured area (including when media is distributed to individuals)."
Management approval has a ripple effect on everything that follows it. The PCI DSS explains, "Without a firm process for ensuring that all media movements are approved before the media is removed from secure areas, the media would not be tracked or appropriately protected, and its location would be unknown, leading to lost or stolen media."
An assessor will likely take a sample of recent off-site tracking logs to verify that management approval was given before media was transferred.
Any time media is sent off-site, management needs to be aware of where it's going. When we look at this particular requirement, it says that assessors should interview the administration staff to confirm they have approved the media being sent off-site. From an audit perspective, we're not looking to see that management has individually approved every piece of media that has ever gone off-site. What we're looking for is that management is aware of where the media is being sent and how it's being sent, and that the transfer is managed as part of the vendor management program described in PCI Requirement 12.8.