PCI Requirement 9.7 – Maintain Strict Control Over the Storage and Accessibility of Media

by Randy Bartels / January 31st, 2018

What if your organization lost cardholder data, but didn’t even know it? Without inventory methods for media and data storage requirements, stolen or missing media could go unnoticed for a long time, or might never be noticed at all. This is why PCI Requirement 9.7 states, “Maintain strict control over the storage and accessibility of media.” If you are not confident that you know where your data is stored and who has accessed it, how do you plan to protect it?

Logs are one of the most common inventory methods used to control the storage and accessibility of media. Data storage requirements help control who has access to your media and cardholder data. Documenting the inventory of your media at least annually helps your organization comply with PCI Requirement 9.7, and it helps an assessor verify that your logs match up with your data storage requirements, policies, and procedures.

You need to maintain strict control over the individuals or organizations that might have access to any of this physical media that might contain sensitive information. PCI Requirement 9.7 has numerous controls that speak to that; go ahead and watch the next set of videos that walk through the sub-requirements of PCI Requirement 9.7 and the merits around what you need to do in order to maintain compliance with those requirements.