On-site locations where PCI data is stored must provide access controls and protection which will reduce the risk of loss or damage to an acceptable level.
Physically secure all media.
- Store media backups in a secure location, preferably an off-site facility, such as an alternative or backup site, or a commercial storage facility. Review the location’s security at least annually.
Maintain strict control over the internal or external distribution of any kind of media, by doing the following:
- Classify media so the sensitivity of the data can be determined
- Send the media by secured courier or other delivery method that can be accurately tracked
- Ensure management approves any media that is moved from a secured area (including media distributed to individuals)
Maintain strict control over the storage and accessibility of media
- Properly maintain inventory logs of all media and conduct media inventories at least annually
Destroy media when it is no longer needed for business or legal reasons as follows:
- Shred, incinerate, or pulp hard copy materials so that cardholder data cannot be reconstructed. Secure the storage containers that hold materials awaiting destruction
- Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed
Movement of hardware or any items within the PCI Inventory between the University’s locations is to be strictly controlled by authorized personnel.
LU employees who handle PCI data; any media containing PCI data.
This policy should serve as a reminder to treat any PCI data in any location with the highest level of security reasonably possible. When the topic of protecting data (in this case, PCI data) arises, the focus is usually on access to the site where the data is stored or on the level of access employees have within programs. It would be remiss to omit the storage areas in the direct control of the employees who handle data every day. Items such as small pieces of paper, reports, and removable electronic media are often overlooked. These seemingly insignificant items must be given the same level of security. Misplacing or mishandling any of these items when they contain PCI data could lead to adverse results, so they must be protected.
Media - For the purpose of this policy, media includes, but is not limited to, computers, removable electronic media, paper receipts, paper reports, and faxes.
IS010108 Data Classification
IS020107 Physical Security - Data Facilities
IS030502 Data Storage
IS030600 Backup Policy
IS030802 External Sharing
IS030805 PCI Data Retention and Disposal
IS050604 PCI Inventory
11.01.02 Physical entry controls
11.01.03 Security offices, rooms, and facilities
PCI DSS 3.2, Requirement 9: Restrict physical access to cardholder data