Physical Security - Media Policy
On-site locations where PCI data is stored must provide access controls and protection which will reduce the risk of loss or damage to an acceptable level.
Physically secure all media.
Maintain strict control over the internal or external distribution of any kind of media, by doing the following:
Maintain strict control over the storage and accessibility of media.
Destroy media when it is no longer needed for business or legal reasons as follows:
Movement of hardware or any items within the PCI Inventory between the University’s locations is to be strictly controlled by authorized personnel.
LU employees who handle PCI data; any media containing PCI data
This policy should serve as a reminder to treat any PCI data in any location with the highest level of security reasonably possible. When the topic of protecting data (in this case, PCI data) arises, the focus is generally on access to the actual site where the data is stored or on the level of access employees have within programs. It would be remiss to omit the actual storage areas in the direct control of employees who handle data every day. Items such as small pieces of paper, reports, and removable electronic media are often overlooked. The same level of security must be given to these seemingly insignificant items. Misplacing or mishandling any of these items when they contain PCI data could lead to adverse results, so they need to be protected.
Media - For the purpose of this policy, media can be defined as including, but not limited to, computers, removable electronic media, paper receipts, paper reports and faxes.
IS010108 Data Classification
IS020107 Physical Security - Data Facilities
IS030502 Data Storage
IS030600 Backup Policy
IS030802 External Sharing
IS030805 PCI Data Retention and Disposal
IS050604 PCI Inventory
ISO/IEC 27002:2013 (More information available upon request)
11.01.02 Physical entry controls
11.01.03 Security offices, rooms, and facilities
Requirement 9: Restrict physical access to cardholder data
 . ISO 11.01.02, 11.01.03 (ISO Policy 090201)
 . PCI DSS 9.5
 . PCI DSS 9.5.1
 . PCI DSS 9.6
 . PCI DSS 9.6.1
 . PCI DSS 9.6.2
 . PCI DSS 9.6.3
 . PCI DSS 9.7
 . PCI DSS 9.7.1
 . PCI DSS 9.8
 . PCI DSS 9.8.1
 . PCI DSS 9.8.2
 . ISO 8.02.03, 11.02.05 (ISO Policy 050405)