PCI DSS 9.4.1: Physically Secure All Cardholder Data Media
PCI DSS 9.4.1 mandates that every physical medium containing cardholder data—from hard drives to printouts—must be protected against unauthorized access and theft. For SMBs handling payment card data, this control is foundational to preventing data breaches that start with physical theft. GRCWatch helps you track, document, and prove media security controls without manual spreadsheets.
What this means
This control requires your organization to implement physical safeguards for all media that stores, processes, or transmits cardholder data. This includes servers, hard drives, backup tapes, USB devices, printed reports, and any other physical storage. The goal is to prevent theft, loss, or unauthorized viewing of sensitive payment card information through non-technical means.
How to comply
- 1.Inventory all media containing cardholder data across your organization, including backups and archived materials
- 2.Store sensitive media in locked, access-controlled facilities such as safes, vaults, or secure server rooms
- 3.Restrict physical access to authorized personnel only, using badge readers, locks, or surveillance
- 4.Implement secure media handling procedures including logging, chain-of-custody tracking, and secure disposal
- 5.Establish a media destruction policy that permanently erases or physically destroys media before disposal
- 6.Monitor and audit physical access logs regularly to detect unauthorized entry attempts
- 7.Document all media storage locations, custodians, and security measures in your compliance records
Evidence auditors look for
- Physical inventory list of all cardholder data media with locations and access controls
- Photographs or video of locked storage facilities and server rooms with keypad/badge access
- Access logs showing authorized personnel entries to restricted areas
- Media handling and chain-of-custody documentation
- Secure disposal certificates from certified destruction vendors
- Backup tape vault procedures and inventory records
- Security incident reports showing any attempted unauthorized physical access
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates media inventory tracking, access log monitoring, and disposal documentation—so you can generate audit-ready evidence for 9.4.1 without tracking spreadsheets across multiple locations.
See how GRCWatch handles this control automatically
Start free trial