PCI DSS 9.4.3: Securing Media with Cardholder Data Sent Outside Your Facility
PCI DSS 9.4.3 requires that any media containing cardholder data leaving your facility must be properly secured to prevent unauthorized access or loss. This control is critical for organizations that transport backup tapes, external hard drives, or other physical media containing payment card information. Failing to implement proper media security during transport puts your entire cardholder data environment at risk.
What this means
Control 9.4.3 mandates that all physical media containing cardholder data must be protected whenever it leaves your facility. This includes backup tapes, external drives, printed reports, or any other tangible storage medium. Protection measures must prevent unauthorized viewing, copying, or alteration of the data during transit to off-site storage, destruction vendors, or other locations. The requirement applies regardless of whether media is sent via courier, mail, or employee transport.
How to comply
- 1.Classify all media containing cardholder data and maintain an inventory of items leaving the facility
- 2.Encrypt sensitive data on all media before it leaves your facility, using strong encryption standards
- 3.Use tamper-evident containers or seals when shipping media off-site to detect unauthorized access
- 4.Implement chain-of-custody procedures documenting who transports media, when, and to where
- 5.Require secure delivery methods such as tracked courier services or hand-delivery by authorized personnel
- 6.Establish written agreements with third-party transporters requiring adherence to your media protection standards
- 7.Log all instances of media leaving the facility, including destination, contents, and responsible parties
- 8.Verify receipt of media at its destination and confirm it remains uncompromised upon arrival
- 9.Destroy media securely at off-site locations or use certified destruction vendors with documented destruction certificates
Evidence auditors look for
- Documented media classification policy specifying which data requires protection during transport
- Encryption certificates or configuration screenshots showing media encryption settings before off-site transport
- Chain-of-custody forms signed by sender and receiver with media description, date, and carrier information
- Courier service agreements or contracts specifying security requirements for shipment handling
- Tracking numbers and delivery confirmations from couriers showing media arrival at destination
- Tamper-evident seal logs documenting when seals are applied and verified
- Media destruction certificates from certified vendors confirming secure disposal of off-site media
- Access logs showing who shipped media, what was shipped, and approval authority
- Third-party vendor agreements with security clauses for handling cardholder data media
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically tracks all media movements, encrypts sensitive data before transport, and generates chain-of-custody documentation to prove 9.4.3 compliance without manual record-keeping.
See how GRCWatch handles this control automatically
Start free trial