visibly distinguishes the visitors from onsite personnel.

9.4.3 Visitors are asked to surrender the badge or identification before leaving the facility or at the date of expiration.
You are responsible for maintaining appropriate policies and processes.

9.4.4 A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted. Document the visitor’s name, the firm represented, and the onsite personnel authorizing physical access on the log. Retain this log for a minimum of three months,
You are responsible for maintaining appropriate policies and processes.

9.5 Physically secure all media.

9.5.1 Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location’s security at least annually.
It is your responsibility to ensure the security of your physical environment.

9.6 Maintain strict control over the internal or external distribution of any kind of media, including the following:

9.6.1 Classify media so the sensitivity of the data can be determined.
You are responsible for maintaining appropriate policies and processes.

9.6.2 Send the media by secured courier or other delivery method that can be accurately tracked.
You are responsible for maintaining appropriate policies and processes.

9.6.3 Ensure management approves any and all media that is moved from a secured area (including when media is distributed to individuals).
You are responsible for maintaining appropriate policies and processes.

9.7 Maintain strict control over the storage and accessibility of media.

9.7.1 Properly maintain inventory logs of all media and conduct media inventories at least annually.
You are responsible for maintaining appropriate policies and processes.

9.8 Destroy media when it is no longer needed for business or legal reasons as follows:
PCI Instruction Guide
© Toast 2018