Physical Security of Media
PCI DSS 4.0.1 Requirement 9.4.1 requires you to physically secure all media that contains cardholder data (CHD), so unauthorized people cannot access, remove, view, or steal it. To operationalize it fast, identify every CHD-bearing media type, define “secure” states (storage, transport, use, disposal), implement locked storage and controlled access, and keep logs proving it. (PCI DSS v4.0.1 Requirement 9.4.1)
Key takeaways:
- Scope first: you can’t secure what you haven’t inventoried (paper, removable media, backups, devices).
- “Physically secured” must be true across the full media lifecycle: store, move, use, retire.
- Evidence wins audits: access restrictions plus repeatable procedures plus records that show you followed them.
“Physical security of media” sounds narrow until you map it to real operations: file rooms, printers, mailrooms, on-site backups, laptops, break/fix shipments, and third-party storage. PCI DSS 4.0.1 Requirement 9.4.1 is short, but assessments are not. Auditors will test whether you can prove that any media containing cardholder data stays under physical control, in approved locations, and in containers that block casual access and opportunistic theft. (PCI DSS v4.0.1 Requirement 9.4.1)
For a Compliance Officer, CCO, or GRC lead, the fastest path is to translate the requirement into a small set of enforceable operational rules: what counts as media, who may handle it, where it may live, how it’s locked, how it moves, and what records you retain. You will also need to align Facilities, IT, Security Operations, and any third party that stores or transports CHD media with the same handling expectations. This page is written to help you implement quickly: a scoping method, minimum viable controls, exam-ready evidence, and an execution plan you can hand to operators.
Regulatory text
Excerpt: “All media with cardholder data is physically secured.” (PCI DSS v4.0.1 Requirement 9.4.1)
Operator interpretation (what an assessor expects you to be able to show)
- All media: Any form factor that can store or display CHD, including paper records, removable electronic media, backup media, and end-user devices that may hold CHD.
- With cardholder data: If CHD is present (even temporarily), the item is in scope until it is securely destroyed or sanitized per your process.
- Physically secured: Media is stored and handled so unauthorized individuals cannot access it. In practice, that means locked storage, controlled distribution, restricted areas, and procedures that prevent “unattended exposure” (printer output, open boxes, unlocked cabinets, unsecured shipments). (PCI DSS v4.0.1 Requirement 9.4.1)
Plain-English requirement
If something contains cardholder data, it must be kept in a physically controlled place, under controlled handling, so the wrong person can’t see it or take it. That applies whether the media is sitting in a cabinet, being carried to another site, stored offsite by a third party, or waiting for destruction. (PCI DSS v4.0.1 Requirement 9.4.1)
Who it applies to
Applies to any organization in PCI scope that stores, processes, or transmits cardholder data and has media that contains CHD:
- Merchants: retail, e-commerce operations with chargeback files, paper receipts, customer service notes, or exported reports.
- Service providers and payment processors: data centers, NOCs, customer support, fraud/chargeback operations, print-and-mail functions.
- Operational contexts you must cover:
  - Corporate offices (file rooms, shipping/receiving, mailroom)
  - Call centers and customer support (paper notes, printed reports)
  - IT operations (backup tapes/drives, break/fix returns, decommissioned hardware)
  - Remote work and travel (laptops, print-at-home risk, portable drives)
  - Third parties (offsite storage, shredding, courier services)
What you actually need to do (step-by-step)
1) Build a media inventory tied to CHD flows
Create a list of every media type and location where CHD can exist. Don’t debate “likelihood” yet; focus on completeness.
- Paper: receipts, mailed forms, dispute packets, printed settlement reports
- Removable: USB drives, external hard drives, backup tapes
- Devices: laptops, desktops used for exporting CHD, POS components that store CHD, multifunction printers with local storage
- “Transient” media: printer trays, fax machines, scan-to-email staging, shared inbox printing
Deliverable: a media inventory/register with owner, location, purpose, and lifecycle state(s).
2) Define “secure states” across the media lifecycle
For each media category, define required controls for:
- Storage (where it sits)
- Access/Use (who can retrieve and view it)
- Transport (how it moves between rooms/sites/third parties)
- End-of-life (how it is destroyed or sanitized)
Keep the definitions simple enough to enforce: “Locked cabinet in access-controlled room” is enforceable; “stored securely” is not. This step is how you turn the one-line requirement into auditable practice. (PCI DSS v4.0.1 Requirement 9.4.1)
3) Implement physical safeguards by media class
Use a control set that matches your risk and operations:
Paper with CHD
- Store in locked cabinets/rooms; restrict keys/badges to authorized roles.
- Add clean-desk and secure-print expectations where printing occurs.
- Prevent unattended output: require immediate pickup and locked disposal bins.
Removable/backups
- Store in locked safes/cabinets with access limited to a small operational group.
- Use check-in/check-out tracking for removal from storage.
- If moved offsite, require sealed containers and documented chain-of-custody.
Devices that may hold CHD
- Physically secure devices in controlled areas (locked office, restricted room).
- For laptops, require secure storage when unattended (locked drawer/cabinet) and an approved transport practice (kept under personal control; never left visible in vehicles).
- For printers/MFPs, control access to the device area and manage any internal storage as in-scope media.
4) Control access with named authorization and logging
Define who is allowed to handle CHD media, by role. Then make it real:
- Access list for rooms/cabinets/safes
- Key/badge issuance records tied to HR status (joiner/mover/leaver)
- Visitor controls for areas where media is stored or handled
Assessors commonly test whether access lists are current and whether access for departed staff was removed promptly.
5) Operationalize transport and third-party handoffs
Media handling breaks during handoffs. Add explicit rules:
- Approved couriers or third parties only.
- Packaging standards (sealed, tamper-evident if available in your operations).
- Chain-of-custody record from release to receipt.
- For offsite storage or shredding, require written procedures and evidence returned (e.g., destruction confirmation) aligned to your internal handling rules. (PCI DSS v4.0.1 Requirement 9.4.1)
6) Train the people who touch media, not the whole company
Targeted training beats broad awareness. Train:
- Mailroom/shipping and receiving
- IT operations and field services
- Customer support teams that print or compile CHD packets
- Facilities/security staff who manage access control
Training should include “what counts as CHD media,” where it may be stored, and what to do if found unsecured.
7) Run periodic spot checks and fix drift
Build a lightweight assurance routine:
- Walkthroughs of storage areas
- Printer output checks
- Random sampling of chain-of-custody records
- Verification that access lists match current staff
Document findings and corrective actions. Drift is what auditors find.
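Two of the step 7 spot checks, sampling chain-of-custody records and verifying access lists against current staff, can be run as a script over the records you already keep. The example below is added here and is not part of the original page or a Daydream feature; the custody log, cabinet access list and HR roster are constructed sample data, and the five-day receipt window is an assumed internal rule, not a PCI DSS value.

```python
"""Spot-check PCI DSS 9.4.1 evidence: custody records and storage access lists."""
from datetime import date

# Constructed chain-of-custody log: one entry per release of CHD media from
# controlled storage. Dates are ISO strings; None means "no record on file".
CUSTODY_LOG = [
    {"media_id": "TAPE-0412", "released": "2024-05-01", "to": "Offsite storage",
     "received": "2024-05-02", "destroyed": None},
    {"media_id": "BOX-0077", "released": "2024-05-03", "to": "Shredding vendor",
     "received": "2024-05-03", "destroyed": None},   # no destruction confirmation
    {"media_id": "HDD-0219", "released": "2024-04-20", "to": "Offsite storage",
     "received": None, "destroyed": None},           # never signed in at destination
]

# Constructed access list for one locked cabinet, and the HR roster it must match.
CABINET_ACCESS = {"CAB-FILEROOM-2": ["a.rivera", "j.chen", "m.okafor"]}
HR_ROSTER = {"a.rivera": "active", "j.chen": "terminated", "p.singh": "active"}


def custody_findings(log, today, receipt_sla_days=5):
    """Return one finding per custody gap: a release with no receipt after the
    assumed internal SLA, or a shredding handoff with no destruction confirmation."""
    today = date.fromisoformat(today)
    findings = []
    for rec in log:
        if rec["received"] is None:
            age = (today - date.fromisoformat(rec["released"])).days
            if age > receipt_sla_days:
                findings.append(f'{rec["media_id"]}: released to {rec["to"]} on '
                                f'{rec["released"]}, no receipt after {age} days')
        elif rec["to"] == "Shredding vendor" and rec["destroyed"] is None:
            findings.append(f'{rec["media_id"]}: received by shredding vendor, '
                            'no destruction confirmation on file')
    return findings


def stale_access(access_lists, roster):
    """Return (location, user) pairs where the user is not an active employee,
    covering both terminated staff and names missing from the roster entirely."""
    return [(loc, user) for loc, users in access_lists.items()
            for user in users if roster.get(user) != "active"]


if __name__ == "__main__":
    for finding in custody_findings(CUSTODY_LOG, "2024-05-10"):
        print("CUSTODY:", finding)
    for loc, user in stale_access(CABINET_ACCESS, HR_ROSTER):
        print("ACCESS:", loc, user, "-> revoke and record corrective action")
```

Each finding is a corrective-action item for the location owner; keep the script output with the spot-check record so the assessor sees both the check and the remediation.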
Required evidence and artifacts to retain
Keep artifacts that prove both design and operation:
Governance and procedure
- Media handling and physical security procedure covering storage, transport, and disposal (PCI DSS v4.0.1 Requirement 9.4.1)
- Media inventory/register with owners and locations
- Role-based authorization matrix for media handling
Physical and access controls
- List of secure storage locations (cabinets/safes/rooms) and responsible owners
- Access control lists (badge groups, key logs) for those locations
- Visitor logs for restricted areas where CHD media is present
Operational records
- Check-in/check-out logs for removable media and backups
- Chain-of-custody forms for transfers to offsite storage, shredding, or other third parties
- Incident records for lost media/unsecured media discoveries and remediation steps
Assurance
- Spot check/audit results and corrective action tracking
- Training completion records for in-scope roles
Common exam/audit questions and hangups
Expect questions like:
- “Show me your inventory of media containing CHD and where it is stored.” If you can’t produce a list, the assessor will expand sampling.
- “Who can access this cabinet/room, and how do you know access is current?” Stale access lists are a frequent finding.
- “How do you prevent printed CHD from sitting on a printer?” If you don’t have a defined process, your answer will be judged against observed behavior.
- “Walk me through a transfer to offsite storage/shredding.” They will ask for evidence of release and receipt/destruction. (PCI DSS v4.0.1 Requirement 9.4.1)
Frequent implementation mistakes (and how to avoid them)
- Treating “media” as only backup tapes. Fix: include paper, printer output, devices, and decommissioned hardware in the inventory.
- Relying on policy language without physical reality. Fix: map each media type to a specific storage control (locked container + controlled access) and test it onsite.
- No chain-of-custody for handoffs. Fix: require a simple form/log and enforce it for every offsite movement.
- Unclear ownership. Fix: assign an owner per storage location and per media class; owners maintain access lists and records.
- Assuming a third party “handles it.” Fix: require evidence from the third party (receipts, destruction confirmation) and keep it with your records. (PCI DSS v4.0.1 Requirement 9.4.1)
Enforcement context and risk implications
No public enforcement cases were provided in the available source catalog, so this page does not cite specific actions. Practically, failures in physical security of CHD media create direct breach pathways: theft of paper records, lost shipments, unauthorized access to backups, and inadvertent exposure through unattended printing. The risk is amplified because physical incidents often bypass logical controls and can be hard to detect after the fact.
Practical 30/60/90-day execution plan
First 30 days (stabilize and scope)
- Appoint owners for CHD media categories (paper, removable/backups, devices, third-party handoffs).
- Build the initial media inventory and identify all storage locations.
- Identify “highest exposure” points: printers, shared file rooms, mailroom/shipping, IT storage closets.
- Implement immediate fixes: lock cabinets, restrict keys/badges, stop ad hoc storage. (PCI DSS v4.0.1 Requirement 9.4.1)
By 60 days (standardize and evidence)
- Publish a media physical security procedure with lifecycle rules (store/move/use/dispose).
- Implement logging where media leaves controlled storage (check-out and chain-of-custody).
- Train the teams that handle media and document completion.
- Start spot checks and record findings plus remediation actions.
By 90 days (prove operating effectiveness)
- Expand spot checks to cover each site and each media class in scope.
- Reconcile access lists against HR rosters; remove access that no longer matches job role.
- Validate that third-party handoff evidence is complete and retrievable.
- Prepare an assessor-ready evidence pack: procedure, inventory, access lists, logs, and recent spot check results. (PCI DSS v4.0.1 Requirement 9.4.1)
Where Daydream fits
If you manage PCI scope across multiple sites and third parties, Daydream can serve as the system of record for your media inventory, control owners, and evidence collection workflows, so you can produce assessor-ready artifacts without chasing spreadsheets and email threads.
Frequently Asked Questions
Does “media” include paper receipts and printed reports?
Yes, if the paper contains cardholder data, it is in scope and must be physically secured. Treat file rooms, cabinets, and printer output areas as part of your control boundary. (PCI DSS v4.0.1 Requirement 9.4.1)
Are laptops or desktops considered “media” under this requirement?
If a device stores cardholder data (even through exports, cached files, or local reports), it effectively becomes CHD media and must be physically secured. Handle it with controlled storage when unattended and restricted access to the spaces where it is used. (PCI DSS v4.0.1 Requirement 9.4.1)
What’s the minimum evidence an auditor will accept?
Expect to show a media inventory, documented procedures for physical security, access restrictions for storage areas, and operational records (check-out/chain-of-custody) that demonstrate the process is followed. (PCI DSS v4.0.1 Requirement 9.4.1)
We use a third party for offsite storage or shredding. Are we still responsible?
You remain responsible for meeting the requirement for media containing CHD, even if a third party performs storage or destruction. Require chain-of-custody and destruction/receipt evidence and retain it with your compliance records. (PCI DSS v4.0.1 Requirement 9.4.1)
How do we handle “temporary” CHD printouts used for investigations or chargebacks?
Treat them as in-scope media from creation to destruction. Limit who can print, require immediate pickup, store them in locked cabinets when not in use, and record destruction according to your process. (PCI DSS v4.0.1 Requirement 9.4.1)
What if we can’t fully eliminate ad hoc printing in customer support?
Don’t rely on intent. Define approved printers/areas, require secure storage for any retained pages, and implement spot checks plus remediation when staff leave CHD unattended. (PCI DSS v4.0.1 Requirement 9.4.1)