Offline Media Backup Location Review

PCI DSS requires you to review the security of every offline media backup location at least annually and be able to prove the review happened and drove fixes. Operationally, that means defining what “offline media” includes, inventorying where it’s stored, running a documented physical-security assessment, remediating gaps, and retaining evidence that an assessor can trace end-to-end. (PCI DSS v4.0.1 Requirement 9.4.1.2)

Key takeaways:

  • Scope first: you must know every offline backup location and media type you use before the annual review means anything.
  • The “review” is a control test of physical and procedural security, not a paper policy check.
  • Evidence must show: locations in scope, review steps performed, findings, remediation, and re-test/closure.

“Offline media backup location review” is a straightforward requirement with a common failure mode: teams treat it as a policy attestation instead of an inspection and test of the place where offline backups live. PCI DSS 4.0.1 Requirement 9.4.1.2 is short, but assessors will expect you to show the full chain of control: what you consider offline media, where it is stored, how the location is protected, who can access it, and how you periodically validate those protections are still effective. (PCI DSS v4.0.1 Requirement 9.4.1.2)

This requirement applies whether backups are on tapes in a cage, removable drives in a safe, or offline encrypted disks stored with a third party. The annual review is the moment you confirm the location’s security still matches your documented expectations and that changes over the year (facilities moves, access control system changes, staffing changes, storage vendor changes) didn’t quietly introduce risk.

Done well, this becomes a repeatable, auditable routine that reduces both compromise risk (backup theft/tampering) and recovery risk (missing, damaged, or inaccessible backups). Done poorly, it becomes a scramble during a PCI assessment because nobody can prove that the location was actually reviewed.

Regulatory text

Requirement: “The security of the offline media backup location(s) is reviewed at least once every 12 months.” (PCI DSS v4.0.1 Requirement 9.4.1.2)

What the operator must do: At least annually, perform and document a security review of each offline backup storage location. The review must evaluate whether physical, environmental, and procedural controls for that location are functioning as intended, and you must track findings through remediation so you can show the control works in practice. (PCI DSS v4.0.1 Requirement 9.4.1.2)

Plain-English interpretation (what this means in practice)

You have offline backups because they protect you from ransomware, accidental deletion, and certain system failures. PCI DSS is asking one simple question: Is the place where you store those offline backups still secure? (PCI DSS v4.0.1 Requirement 9.4.1.2)

“Review” should be read as a control check that includes:

  • Verifying the location’s physical protections (restricted entry, locks, monitoring where applicable).
  • Confirming access is limited to approved personnel and that access paths are controlled.
  • Checking operational procedures: logging, media handling, transport, chain-of-custody, and secure destruction where relevant.
  • Documenting gaps and driving them to closure.

Who it applies to

Entities: Merchants, service providers, payment processors in scope for PCI DSS. (PCI DSS v4.0.1 Requirement 9.4.1.2)

Operational context (where teams trip up):

  • Multiple sites: HQ plus branch offices storing removable drives in local safes.
  • Co-location or data center cages: Offline media stored in shared facilities with facility-managed controls.
  • Third-party storage: A third party holds tapes or disks offsite. You still own the requirement; you may rely on third-party evidence, but you must review it and close gaps.
  • “Offline” but not “offsite”: A safe inside your own office still counts as a location that needs review.

What you actually need to do (step-by-step)

1) Define “offline media” for your environment

Write a short scoping statement that names what you treat as offline backup media. Examples include: backup tapes, removable HDD/SSD, offline NAS that is physically disconnected, encrypted removable media stored for disaster recovery.

Output: “Offline Media Definition & Scope” paragraph in your backup/physical security standard.

2) Build and maintain an inventory of offline backup locations

Create a location register that is specific enough for an assessor to test. Include:

  • Location name and address (or facility identifier), room/cage/safe identifier
  • Media types stored there
  • Owner (role) and custodian (role)
  • Third party involved (if any)
  • Access control method (badge, key, combination, dual control)
  • Logging method (entry logs, badge reports, sign-in sheets)
  • Environmental protections relevant to your risk (fire/water protections if applicable to your program)

Operator tip: Don’t bury this in a CMDB that doesn’t track safes, cages, or offsite vaults. A simple register works if it is owned and kept current.

3) Set the annual review procedure (what “reviewed” means)

Turn the requirement into a repeatable checklist with pass/fail criteria. Your checklist should cover, at minimum:

A. Physical access controls

  • Entry restrictions to the storage area (doors, cages, safes)
  • Key/badge control and who administers it
  • Evidence of access review (who currently can access)

B. Monitoring and logging

  • How entries are logged (automated badge report or manual log)
  • Whether logs are retained and can be produced
  • How exceptions are handled (lost key, forced entry, tailgating reports)

C. Media handling controls

  • Chain-of-custody for media movement
  • Secure transport requirements (sealed containers, authorized couriers if used)
  • Labeling rules (avoid sensitive labels that advertise contents)
  • Storage rules (locked cabinet/safe, segregation if needed)

D. Environmental and integrity checks

  • Signs of damage, tampering, or deterioration
  • Appropriate storage conditions per your internal standards (document what you expect and verify against it)

E. Third-party dependencies

  • If a third party stores media: obtain their evidence (site/security attestation, SOC report excerpt if available to you, or their security summary and access controls) and document your review of it.

4) Execute the review (not just a desk audit)

Perform the review using a combination of:

  • Walkthrough/inspection (on-site when you control the facility; otherwise, documented third-party evidence plus your own review notes)
  • Interviews with the custodian and facilities/security contacts
  • Evidence sampling such as an access list pull, a recent access log extract, and a spot-check that media is actually stored as stated

Practical approach: Treat this like a mini-audit of a single physical control domain. You are trying to answer: “Could an unauthorized person obtain, alter, or destroy backups without detection?”

5) Document findings and remediation

For each gap, record:

  • Finding statement (what failed and where)
  • Risk statement (why it matters in operational terms)
  • Owner and due date (internal)
  • Corrective action and completion evidence
  • Closure sign-off and date

6) Management review and retention

Have an accountable leader (often IT Security, Infrastructure, or BCM/DR owner) approve the results and confirm remediation tracking.

7) Make it continuous (so the annual review is easy)

Changes that should trigger an out-of-cycle check:

  • Office move, data center move, cage changes
  • Access control system migration
  • Custodian role changes or staffing turnover
  • Third-party storage vendor changes
  • Repeated access anomalies or incident learnings
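The steps above (register fields, the 12-month rule, and the change triggers) can be turned into a simple pre-assessment check. The script below is an added illustration, not part of PCI DSS or any GRC product; the field names, flag strings and the 60-day lead time are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed example (not PCI DSS text): encodes the register fields from
# step 2, the 12-month rule from 9.4.1.2 and the change triggers from step 7.
REQUIRED_FIELDS = ("name", "facility_id", "media_types", "owner",
                   "custodian", "access_method", "logging_method")
CHANGE_TRIGGERS = {"move", "cage_change", "access_system_migration",
                   "custodian_change", "vendor_change", "access_anomaly"}
DUE_SOON_DAYS = 60   # assumed lead time for scheduling the next review

@dataclass
class Location:
    register: dict                          # one row of the location register
    last_review: Optional[date] = None      # date of the last documented review
    changes_since_review: list = field(default_factory=list)

def annual_deadline(last_review):
    """Latest date for the next review: 12 months after the last one."""
    try:
        return last_review.replace(year=last_review.year + 1)
    except ValueError:                      # 29 Feb rolled into a non-leap year
        return last_review.replace(year=last_review.year + 1, day=28)

def assess(loc, today):
    """Return sorted flags the owner must act on before the assessor asks."""
    flags = []
    missing = [f for f in REQUIRED_FIELDS if not loc.register.get(f)]
    if missing:
        flags.append("register_incomplete:" + ",".join(missing))
    if loc.last_review is None:
        flags.append("never_reviewed")
    else:
        deadline = annual_deadline(loc.last_review)
        if today > deadline:
            flags.append("overdue")
        elif deadline - today <= timedelta(days=DUE_SOON_DAYS):
            flags.append("due_soon")
    if CHANGE_TRIGGERS.intersection(loc.changes_since_review):
        flags.append("out_of_cycle_check")
    return sorted(flags)

if __name__ == "__main__":
    hq_safe = Location({"name": "HQ safe", "facility_id": "HQ-2F-S1",
                        "media_types": ["LTO tape"], "owner": "Infra Mgr",
                        "custodian": "DR Lead", "access_method": "dual control",
                        "logging_method": "sign-in sheet"},
                       last_review=date(2024, 3, 1))
    print(assess(hq_safe, date(2025, 2, 1)))   # ['due_soon']
```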

Required evidence and artifacts to retain

Assessors want traceability. Keep a tidy evidence packet per location:

Core artifacts

  • Offline backup location register (current as of review date)
  • Annual review checklist/workpaper completed and signed
  • Photos or floorplan excerpts if your policy allows (redact sensitive details)
  • Access list for the location (authorized personnel) as of the review date
  • Access log extract or logbook sample demonstrating logging
  • Chain-of-custody templates and at least a small sample of completed records (if you move media)
  • Findings/remediation tracker entries plus closure evidence

Third-party storage artifacts (if applicable)

  • Third party’s provided security evidence (whatever you can contractually obtain)
  • Your documented evaluation and any follow-up questions/remediation requests
  • Contract/SOW clause excerpt that requires security controls and evidence delivery (keep it simple and relevant)

Common assessment/audit questions and hang-ups

Expect these questions from a PCI assessor or internal audit:

  1. “Show me all offline media backup locations.”
    If your inventory is incomplete, you fail before the control test starts.

  2. “What did you do during the review?”
    A policy statement that says “we review annually” is not the review.

  3. “Who can access the location today, and how do you know?”
    They will want an access list and evidence it is managed.

  4. “Prove the review occurred within the required period.”
    Have a dated report, ticket, or signed checklist.

  5. “What changed since last year, and how did you account for it?”
    A review that ignores facility changes looks performative.

Frequent implementation mistakes (and how to avoid them)

  • Mistake: Treating the requirement as a once-a-year policy acknowledgement
    Why it fails in assessment: No control testing, no evidence of an actual security review
    Fix: Use a checklist with objective tests and retain artifacts

  • Mistake: Incomplete location inventory
    Why it fails in assessment: Undermines assurance; the assessor can’t trust scope
    Fix: Maintain a single register owned by a named role

  • Mistake: Ignoring third-party storage
    Why it fails in assessment: You still must review location security
    Fix: Contract for evidence, review it, document follow-ups

  • Mistake: No remediation trail
    Why it fails in assessment: The review exists but doesn’t reduce risk
    Fix: Track findings to closure with proof and sign-off

  • Mistake: Review done by someone who owns the area with no independent check
    Why it fails in assessment: Perceived conflict of interest
    Fix: Add a second reviewer from security, GRC, or internal audit

Enforcement context and risk implications

No public enforcement cases were provided in the available source catalog for this specific requirement. Practically, the risk is direct: offline backups often contain sensitive data and can enable restoration. If an attacker steals or tampers with offline media, you can face both confidentiality exposure and impaired recovery. The annual location review is the control that proves you are not relying on assumptions about physical security that drift over time. (PCI DSS v4.0.1 Requirement 9.4.1.2)

Practical 30/60/90-day execution plan

Use this if you need to operationalize quickly without waiting for a full program redesign.

First 30 days (stand up the control)

  • Name an owner for offline media locations and a reviewer role (Security/GRC).
  • Draft the offline media definition and scoping statement.
  • Build the offline media backup location register (start with what you know, then validate with Infrastructure, DR, and Facilities).
  • Create a one-page review checklist and an evidence folder structure per location.

Days 31–60 (perform reviews and fix obvious gaps)

  • Execute the review for each known location using the checklist.
  • Collect access lists/log samples and chain-of-custody records where relevant.
  • Open remediation items for gaps that are unambiguous (broken locks, missing logs, unclear ownership, outdated access list).
  • If a third party is involved, request their evidence and set a due date; document your follow-ups.

Days 61–90 (make it durable for the next cycle)

  • Close or materially progress remediation items; document closure evidence.
  • Add a change trigger: require Infrastructure/Facilities to notify the control owner when a location, safe, cage, or access system changes.
  • Set an annual recurrence in your GRC calendar with assigned owners and pre-defined evidence requirements.
  • If you use Daydream for compliance operations, map the requirement to a recurring task, attach the location register template, and centralize evidence so the next PCI assessment is retrieval, not archaeology.

Frequently Asked Questions

What counts as an “offline media backup location” for PCI DSS?

Any place where offline backup media is stored, such as a safe, locked cabinet, cage, or third-party vault. If the backups are stored on media that is not continuously accessible from production systems, treat the storage place as in scope for the annual review. (PCI DSS v4.0.1 Requirement 9.4.1.2)

Does the annual review have to be an on-site physical inspection?

PCI DSS requires the location’s security to be reviewed annually, but it does not prescribe the method. If you cannot inspect (for example, third-party storage), obtain credible evidence from the third party and document your evaluation and any follow-ups. (PCI DSS v4.0.1 Requirement 9.4.1.2)

If we have multiple safes in different offices, can we review them together?

You can run one review campaign, but each location needs its own documented results and evidence. Assessors will test at the location level, not just the program level. (PCI DSS v4.0.1 Requirement 9.4.1.2)

What evidence is most persuasive to a PCI assessor?

A dated, completed checklist tied to a location register, plus access authorization lists and access log samples for the same period. Add remediation tickets with closure evidence to show the review drove action. (PCI DSS v4.0.1 Requirement 9.4.1.2)

How do we handle offline backups stored with a third party that won’t share much detail?

Start with contract language that requires security evidence delivery and define minimum acceptable artifacts. If evidence remains limited, document the limitation, your risk decision, and compensating steps (for example, stronger encryption and stricter chain-of-custody on transport) within what you can control. (PCI DSS v4.0.1 Requirement 9.4.1.2)

Our backups are encrypted. Do we still need to review the storage location?

Yes. Encryption reduces confidentiality risk, but it does not eliminate risks like theft, destruction, tampering, or loss that can block recovery. The requirement is about the security of the location itself. (PCI DSS v4.0.1 Requirement 9.4.1.2)

