Overview
In accordance with Payment Card Industry Data Security Standards (PCI DSS) requirements, UIT PCI Compliance Services has established a formal policy and supporting procedures concerning storage, distribution, and classification. This policy is to be implemented immediately. It will be evaluated annually to ensure its adequacy and relevance to UIT-PCI Compliance Services’ needs and goals.
Policy
UIT-PCI Compliance Services will ensure that the Media Storage, Distribution and Classification Policy adheres to the following conditions for purposes of complying with the Payment Card Industry Data Security Standards (PCI DSS) initiatives (PCI DSS Requirements and Security Assessment Procedures):
- Controls for physically securing all media (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes) are to be in place for protecting cardholder data.
- Media backups are to be stored in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location’s security at least annually.
- All media is to be appropriately classified so the sensitivity of the data can be determined.
- All media is to be sent by secured courier or other delivery method, so that it can be accurately tracked.
- Management is to approve any and all media that is moved from a secured area (including when media is distributed to individuals).
- Strict control is to be maintained over the storage and accessibility of media.
- Inventory logs of all media are to be maintained, with media inventory procedures undertaken at least annually.
Responsibility for Policy Maintenance
UIT’s PCI Compliance service is responsible for ensuring that the aforementioned policy is kept current as needed for purposes of compliance with the Payment Card Industry Data Security Standards (PCI DSS) initiatives.