Does media containing cardholder data (for example, backup tapes or disks) need to be physically labeled as confidential for PCI DSS Requirement 9.6.1?
The objective of PCI DSS Requirement 9.6.1 “Classify media so the sensitivity of the data can be determined,” is to ensure that media is controlled and protected against inadvertent or unintentional exposure. There is no requirement to physically label media. Instead, companies must have processes to classify and identify all media containing cardholder data that is sensitive or confidential and ensure appropriate protection is applied to that media. Companies can then rely on their processes for classifying and protecting that media, in essence treating it as confidential without the specific requirement to provide a physical label.
(Note: PCI DSS Requirement numbers refer to PCI DSS version 3)
Article Number: 1129