PCI DSS 9.4.1.2: Annual Backup Security Review Requirements
PCI DSS 9.4.1.2 requires organizations to review the security of offline media backups containing cardholder data at least once every 12 months. This critical control prevents unauthorized access to sensitive payment card data stored on physical media. Failing this review leaves your organization exposed to breach risks and audit failures.
What this means
Your organization must conduct a formal security review of all offline media backups—including tapes, external drives, and other physical storage—that contain cardholder data at minimum annually. This review must evaluate whether backups are properly encrypted, stored in secure locations, protected from physical tampering, and managed according to your data retention policies. The review should identify gaps in backup security controls and document remediation actions.
How to comply
- 1.Inventory all offline media backups containing cardholder data across your organization
- 2.Document the current security measures protecting each backup (encryption, storage location, access controls)
- 3.Schedule an annual security review meeting with relevant teams (IT, security, compliance)
- 4.Assess encryption strength, physical security, storage environment conditions, and access restrictions
- 5.Evaluate backup retention policies and ensure outdated backups are securely destroyed
- 6.Document review findings, including any security gaps or control weaknesses identified
- 7.Create remediation plans for any identified deficiencies with assigned owners and timelines
- 8.Maintain evidence of the annual review (meeting notes, assessment reports, sign-off documentation)
Evidence auditors look for
- Annual backup security assessment report with date and reviewer signatures
- Inventory list of offline media backups with security control details
- Encryption validation documentation for backup media
- Physical security inspection photographs or facility access logs
- Backup storage location audit confirming secure, climate-controlled environment
- Data retention schedule showing backup lifecycle and destruction dates
- Remediation tickets or action items addressing identified security gaps
- Compliance sign-off document confirming annual review completion
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates backup security review scheduling, maintains a centralized inventory of all offline media containing cardholder data, and generates annual assessment reports with evidence documentation—eliminating manual tracking and ensuring you never miss your 12-month review deadline.
See how GRCWatch handles this control automatically
Start free trial