GRCWatch
Sign inStart free trial

PCI DSS 9.4.2: Classify All Cardholder Data Media by Sensitivity

Cardholder data exists across multiple physical and digital media types—and attackers know exactly where to look. PCI DSS 9.4.2 requires you to classify every piece of media containing cardholder data based on its sensitivity level. Without proper classification, you risk losing track of critical assets and failing audits.

What this means

Control 9.4.2 mandates that your organization establish and maintain a classification system for all media containing cardholder data. This means categorizing storage devices, documents, backups, and other media according to how sensitive the data they hold is. Classification drives downstream controls like handling, storage, destruction, and access policies. Media containing full Primary Account Numbers (PANs) requires stricter controls than media with masked or encrypted data. This foundational control ensures sensitive assets receive appropriate protection proportional to their risk level.

How to comply

  1. 1.Inventory all physical and digital media that stores, processes, or transmits cardholder data
  2. 2.Define classification levels (e.g., Confidential, Restricted, Internal) tied to data sensitivity and compliance requirements
  3. 3.Assign each media type to the appropriate classification based on the cardholder data it contains
  4. 4.Document your classification scheme in your data protection or information security policies
  5. 5.Apply classification labels or tags to physical media and implement metadata tagging for digital storage
  6. 6.Train personnel on the classification system and its implications for handling each media type
  7. 7.Review and update classifications annually or when new media types are introduced

Evidence auditors look for

  • Written data classification policy defining sensitivity levels and criteria for cardholder data media
  • Inventory spreadsheet or database listing all media types with assigned classification levels
  • Physical media labeled with classification markings (e.g., 'Confidential - PCI Data')
  • Digital asset management system or tags showing classification for storage devices and backups
  • Documentation linking classification levels to specific handling, access, and destruction procedures
  • Employee acknowledgment records confirming training on the classification scheme
  • Audit logs showing regular review and updates to media classifications

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates media inventory discovery and classification tagging, so you can track all cardholder data storage locations and ensure each receives the right protection level—without manual spreadsheets.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 9.4.1 - Implement physical and logical controls to restrict access to mediaPCI DSS 9.4.3 - Define and implement media handling procedures based on classificationPCI DSS 9.7 - Control media movement and destructionPCI DSS 3.4 - Restrict access to cardholder data to those with legitimate business need