Data-in-transit protection and physical media handling
Primary statement
Data in transit is protected through: (1) confidentiality, integrity, and availability of data-in-transit (NIST PR.DS-02) — TLS 1.2+ minimum, TLS 1.3 preferred, with strong cipher suites; (2) backup data-in-transit protection (NIST PR.DS-11); (3) physical media containing cardholder data or sensitive data inventoried + protected + classified + securely destroyed (PCI 9.4.1 / 9.4.5 / 9.2); (4) incident data integrity and provenance preservation in transit (NIST RS.AN-07). The "transit" definition includes electronic AND physical movement.
Audit-fatigue payoff
A unified transit-protection programme — TLS posture + media handling + physical media inventory + chain-of-custody — satisfies data-in-transit requirements across all 9 contributing frameworks. The PCI DSS 9.4.x media inventory discipline extends usefully to non-PCI data.
Strictness matrix
Scope
Scope: confidentiality, integrity, AND availability of data-in-transit. Three properties (not just confidentiality). Includes electronic transmission AND physical media movement (PCI 9.2).
Ceiling source: nist_csf:PR.DS-02
Rationale: NIST CSF PR.DS-02 three-property scope is the audit-defensible specification. Extends to physical media per PCI 9.2.
Threshold
Threshold for physical media: inventory logs maintained, inventory conducted at least once every 12 months, discrepancies investigated. For electronic transit: TLS 1.2 minimum with strong cipher suites (TLS 1.3 preferred).
Ceiling source: pci_dss:PCI.9.4.5
Rationale: PCI DSS 9.4.5 annual inventory is the audit-defensible threshold for physical media. TLS 1.2 minimum is the consistent electronic threshold.
Method
Method: (1) TLS 1.2+ for all electronic transit (TLS 1.3 preferred) with strong cipher suites; (2) certificate management with rotation cadence; (3) backup data encrypted in transit (PR.DS-11); (4) physical media containing sensitive data inventoried, classified, secured, destroyed when no longer needed (PCI 9.2); (5) chain-of-custody for physical media movement; (6) integrity verification for incident data in transit (RS.AN-07); (7) periodic TLS posture review (Qualys SSL Labs or equivalent).
Ceiling source: nist_csf:PR.DS-02
Rationale: NIST CSF PR.DS-02 combined with PCI 9.x media handling is the most comprehensive method.
Frequency
Physical media inventory: at least once every 12 months. TLS posture review: continuous monitoring + quarterly deep-review. Certificate rotation: per CA lifecycle (typically 1-2 years; Let's Encrypt 90 days). Backup encryption-in-transit verification: per backup cycle.
Ceiling source: pci_dss:PCI.9.4.5
Rationale: PCI 9.4.5 annual media inventory is the pass/fail cadence threshold.
Evidence
Required evidence: (1) TLS posture inventory per service with cipher suites; (2) certificate inventory + rotation evidence; (3) backup encryption-in-transit configuration (PR.DS-11); (4) physical media inventory with annual count (PCI 9.4.5); (5) media classification and protection evidence (PCI 9.2); (6) chain-of-custody for physical media; (7) incident data integrity / provenance records (RS.AN-07).
Ceiling source: nist_csf:PR.DS-02
Rationale: NIST CSF PR.DS-02 evidence combined with PCI 9.x media evidence is comprehensive.
Auditor test pattern
Step 1: Sample 3 services and verify TLS 1.2+ with strong ciphers (Qualys SSL Labs or equivalent). Step 2: Inspect certificate rotation evidence. Step 3: Verify backup encryption-in-transit configuration. Step 4: Inspect physical media inventory; verify annual count. Step 5: Inspect media classification + protection. Step 6: For sensitive media movement, verify chain-of-custody.
Common findings
Common 2024–26 findings: (1) TLS 1.0/1.1 still enabled on legacy services; (2) Weak cipher suites permitted; (3) Certificates auto-renewed but inventory absent; (4) Backup transit unencrypted to off-site location; (5) Physical media inventory not conducted annually; (6) Chain-of-custody absent for physical media movement.
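As an added example (not tooling from the source or from any of the cited frameworks), the Python below performs the Step 1 probe of the auditor test pattern against one service and grades the result against the stated threshold (TLS 1.2 minimum, TLS 1.3 preferred, strong cipher suites), producing findings of the kind listed above. The weak-cipher name fragments, the 30-day certificate-expiry warning and the example hostnames are assumptions of this example, not requirements of the page.

```python
"""TLS posture check: probe() builds a per-service record, evaluate() grades it (added example)."""
import socket, ssl, time
from dataclasses import dataclass, field
# Assumptions of this example (not page requirements): weak OpenSSL cipher-name fragments, 30-day cert warning.
WEAK_CIPHER_MARKERS = ("RC4", "DES-CBC", "NULL", "EXPORT", "MD5", "ADH-", "AECDH-")
CERT_WARN_DAYS = 30
LEGACY_VERSIONS = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1}

@dataclass
class TlsPosture:
    service: str
    negotiated_version: str                       # e.g. "TLSv1.3"
    negotiated_cipher: str                        # e.g. "TLS_AES_256_GCM_SHA384"
    legacy_versions_accepted: list = field(default_factory=list)
    cert_days_remaining: "int | None" = None

def evaluate(p: TlsPosture) -> list:
    """Findings phrased like the 'Common findings' list; an empty list means the service passes."""
    findings = []
    if p.legacy_versions_accepted:
        findings.append(f"{p.service}: {'/'.join(p.legacy_versions_accepted)} still enabled")
    if p.negotiated_version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"{p.service}: negotiated {p.negotiated_version}, below TLS 1.2 minimum")
    if any(m in p.negotiated_cipher.upper() for m in WEAK_CIPHER_MARKERS):
        findings.append(f"{p.service}: weak cipher suite {p.negotiated_cipher}")
    if p.cert_days_remaining is not None and p.cert_days_remaining < CERT_WARN_DAYS:
        findings.append(f"{p.service}: certificate expires in {p.cert_days_remaining} days")
    return findings

def _accepts(host, port, version, timeout):
    """True if the server completes a handshake pinned to one legacy protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE    # probing, not trusting
    try:
        ctx.minimum_version = ctx.maximum_version = version
        ctx.set_ciphers("ALL:@SECLEVEL=0")     # OpenSSL 3 refuses TLS < 1.2 at its default level
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host):
            return True
    except (OSError, ValueError):
        return False

def probe(host: str, port: int = 443, timeout: float = 5.0) -> TlsPosture:
    """Collect one live record (needs network; the offline check uses constructed records)."""
    ctx = ssl.create_default_context()         # verification on, so getpeercert() is populated
    with socket.create_connection((host, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        days = int((ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"]) - time.time()) // 86400)
        posture = TlsPosture(f"{host}:{port}", tls.version(), tls.cipher()[0], cert_days_remaining=days)
    posture.legacy_versions_accepted = [n for n, v in LEGACY_VERSIONS.items() if _accepts(host, port, v, timeout)]
    return posture
```

Running `evaluate(probe("api.example", 443))` for each sampled service yields the per-service TLS posture inventory the evidence section asks for; an empty findings list is a pass.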