Company move - Physical relocation & PCI
jplee3
02-16-2007, 01:06 PM
Hi all,
I was looking for any input as to what measures might be advised when a company moves physical locations. Falling in line with the physical security of cardholder data, etc., what, if any, steps might be taken to comply (i.e. removing all hard drives with sensitive data after powering the servers down and transporting them separately, etc.)? Is it necessary?
Has anyone had experience with this?
TIA
K Heath
02-20-2007, 02:30 PM
I'm not aware of any specific PCI requirements relating to the relocation of hardware as part of an office move; however, section 9 contains various requirements relating to physical protection of media which would be applicable. The most relevant in the Security Audit Procedures is extracted below:
9.7.2 Verify that all media sent outside the facility is logged and authorized by management and sent via secured courier or other delivery mechanism that can be tracked.
The intent is clearly to ensure that the equipment (or other media) containing credit card data is not lost or tampered with during transit.
I don't believe it would be necessary to remove the disk drives, but use of a general removalist moving other office equipment would not be recommended. I would suggest that use of a secure courier would best meet the requirements of PCI. Alternatively, if internal staff are used for the relocation, equipment containing credit card data should be logged, signed for and escorted by the responsible officer from departure to arrival.
My views only, but I hope this helps.
admin
02-20-2007, 07:13 PM
The requirements state you need to protect cardholder data, but there are no specific guidelines about moving servers or datacenters. There is guidance in the requirements when they discuss keeping inventory of all backup tapes taken offsite. You should do the same with servers when in transit.
Basically there are no requirements other than to keep the data secure.