The objective of PCI DSS Requirement 9.6.1 “Classify media so the sensitivity of the data can be determined,” is to ensure that media is controlled and protected against inadvertent or unintentional exposure. There is no requirement to physically label media. Instead, companies must have processes to classify and identify all media containing cardholder data that is sensitive or confidential and ensure appropriate protection is applied to that media. Companies can then rely on their processes for classifying and protecting that media, in essence treating it as confidential without the specific requirement to provide a physical label.
(Note: PCI DSS Requirement numbers refer to PCI DSS version 3)
Article Number 1129