Ctrl + K

9.4.5 Inventory logs of all electronic media with cardholder data are maintained.

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

Defined Approach Testing Procedures

9.4.5.a Examine documentation to verify that procedures are defined to maintain electronic media inventory logs.

9.4.5.b Examine electronic media inventory logs and interview responsible personnel to verify that logs are maintained.

Customized Approach Objective

Accurate inventories of stored electronic media are maintained.

Purpose

Without careful inventory methods and storage controls, stolen or missing electronic media could go unnoticed for an indefinite amount of time.

Sub-requirements

9.4.5.1 Inventories of electronic media with cardholder data are conducted at least once every 12 months.

purpose

Conduct periodic media inventories to verify accuracy.

compliance strategies

Scheduled audits
Reconciliation with inventory records

typical policies

Media Audit Procedures

common pitfalls

Missed audits
No reconciliation process

difficulty

Moderate

key risks

Undetected media loss

recommendations

Automate audit reminders

Your perspective on this PCI DSS requirement matters! Share your implementation experiences, challenges, or questions below. Your insights help other organizations improve their compliance journey and build a stronger security community.Comment Policy

Please enable JavaScript to view the comments powered by Disqus.Alternatively, you can view comments at our Disqus forum.

Link copied to clipboard!

9.4.5 Inventory logs of all electronic media with cardholder data are maintained.

Defined Approach Requirements

Defined Approach Testing Procedures

Customized Approach Objective

Purpose

Sub-requirements

purpose

compliance strategies

typical policies

common pitfalls

type

difficulty

key risks

recommendations

Eligible SAQ