9.4.5.1 Inventories of electronic media with cardholder data are conducted at least once every 12 months.
Defined Approach Requirements
9.4.5.1 Inventories of electronic media with cardholder data are conducted at least once every 12 months.
Defined Approach Testing Procedures
9.4.5.1.a Examine documentation to verify that procedures are defined to conduct inventories of electronic media with cardholder data at least once every 12 months.
9.4.5.1.b Examine electronic media inventory logs and interview personnel to verify that electronic media inventories are performed at least once every 12 months.
Customized Approach Objective
Media inventories are verified periodically.
Purpose
Without careful inventory methods and storage controls, stolen or missing electronic media could go unnoticed for an indefinite amount of time.
Purpose
Maintain an inventory of all media containing cardholder data.
Compliance Strategies
- Centralized inventory system
- Regular inventory audits
Typical Policies
- Media Inventory Policy
Common Pitfalls
- Outdated inventory
- Media not tracked
Type
Documentation/Process Control
Difficulty
Moderate
Key Risks
- Lost or unaccounted for media
Recommendations
- Automated inventory management
Eligible SAQ
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER