GRCWatch
Sign inStart free trial

PCI DSS 9.4.5.1: Conduct Media Inventories Annually

PCI DSS 9.4.5.1 requires organizations to inventory all electronic media containing cardholder data at least once every 12 months. This control prevents unauthorized access to sensitive payment card information by ensuring you know exactly where your data lives. Without documented media inventories, you cannot effectively manage or protect cardholder data assets.

What this means

This control mandates that your organization maintains a comprehensive inventory of all electronic media—including servers, workstations, laptops, USB drives, backup tapes, and cloud storage—that stores, processes, or transmits cardholder data. The inventory must be updated and reviewed at minimum annually to catch new systems, decommissioned hardware, or data migrations you may have missed.

How to comply

  1. 1.Document all electronic media systems and devices that contain, process, or transmit cardholder data across your organization
  2. 2.Assign ownership and location information for each media item in your inventory
  3. 3.Schedule and conduct a comprehensive media audit at least once every 12 months
  4. 4.Compare audit findings against your documented inventory to identify discrepancies or undocumented systems
  5. 5.Update your inventory records with any new media or removed systems discovered during the audit
  6. 6.Establish a process for adding newly deployed systems to the inventory within 30 days of deployment
  7. 7.Document the annual review date and personnel responsible for conducting the inventory

Evidence auditors look for

  • Dated media inventory spreadsheet or asset management database listing all systems containing cardholder data
  • Annual audit report with timestamps showing inventory verification was performed within the 12-month window
  • Change log documenting new systems added to inventory and decommissioned hardware removed
  • Sign-off documentation from management confirming inventory review and accuracy
  • Reconciliation report comparing current systems to documented inventory with explanations for any gaps
  • IT asset management system reports filtered for cardholder data systems with annual export timestamps

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates media inventory tracking and annual review scheduling, flagging new systems and comparing current assets against your documented inventory to eliminate manual audit gaps.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 9.4.1 — Implement Media TrackingPCI DSS 9.4.2 — Restrict Media AccessPCI DSS 9.4.3 — Destroy Media SecurelyPCI DSS 12.1 — Security Policy