GRCWatch
Sign inStart free trial

PCI DSS 9.5.1.1: Maintain an Up-to-Date POI Device Inventory

Point-of-interaction (POI) device management is critical to PCI DSS compliance. Control 9.5.1.1 requires you to maintain a comprehensive, current inventory of all POI devices with specific details that enable tracking and accountability. Without proper inventory controls, unauthorized or compromised devices can slip through your security perimeter.

What this means

This control mandates that your organization document and maintain a detailed inventory of every POI device (payment terminals, card readers, kiosks, ATMs) in your environment. Each device must be recorded with a clear description, its physical location, and a unique identifier that allows for positive identification and tracking. The inventory must be kept current and reflect the actual deployed state of devices across all locations. This foundational control enables you to detect unauthorized devices, identify compromised hardware, and maintain accountability for payment processing equipment.

How to comply

  1. 1.Conduct a physical audit of all POI devices across every location where payment cards are accepted or processed
  2. 2.Assign and document a unique identifier for each device (serial number, asset tag, or internal ID system)
  3. 3.Record the device description including manufacturer, model, and primary function
  4. 4.Document the precise physical location of each device (building, floor, department, room number)
  5. 5.Establish a centralized inventory database or tracking system accessible to relevant personnel
  6. 6.Implement a process to update the inventory within a defined timeframe (e.g., 30 days) when devices are added, removed, or relocated
  7. 7.Conduct quarterly reviews to verify inventory accuracy against actual deployed devices
  8. 8.Retain historical records of inventory changes for audit trail purposes

Evidence auditors look for

  • Spreadsheet or database containing POI device serial numbers, descriptions, and locations
  • Asset management system with POI device records and deployment history
  • Physical audit reports documenting device counts and location verification
  • Change logs showing additions, removals, and relocations of POI devices
  • Quarterly inventory reconciliation reports with discrepancy analysis
  • Photographs or physical location documentation matching to inventory records
  • Maintenance or support tickets correlating devices to locations and dates

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates POI device inventory tracking with built-in asset management, automatic change detection, and quarterly reconciliation reporting—eliminating manual spreadsheets and ensuring 9.5.1.1 compliance stays current.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 9.5.1 — Physical security of POI devicesPCI DSS 9.5.2 — POI device configuration standardsPCI DSS 9.1 — Access control and facility managementPCI DSS 2.1 — Inventory of network components and devices