PCI Requirement 9.7.1 – Properly Maintain Inventory Logs of All Media

by Randy Bartels / January 31st, 2018

Importance of Inventory Logs

As a part of maintaining strict control over the storage and accessibility of media, PCI Requirement 9.7.1 states, “Properly maintain inventory logs of all media and conduct media inventories at least annually.” Inventory may seem like an overwhelming, massive task to complete every year, but it’s completely necessary. The PCI DSS explains, “If media is not inventoried, stolen or lost media may not be noticed for a long time or at all.”

The testing procedure for PCI Requirement 9.7.1 outlines that media inventory logs must be reviewed by an assessor to verify that inventory logs have been maintained and media inventories were performed at least annually. If the inventory logs indicate that media wasn’t where it was expected to be, an assessor will want to see what you did to account for that specific media.

As part of maintaining strict control over the access to the media that you might have off-site, we need to make sure that wherever that media is stored undergoes inventory at least annually. I know it’s a cumbersome chore to do, but it’s absolutely necessary that it be done. Not too long ago, there was a story that broke about a very large retail merchant whose tapes were sent to a third party in an unauthorized way. That company had to declare a breach, it affected their stock shares for a period of time, and they’ve since recovered. But as part of that, you need to understand where your media is at. In order to do that at least annually, you’re going to be performing an inventory of any media that’s stored off-site.

As part of the assessment, we’re going to be asking for an artifact, whether that be an email or handwritten note, that you have collected and retained that denotes that you’ve visited wherever your media is stored off-site and all of the media was there. If it wasn’t where it was expected to be, we want to see what you did to account for that media.