How often must media inventories be performed?

Regularly maintaining an inventory of all media that can store cardholder data is essential. The requirement is that media inventories must be performed at least annually. This ensures you have an up-to-date, documented list of media—such as laptops, servers, USB drives, external drives, backup tapes, and even printed media—that could contain sensitive cardholder data. With this inventory, you can confirm media is managed properly, encrypted where needed, access is controlled, and disposal is secure when no longer required. Doing inventories only when a media item is disposed leaves gaps where untracked, potentially unsecured media still exists, increasing risk. The notion that inventories are optional is incorrect, and performing them quarterly exceeds the minimum requirement (though some organizations may choose to do so).