August 08, 2017
PCI Inventory List of Assets
Written by
TrustedSec
PCI Assessment
Program Assessment & Compliance
The Payment Card Industry Data Security Standard (PCI DSS) requires that an inventory of the system components in scope for PCI DSS be maintained (PCI DSS Req. 2.4). This requirement was introduced in PCI DSS 3.0. The inventory covers both hardware and software components, and the assessor will look for a description of the function or use of each component, not just a list of hostnames.
Good governance would suggest that maintaining these documents is part of the process of onboarding and offboarding applications, systems, etc. Maintaining a current list of all components will ensure that any PCI review or engagement goes much more smoothly.
Maintaining a current list of all system components will enable an organization to accurately and efficiently define the scope of its environment for implementing PCI DSS controls. Without an inventory, some system components could be forgotten and inadvertently excluded from the organization's configuration standards.
This is especially important when going into a PCI Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ) for the first time. There are three core documents that should be requested at the beginning of any PCI on-site assessment:
- Data-Flow Diagrams
- Network Diagrams
- Complete Inventory List of In-Scope Devices, including:
  - DHCP
  - DNS
  - NTP
  - Vulnerability Scanners / Management
  - Centralized Logging Systems / Management
  - Anti-Virus Management Console
  - Patching Servers
  - Wireless Management (If In Scope)
  - Directory Authentication Servers (AD, RADIUS, LDAP, TACACS, 2FA)
  - Supporting Network Infrastructure (Firewalls, Switches, Routers, VPN, NAC)
  - Access Control / Video Monitoring Systems