With the Payment Card Industry Data Security Standard (PCI DSS) version 4.0 coming soon, organizations have been advised to focus their efforts on verifying compliance with the current version of the DSS and confirming that they have fully and accurately scoped their cardholder data environment (CDE).
When it comes to monitoring and maintaining your CDE, one of the most important factors is ensuring you have an up-to-date inventory of all assets. Why is this so critical? If you don't know which systems could be at risk, how will you implement controls to protect them from compromise? For example, if an in-scope asset is left off the list, it may simply be overlooked: it will not receive the security controls applied to identified PCI systems, either manually or through standard configurations, and it will be inadvertently exposed to risk.
Requirement 2.4 of the DSS states that organizations must maintain an inventory of system components that are in scope for PCI DSS. In-scope assets include any systems that store, process, or transmit cardholder data, as well as systems that are connected to the CDE or could affect its security, and can include physical devices and hardware such as desktops, servers and network devices, as well as software, wireless access points, etc. To be compliant, an organization must be able to show an assessor that the inventory is maintained and includes a description of each component's function/use. Requirement 9.9.1 of the DSS also mandates that merchants keep an up-to-date list of point-of-interaction payment devices, including make and model, location, and serial number or other unique identifier. This device inventory will be used frequently as staff perform the required periodic device inspections for possible skimming devices, tampering, and/or substitution.
This requirement can be a challenge for many organizations. It is one thing to produce a point-in-time inventory list for your annual assessment or Report on Compliance (ROC); it is another to ensure that all merchants keep track of the systems involved (replacement devices, new staff workstations, etc.) throughout the year and account accurately and completely for the equipment in use. The inventory should be updated any time an asset is added to, or decommissioned/removed from, the environment.
Merchants should also maintain a cardholder data flow diagram (Requirement 1.1.3) that details how cardholder data enters their environment and how it moves from one system to another, and a current network diagram (Requirement 1.1.2) that identifies all systems involved, what is connected within the network, and the network segmentation in place.
If anything changes that would result in a change to your network or data flow diagrams, verify that the inventory is updated as well. You should always be able to align your documented inventory with the current diagrams; during a ROC, this is typically how the assigned Qualified Security Assessor (QSA) audits and confirms compliance.
So, what information should be kept in your PCI asset inventory? Although the PCI DSS isn't highly specific beyond function/purpose, the following information can be helpful to document, as applicable to each system:
- Merchant Area/Department
- Responsible Person/System Owner
- Contact information
- Type of equipment (e.g. stand-alone device, mobile device, virtual terminal, workstation, software application, anti-virus server, logging server, etc.)
- System Name
- Function – high level term like desktop, server, payment terminal, etc.
- Purpose – describe what the system does
- Hardware Vendor
- Hardware Model Name/Number
- Serial Number
- Expiration Date (if PTS-approved device)
- P2PE vendor
- P2PE solution
- P2PE reference number
- Location (campus, building, room number, etc.)
- IP address
- Jack number
- Scope – Directly in scope or connected to the CDE?
Having this information documented and easily accessible allows the central PCI team to locate equipment quickly when needed. For example, if a certain payment card device has reached the end of its PTS approval and is no longer supported, an up-to-date inventory lets you quickly identify the merchant locations using that device and recommend replacements. If a vulnerability is discovered in a particular system or device type, the team can likewise identify every affected asset and deploy patches or mitigations as needed.
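The lookups just described (which locations use a given model, which devices have passed their PTS expiration, and whether the inventory still matches the network diagram) are easy to automate once the inventory lives in a spreadsheet export. The script below is an added example, not CampusGuard's code or a Central Portal feature; the column names, sample rows, vendor/model names and the "hosts on the network diagram" set are all constructed for illustration and should be adapted to your own headers. It also checks that payment terminals carry the Requirement 9.9.1 identifiers (make/model and serial number).

```python
"""Added example: sanity checks over a PCI asset inventory exported as CSV.

Column names and all sample data are constructed for illustration; adapt
REQUIRED_FIELDS / TERMINAL_FIELDS and the CSV headers to your own spreadsheet.
"""
import csv
import io
from datetime import date

# Columns every in-scope record must carry (assumed names, modelled on the field list above).
REQUIRED_FIELDS = ("system_name", "owner", "location", "function", "purpose", "scope")
# Payment terminals additionally need the Requirement 9.9.1 identifiers.
TERMINAL_FIELDS = ("hardware_model", "serial_number")

# Constructed sample export; in practice read this from the spreadsheet or CMDB export.
INVENTORY_CSV = """system_name,owner,location,function,purpose,hardware_model,serial_number,pts_expiration,ip_address,scope
POS-101,Bursar,Admin Bldg 120,payment terminal,Card-present payments,Acme PT-100,SN0001,2021-04-30,10.10.5.21,in-scope
POS-102,Bursar,Admin Bldg 121,payment terminal,Card-present payments,Acme PT-100,,2021-04-30,10.10.5.22,in-scope
WS-BURSAR-01,Bursar,Admin Bldg 122,workstation,Virtual terminal access,,,,10.10.5.50,in-scope
LOG-01,,Data Center R2,server,Central log server,,,,10.10.9.10,connected-to-CDE
POS-201,Dining,Student Union 15,payment terminal,Card-present payments,Acme PT-200,SN0201,2026-12-31,10.10.6.30,in-scope
"""

# IP addresses of hosts drawn on the current network diagram (constructed).
DIAGRAM_HOSTS = {"10.10.5.21", "10.10.5.22", "10.10.5.50", "10.10.9.10", "10.10.9.11"}


def _cell(row, key):
    """Normalise a CSV cell: missing or blank cells become ''."""
    return (row.get(key) or "").strip()


def load_inventory(csv_text):
    """Parse a spreadsheet export into a list of row dicts (one per asset)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def missing_fields(rows):
    """Return {system_name: [missing columns]} for every incomplete record."""
    gaps = {}
    for row in rows:
        needed = list(REQUIRED_FIELDS)
        if _cell(row, "function").lower() == "payment terminal":
            needed += TERMINAL_FIELDS
        missing = [f for f in needed if not _cell(row, f)]
        if missing:
            gaps[row["system_name"]] = missing
    return gaps


def expired_pts_devices(rows, today_iso=None):
    """System names whose PTS approval expiration (ISO date) is on or before today_iso."""
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    return [row["system_name"] for row in rows
            if _cell(row, "pts_expiration")
            and date.fromisoformat(_cell(row, "pts_expiration")) <= today]


def locations_by_model(rows, model):
    """Where a given make/model is deployed, as (system_name, owner, location) tuples."""
    return [(r["system_name"], _cell(r, "owner"), _cell(r, "location"))
            for r in rows if _cell(r, "hardware_model") == model]


def reconcile_with_diagram(rows, diagram_hosts):
    """Compare inventory IPs with the hosts on the network diagram.

    Returns (in inventory but not on the diagram, on the diagram but not in inventory).
    Either list being non-empty means the inventory and diagram have drifted apart.
    """
    inventory_ips = {_cell(r, "ip_address") for r in rows if _cell(r, "ip_address")}
    return sorted(inventory_ips - set(diagram_hosts)), sorted(set(diagram_hosts) - inventory_ips)


if __name__ == "__main__":
    assets = load_inventory(INVENTORY_CSV)
    print("Incomplete records:", missing_fields(assets))
    print("Expired PTS devices:", expired_pts_devices(assets, "2022-03-01"))
    print("Acme PT-100 deployments:", locations_by_model(assets, "Acme PT-100"))
    print("Inventory/diagram drift:", reconcile_with_diagram(assets, DIAGRAM_HOSTS))
```

Run it against each merchant's export during the monthly or quarterly spot check; any output from the first or last line is a finding to chase down before the assessor does.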
Depending on the size and fluidity of your in-scope assets, some organizations will use an asset management system, while others may be able to track inventory manually in spreadsheets. The central PCI team should own and monitor the overall inventory process, but it is important to engage merchants and hold them accountable for tracking and updating their own inventory lists whenever their environments change. Verifying annually that each merchant has an up-to-date inventory is a required part of the annual Self-Assessment Questionnaire (SAQ) process, but the PCI team may also want to pick a sample of merchants monthly or quarterly to confirm that current inventory lists are in place. As the team learns of new devices being implemented or new vendors coming under contract, it should also remind merchants of the inventory requirement so that all new equipment is tracked and documented during deployment.
If you have questions regarding your current PCI asset inventory or would like to know more about the options the CampusGuard Central Portal offers for tracking device inventory at the individual merchant level, please reach out to us.
Additional guidance from the Security Advisor Team below:
[Gilmore]: Along with current inventory, it is good to make sure to keep a history of what has happened to equipment because of maintenance, outages, or upgrades. This kind of information is usually kept in a ticketing system as part of a change process. There have been a number of times while completing an audit that I have had to track what happened to a missing piece of equipment. Going back to a change ticket usually helps to be able to fill in the gaps in an inventory. Proper maintenance of all equipment will become more and more “business as usual” so long as effective training happens regularly and there is support from management to execute the procedures in place.
As mentioned before, it helps to spot check to make sure inventory is current. Procurement may inquire from time to time about a device that was purchased to make sure it is still in place. This could be for insurance purposes or other business processes. Surplus may provide some kind of destruction attestation to the managing department and to procurement. This documentation is helpful to show the device is permanently out of service and should be kept in inventory tracking.
Having several ways to check inventory is a great way for the process to self-heal and helps to keep the number of findings by the auditor as low as possible.