Like many other standards, PCI DSS requires keeping an inventory of all assets. Maintaining an inventory of all in-scope PCI assets is mandatory under PCI DSS Requirement 2.4. Per Requirement 2.4, in-scope assets can include physical devices such as servers, desktops, network equipment, and wireless access points, as well as software, user accounts, and more.
Furthermore, PCI DSS Requirement 9.9.1 mandates that businesses keep an up-to-date list of devices, including make and model, location, serial number, and other unique identifiers.
When it comes to asset management for PCI compliance, one of the most prevalent issues for businesses is effectively tracking and recording all covered PCI assets in a given environment. Many companies today keep their asset inventories in spreadsheets or on platforms that require manual work.
These manual processes cannot keep up with today’s rapidly changing IT environment. As a result, PCI asset inventories may be out of date, inaccurate, and of little value.
In security, there are always multiple priorities; the trick is to assign and advance them all simultaneously rather than arguing over which comes first. Today’s IT infrastructures are highly interdependent, and if you plan accordingly, you will avoid otherwise inevitable hurdles and analysis paralysis.
PCI DSS asset management is a top priority and sits at the center of everything else you do in developing, maintaining, and continuously improving your security program.
While keeping an inventory of your assets covered by PCI, keep the following in mind:
- The value of each of your assets is directly related to the value of the data flowing through them.
- The value of your data is directly related to its importance to your business.
It doesn’t matter whether you express the value of an asset or of its data in financial terms or in terms of criticality. What matters is that all other security processes directly reflect its relative importance to your organization.
It’s crucial to remember that your essential assets include not only your servers, network devices, and software but also your locations, vendors, business processes, and, most importantly, your staff, together with their knowledge and skill sets. The human factor is the one most often overlooked in organizations.
None of the following business processes will be fully effective unless you include all of the above in your assets:
- Risk Assessment – If you don’t know which assets the risks apply to, there is no point in examining your risks.
- Gaps Analysis and Security Control Acquisition – A logical consequence of risk assessment is the answer to the question, what are the gaps you need to fill?
- Change Control and Management – If you have no indication of regulatory compliance, maximum data classification, or business criticality, you will not be able to perform due diligence on change requests.
- Automatic / Continuous Compliance Verification – Unless you have a list of all services and ports running on your systems, you are unlikely to automate the detection of policy/compliance violations.
- Business Transformation – When you don’t know what you have and how it all fits together, your business will struggle to adapt in the face of competition.
Quite simply, PCI inventory and asset management are essential and very fundamental to security. It’s one of the simplest methods to concentrate the data required to support all of your security program’s other activities.
If you are not aware of an asset, you probably cannot protect it adequately. Based on PCI DSS Requirement 2.4, we can understand that the PCI Security Standards Council and major card brands also believe it. PCI DSS Requirement 2.4 requires you to maintain an inventory of system components covered by PCI DSS. To comply with PCI DSS Requirement 2.4, your organization must retain a list of assets in your environment.
As your organization begins to define the scope of your environment, you will need an existing inventory of system components. The PCI scoping process will be more seamless if you keep a list of system components.
Furthermore, some assets you’re seeking to protect that aren’t on the inventory list may be ignored and accidentally fall outside your configuration rules, exposing them to risk. You won’t protect your assets if you don’t know what they are or where they are.
Your inventory list should be refreshed whenever you add an asset to or remove one from your environment. Your auditor (PCI QSA) will take this documented inventory and compare it to your network and data flow diagrams during the assessment.
This list should be updated through your Change Management Program. PCI DSS Requirement 2.4 is linked to PCI DSS Requirements 1.1.1, 1.1.2, and 1.1.3, and maintaining it is a continuous loop.
Whenever you change your asset inventory, such as adding or removing a device, you must record the change in change control and update the asset inventory, the network diagrams, and the data flow diagrams together.
What are the System Components That Should Be on the PCI Inventory List?
Maintaining an up-to-date list of all components covered by PCI will make any PCI review or engagement go much more smoothly.
Maintaining an up-to-date list of all system components will enable an organization to accurately and efficiently define the scope of their environment to enforce PCI DSS controls. Without an inventory, some system components may be forgotten and accidentally omitted from the organization’s configuration standards.
An inventory list is an essential input to a PCI Report on Compliance or Self-Assessment Questionnaire. Three key artifacts will be requested at the beginning of any PCI onsite assessment:
- Data Flow Charts
- Network Diagrams
- Complete Inventory List of In-Scope Devices
Any system that stores, processes, or transmits cardholder data is in PCI scope and must be in the inventory. This includes server infrastructure, databases, workstations, and VoIP telephony infrastructure. A data flow chart should be maintained to show how cardholder data enters the environment and travels from one system to another. The inventory list should be reflected in the data flow charts; it is the primary artifact on which everything else builds.
Maintaining accurate and up-to-date network diagrams is an essential component. Identifying the networks on which these systems and applications live and the observable boundaries for the PCI security zone should indicate adequate network segmentation within the network.
Anything in the same network segment as cardholder data systems, with no segmentation controls in between, is covered by PCI as a critical system component, because nothing restricts its access to the cardholder data environment. All such devices must also be included in the inventory list.
Do not forget to add the network services that the PCI environment can use, which also support infrastructure security, to the inventory list. These can be critically dependent systems such as Active Directory Domain Controller or small systems such as DNS servers or time services (NTP). The following are some of the items you should include in your PCI inventory:
- DHCP Servers
- DNS Servers
- NTP Servers
- Vulnerability Scanners / Management Systems
- Central Registration Systems / Management Systems
- Anti-Virus Management Console
- Patch Servers
- Wireless Network Management Systems
- Directory Authentication Servers (AD, RADIUS, LDAP, TACACS, MFA)
- Supporting Network Infrastructure (Firewalls, Switches, Routers, VPN, NAC)
- Access Control / Video Surveillance Systems
The above is a generalized list, and the details of whether specific systems are covered will largely depend on your environment and how you process cardholder information.
If this is your first time doing a scoping exercise for PCI, definitely contact your QSA to assist you with this.
Are There Any Other Details That Should Be In The PCI Inventory?
To be PCI compliant, an authorized person must confirm that an inventory is maintained and that it includes a description of each component’s function or purpose. Although function/purpose is the only field PCI DSS Requirement 2.4 strictly requires, it is helpful to add the following information to your inventory list:
- Application Name
- Is PCI Direct in scope?
- PCI Connected Component?
- PCI Out of scope system?
- System type: standalone system, hypervisor, or virtual instance
- Cloud system?
- Cloud service model: PaaS, SaaS, IaaS
- Function – High-level terms such as Server, Desktop, Mobile, Firewall, Router, Switch.
- Purpose – low-level term describing what the system does, e.g. POS controller, domain controller, A/V server, logging host, DLP server, jump host, IDS/IPS
- Hardware Vendor
- Hardware Model
- Operating system with version and vendor
- Component location
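As an added example (not code from the original article), the following Python script reconciles an inventory built from the fields above against the data flow chart and network diagram a QSA will compare it with, and applies the scoping rule stated earlier: a system with no segmentation between it and a CDE segment cannot be marked out of scope. The field names, hostnames, and sample records are constructed for illustration.

```python
REQUIRED_2_4 = ("function", "purpose")                      # Req 2.4: function/purpose per component
REQUIRED_9_9_1 = ("vendor", "model", "serial", "location")  # Req 9.9.1: device identification
SCOPE_VALUES = {"direct", "connected", "out"}               # the page's three scope classes

def check_inventory(inventory, flow_hosts, diagram_hosts):
    """Return sorted (hostname, finding) tuples; an empty list means the inventory reconciles."""
    findings = []
    names = {a["name"] for a in inventory}
    # Network segments that hold a direct-in-scope (CDE) component.
    cde_segments = {a.get("segment") for a in inventory if a.get("scope") == "direct"}
    for a in inventory:
        n = a["name"]
        findings += [(n, f"missing {fld} (Req 2.4)") for fld in REQUIRED_2_4 if not a.get(fld)]
        if a.get("kind") != "virtual":  # physical devices need make, model, serial, location
            findings += [(n, f"missing {fld} (Req 9.9.1)") for fld in REQUIRED_9_9_1 if not a.get(fld)]
        if a.get("scope") not in SCOPE_VALUES:
            findings.append((n, "scope must be direct, connected or out"))
        # Same segment as a CDE system with no segmentation control: cannot be out of scope.
        elif a["scope"] == "out" and a.get("segment") in cde_segments:
            findings.append((n, f"out of scope but shares CDE segment {a.get('segment')}"))
    # Anything drawn on the data flow chart or network diagram must also be in the inventory.
    for h in (set(flow_hosts) | set(diagram_hosts)) - names:
        findings.append((h, "on diagram but not in inventory"))
    return sorted(findings)

# Constructed sample inventory: one row per system component, as spreadsheet rows would be.
INVENTORY = [
    {"name": "pos-ctl-01", "function": "Server", "purpose": "POS controller", "scope": "direct",
     "kind": "standalone", "segment": "cde-vlan", "vendor": "ExampleCo", "model": "X1",
     "serial": "SN-0001", "location": "Store 12"},
    {"name": "dc-01", "function": "Server", "purpose": "Domain controller", "scope": "connected",
     "kind": "virtual", "segment": "mgmt-vlan"},
    {"name": "kiosk-07", "function": "Desktop", "purpose": "", "scope": "out",
     "kind": "standalone", "segment": "cde-vlan", "vendor": "ExampleCo", "model": "K7",
     "serial": "", "location": "Store 12"},
]
FLOW_HOSTS = ["pos-ctl-01", "db-01"]                  # constructed: hosts drawn on the data flow chart
DIAGRAM_HOSTS = ["pos-ctl-01", "dc-01", "kiosk-07"]   # constructed: hosts drawn on the network diagram

if __name__ == "__main__":
    for host, finding in check_inventory(INVENTORY, FLOW_HOSTS, DIAGRAM_HOSTS):
        print(f"{host}: {finding}")
```

Running it reports the database host that appears on the data flow chart but not in the inventory, the kiosk missing its purpose and serial number, and the kiosk wrongly marked out of scope while sitting in the CDE VLAN.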
The list above is spreadsheet-centric, but tools such as a configuration management database (CMDB) are also available for this kind of tracking. Tooling has many advantages, such as quickly finding a software product or end-of-life hardware when a vulnerability is announced in the industry.
Ideally, associating inventory with a vulnerability scanner is an excellent way to start. It allows you to manage your vulnerabilities better and make your scan list dynamic to suit your current environment.
Configuration management tools can also keep systems within specified build parameters and notify you when a system leaves this configuration.
If you choose to keep your PCI inventory in spreadsheets, build the manual update steps into your workflows so that the inventory owner is aware of changes in the environment. For example, if you add a new device to your PCI scope, the inventory owner should know.
Likewise, if you disable a device, the inventory owner will also want to know. Moving systems in and out of scope also has a significant impact on the inventory, and those changes should be mirrored in it.