The Payment Card Industry Data Security Standard (PCI DSS) requires that an inventory of system components (PCI Req. 2.4: Complete Inventory List) is maintained. It has been a requirement since PCI DSS 3.0.
Good governance would suggest that maintaining these documents is part of the process of onboarding and offboarding applications, systems, etc. Maintaining a current, up-to-date list of all components will ensure that any PCI review or engagement goes much more smoothly.
Maintaining a current list of all system components will enable an organization to accurately and efficiently define the scope of their environment for implementing PCI DSS controls. Without an inventory, some system components could be forgotten, and be inadvertently excluded from the organization’s configuration standards.
This is especially important coming into a PCI Report on Compliance or Self-Assessment Questionnaire for the first time. There are three core components that should be requested at the beginning of any PCI on-site assessment:
- Data-Flow Diagrams
- Network Diagrams
- Complete Inventory List of In-Scope Devices
Armed with these artifacts, you can better assess the amount of work that an on-site assessment would bring.
But what are assessors looking for when they need a complete inventory list?
Every system that stores, processes, or transmits cardholder information is considered in scope and should be in the inventory. These systems should be reflected in the data-flow diagrams and are the primary components that bring everything else into scope. This includes server infrastructure, data stores/databases, workstations, VoIP phone infrastructure (if cardholder information is communicated over it), etc. A data-flow diagram should be maintained to show how cardholder data enters systems and travels from one system to another.
Maintaining accurate and up-to-date network diagrams is an important component. The diagrams must identify the networks that these systems and applications live on and where the observable borders of the PCI security zone are, and they must show adequate network segmentation within the network. Anything that sits within the same network space, absent network segmentation controls, is also pulled into PCI scope as a critical system component, because these devices have less restricted access to devices within the cardholder data environment. All these devices need to be captured on the inventory list as well.
Do not forget about the network services that the PCI environment may utilize and that support the security of the infrastructure. These can be systems the environment critically relies on, like an AD Domain Controller, or minor systems like name servers (DNS) or time services (NTP). Some of the items you need to capture are:
- Vulnerability Scanners / Management
- Centralized Logging Systems / Management
- Anti-Virus Management Console
- Patching Servers
- Wireless Management (If In Scope)
- Directory Authentication Servers (AD, RADIUS, LDAP, TACACS, 2FA)
- Supporting Network Infrastructure (Firewalls, Switches, Routers, VPN, NAC)
- Access Control / Video Monitoring Systems
Obviously, this is a generalized list, and whether specific systems are in scope will largely depend on your environment and the way you process cardholder information. If there are questions about specifics, or this is the first time walking through a scoping exercise for PCI, definitely get in contact with a reputable QSA company to help you through this.
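As an added illustration (not from the original article), the following Python script applies the three scoping rules described above to a small constructed inventory: systems that store, process, or transmit cardholder data per the data-flow diagram, everything that shares an unsegmented network with them, and the supporting services those systems rely on. All host names, segments, flows, and support relationships are hypothetical.

```python
from collections import deque

# Constructed sample inventory (hypothetical hosts); "chd" = stores or processes CHD
INVENTORY = {
    "pos-app-01":   {"segment": "cde-net",  "chd": True},
    "card-db-01":   {"segment": "cde-net",  "chd": True},
    "intranet-web": {"segment": "cde-net",  "chd": False},  # shares the CDE network
    "tokenizer-01": {"segment": "dmz-net",  "chd": False},  # only transmits (see DATA_FLOWS)
    "ad-dc-01":     {"segment": "mgmt-net", "chd": False},
    "ntp-01":       {"segment": "mgmt-net", "chd": False},
    "hr-portal":    {"segment": "corp-net", "chd": False},
    "dev-build-01": {"segment": "dev-net",  "chd": False},
}
# Data-flow diagram edges: cardholder data travels from source to destination
DATA_FLOWS = [("pos-app-01", "tokenizer-01"), ("tokenizer-01", "card-db-01")]
# Supporting services (provider, consumer) that affect the consumer's security
SUPPORTS = [("ad-dc-01", "pos-app-01"), ("ntp-01", "card-db-01"), ("ntp-01", "hr-portal")]
# Segment pairs with no validated segmentation control between them (flat network)
UNSEGMENTED = {frozenset({"cde-net", "dev-net"})}

def compute_scope(inventory, data_flows, supports, unsegmented):
    """Return {host: reason} for every system component pulled into PCI scope."""
    scope, queue = {}, deque()
    def mark(host, reason):
        if host not in scope:
            scope[host] = reason
            queue.append(host)
    # Rule 1: anything that stores, processes, or transmits cardholder data
    for host, attrs in inventory.items():
        if attrs["chd"]:
            mark(host, "stores/processes CHD")
    for src, dst in data_flows:
        mark(src, "transmits CHD")
        mark(dst, "transmits CHD")
    # Rule 2: same network space as a CDE system, absent segmentation controls
    flat = {inventory[h]["segment"] for h in scope}
    while any(p & flat and not p <= flat for p in unsegmented):  # flood over flat links
        flat |= set().union(*(p for p in unsegmented if p & flat))
    for host, attrs in inventory.items():
        if attrs["segment"] in flat:
            mark(host, "same network space as CDE, no segmentation")
    # Rule 3: services supporting the security of any in-scope component (transitive)
    providers = {}
    for provider, consumer in supports:
        providers.setdefault(consumer, []).append(provider)
    while queue:
        host = queue.popleft()
        for provider in providers.get(host, []):
            mark(provider, f"supporting service for {host}")
    return scope
```

Running `compute_scope(INVENTORY, DATA_FLOWS, SUPPORTS, UNSEGMENTED)` lists seven of the eight hosts with the rule that pulled each one in; only `hr-portal` stays out of scope, since being a consumer of an in-scope NTP server does not itself create scope.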