PCI Requirement 2.4 – Maintain an Inventory of In-Scope System Components

by Randy Bartels / June 30th, 2017

Maintaining an Inventory of Assets

We believe that if management is not aware of an asset, it’s probably not appropriately protected. Based on PCI Requirement 2.4, we think the PCI Security Standards Council and major card brands believe this as well. PCI Requirement 2.4 states, “Maintain an inventory of system components that are in scope for PCI DSS.” In order to comply with PCI Requirement 2.4, your organization must maintain a list of the assets in your environment.

When your organization begins to define the scope of your environment, you will need this current inventory of system components. It will make the scoping process smoother, plus, without this list, some of the assets you are trying to protect may be overlooked and inadvertently excluded from your configuration standards and left vulnerable. If you don’t know what or where your assets are, how can you protect them?

Any time that you add or remove an asset from your environment, your inventory list needs to be updated. PCI Requirement 2.4 is a continuous cycle. During the assessment process, your assessor will take this documented inventory and compare it to your network and data flow diagrams. Your Change Management Program should also be involved in the process of updating this list. PCI Requirement 2.4 ties into PCI Requirements 1.1.1, 1.1.2, and 1.1.3.

PCI DSS Requirement 2.4

I’ve been doing assessments and security for the greater part of my career, and one of the positions that has always become evident to me is that if management isn’t aware of an asset, it’s likely not to be protected. The PCI DSS and the card brands have taken notice of this. When we look at Requirement 2.4, it says that we have to maintain a list of the assets that we have in our environment; these are the physical assets. This is with the intent of: if you don’t know what you have, you typically cannot protect it.

From an assessment perspective, what we’re really looking for here is that you actually have a documented list of the assets. What we do is we take that list and compare that against your network diagram and we look for some correlations there. We also might ask you for a copy of an Nmap scan being run against your environment to compare the IP addresses to the asset list that we’re given. It’s required that you maintain this list. We recommend that you have some type of hook into your Change Management Program. Any time you make a change to your asset inventory, like adding a device to the list or removing a device from the list, we recommend you hang that change control open until such time that the asset inventory in your networking diagrams and your data flow diagrams have been updated to support that.