On the first day in my new role as PCI Compliance Sustainability Program Manager, my boss told me that one of my responsibilities would be managing the PCI in-scope asset inventory.  I initially thought “this should be easy. We have an asset management system so I’ll just pull a report and see what I’m working with.”

To say I didn’t have a clue is an understatement. Not only were we not keeping track of what was and what was not a PCI In-scope asset in our asset management system, there was no way of tagging an asset as PCI in-scope even if I wanted to. The tool was not set up for such a thing.

Two weeks and dozens of emails later I was handed several Excel spreadsheets containing what was supposed to be an accounting of our PCI In-scope assets. What was I supposed to do with this information?

  • How would I maintain it?
  • How would I validate it?
  • How would I use it to ensure that the controls we had implemented were being used on every one of these assets?

That was just the beginning of the headache. In the world of PCI the hardware and software aren’t the only assets considered in-scope. There are people and processes as well.

Did you know that one of the first steps you must take before you kick off a PCI Report on Compliance is to perform a scoping exercise?  When I initiated my first scoping assessment, I quickly discovered my company was overly cautious when they initially stood up PCI and brought more assets into scope than needed.  They also did not have processes in place to identify changes to our asset inventory in an environment that was constantly changing.

I had nearly a year’s worth of work in front of me that needed to be done in a month. I created a PCI inventory system that encompassed people, processes and systems that were legitimately in scope for PCI DSS assessment. Being able to monitor and manage your in-scope assets is critical to the success of your PCI Report on Compliance.

At Payment Card Assessments, we can help you stand up a Sustainability Program with processes and procedures that will help you sustain a PCI In-scope Asset Inventory you can have confidence in.

Request a call back today!
