On the first day in my new role as PCI Compliance Sustainability Program Manager, my boss told me that one of my responsibilities would be managing the PCI in-scope asset inventory. I initially thought “this should be easy. We have an asset management system so I’ll just pull a report and see what I’m working with.”
To say I didn’t have a clue is an understatement. Not only were we not keeping track of what was and what was not a PCI In-scope asset in our asset management system, there was no way of tagging an asset as PCI in-scope even if I wanted to. The tool was not setup for such a thing.
Two weeks and dozens of emails later I was handed several Excel spreadsheets containing what was supposed to be an accounting of our PCI In-scope assets. What was I supposed to do with this information?
- How would I maintain it?
- How would I validate it?
- How would I use it to ensure that the controls we had implemented were being used on every one of these assets?
That was just the beginning of the headache. In the world of PCI the hardware and software aren’t the only assets considered in-scope. There are people and processes as well.
Did you know that one of the first steps you must take before you kick off a PCI Report on Compliance is to perform a scoping exercise? When I initiated my first scoping assessment, I quickly discovered my company was overly cautious when they initially stood up PCI and brought more assets into scope than needed. They also did not have processes in place to identify changes to our asset inventory in an environment that was constantly changing.
I had nearly a year’s worth of work in front of me that needed to be done in a month. I created a PCI inventory system that encompassed people, processes and systems that were legitimately in scope for PCI DSS assessment. Being able to monitor and manage your in scope assets is critical to the success of your PCI Report on Compliance.
At Payment Card Assessments, we can help you standup a Sustainability Program with processes and procedures that will help you sustain a PCI In-scope Asset Inventory you can have confidence in.
Request a call back today!
