The Payment Card Industry Data Security Standard - commonly known as PCI DSS - is an important standard that serves to protect payment card information online. While no standard or framework is a silver bullet to preventing payment card information from being stolen, PCI DSS requirements establish important baselines for companies to follow.
Who Does PCI DSS Apply To?
The PCI DSS applies to any organization that stores, processes, or transmits cardholder data. In practice, that covers a large set of organizations across retail, ecommerce, finance, point-of-sale manufacturing and more.
Companies that don't comply can face monthly fines, and the level of scrutiny a company receives depends on the number of transactions it processes annually. For example, companies that only process thousands of transactions per year may only have to self-assess, while companies that process millions of transactions may be subject to an independent audit.
The Importance of Asset Management in PCI DSS
Like many other frameworks, PCI DSS calls for an inventory of all assets. In fact, maintaining an asset inventory of all in-scope PCI assets is found in the second requirement (#2.4). According to this requirement, in-scope assets can include physical devices like servers and desktops, and also networks and wireless access points, software, user accounts and more.
PCI DSS also requires companies to maintain an up-to-date list of devices, including make and model, location, serial number, or another method of unique identification (#9.9.1).
PCI Asset Inventory Challenges
One of the most common challenges organizations face with asset management for PCI compliance is accurately tracking and accounting for every in-scope PCI asset in the environment. Today, many companies still maintain asset inventories in spreadsheets or in platforms that require manual work.
These manual processes simply can't keep pace with today's rapidly changing IT environment, and as a result, inventories of PCI assets are often out of date, inaccurate, or of little practical use.
How Cybersecurity Asset Management Can Help With PCI DSS
Cybersecurity asset management platforms deliver a modern approach to asset management: they start by aggregating data from existing sources to build a comprehensive asset inventory, then discover which devices are unmanaged or misconfigured, and finally show whether each asset adheres to or deviates from policy.
Axonius engaged Tevora, a security and risk management consulting firm, an accredited PCI Qualified Security Assessor (QSA) and HITRUST Assessor, to conduct an independent, in-depth evaluation of how cybersecurity asset management platforms help meet applicable PCI DSS Version 3.2.1 requirements.
Beyond continuously gathering an inventory of in-scope assets, cybersecurity asset management platforms can be used to help with many other PCI requirements.
PCI Requirement 8.1
PCI requirement 8.1 is to define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators. This includes assigning users a unique ID, controlling credentials and other identifiers and revoking access for terminated users.
User information can be gleaned from directory services, identity and access management solutions and more. Cybersecurity asset management platforms connect to those tools to correlate user data together. With all user data in one place, you can define queries to look up specific users by ID or search for specific conditions.
PCI Requirement 11.2
PCI requirement 11.2 is to run internal and external network vulnerability scans at least quarterly and after any significant change in the network.
By connecting to vulnerability assessment solutions, cybersecurity asset management platforms make it easy to verify that assets are being assessed for vulnerabilities at the proper cadence. For example, you can find assets not assessed for vulnerabilities in the last quarter (90 days).
Looking for more examples of how Axonius can help evaluate PCI compliance? Download the Axonius Cybersecurity Asset Management PCI DSS Compliance review here.