The Payment Card Industry Data Security Standard - commonly known as PCI DSS - is an important standard that serves to protect payment card information online. While no standard or framework is a silver bullet for preventing payment card information from being stolen, PCI DSS requirements establish important baselines for companies to follow.
Who Does PCI DSS Apply to?
The PCI DSS applies to any organization that stores, processes, or transmits cardholder data. In practice, that means PCI DSS applies to a large set of organizations across retail, e-commerce, finance, point-of-sale manufacturers, and more.
Companies that don't comply can face monthly fines - and depending on the number of annual transactions a company processes, they are subject to different levels of scrutiny. For example, companies that only process thousands of transactions per year may only have to self-assess, but companies that process millions of transactions may be subject to an independent audit.
The Importance of Asset Management in PCI DSS
Like many other frameworks, PCI DSS calls for an inventory of all assets. In fact, maintaining an asset inventory of all in-scope PCI assets is found in the second requirement (#2.4). According to this requirement, in-scope assets can include physical devices like servers and desktops, and also networks and wireless access points, software, user accounts, and more.
PCI DSS also requires companies to maintain an up-to-date list of devices including make and model, location, serial number, or other method of unique identification (#9.9.1).
PCI Asset Inventory Challenges
One of the most common challenges for organizations when dealing with asset management for PCI compliance is accurately tracking and accounting for all in-scope PCI assets in an environment. Today, many companies are maintaining asset inventories in spreadsheets or platforms that require manual work.
These manual processes simply don't keep up with today's rapidly changing IT environment, and as a result inventories of PCI assets may not be up-to-date, accurate, or useful.
How Axonius Can Help With PCI DSS
Axonius delivers a modern approach to asset management that starts with aggregating data to get comprehensive asset inventory, discovering which devices are unmanaged or misconfigured, and understanding whether every asset adheres to or deviates from policies.
Axonius engaged Tevora, a security and risk management consulting firm, an accredited PCI Qualified Security Assessor (QSA), and HITRUST Assessor, to conduct an independent, in-depth evaluation of Axonius against the applicable PCI DSS Version 3.2.1 requirements.
Beyond continuously gathering an inventory of in-scope assets, Axonius can be used to help with many other PCI requirements.
PCI requirement 8.1 is to define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators. This includes assigning users a unique ID, controlling credentials and other identifiers, and revoking access for terminated users.
The Users page in Axonius displays IDs for unique users. User information can be gleaned from directory services, identity and access management solutions, and more. From the Users page, you can define queries to look up specific users by ID or search for specific conditions. The video below shows how to find user accounts that are still active for inactive or terminated users.
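The check described above can be expressed as a reconciliation between the accounts a directory reports and the HR system's view of who still works at the company. The following is an added example, not Axonius code or the Axonius query language: it runs over a small constructed set of directory accounts and HR records (the `Account` and `HrRecord` types, the sample data, and the 90-day idle threshold are all assumptions for illustration) and returns the two populations PCI DSS requirement 8.1 cares about, enabled accounts belonging to terminated users and enabled accounts that have gone dormant.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Account:
    """One account as reported by a directory service (constructed shape)."""
    user_id: str                 # the unique ID PCI DSS 8.1 requires per user
    enabled: bool
    last_logon: Optional[date]   # None if the account has never logged on


@dataclass(frozen=True)
class HrRecord:
    """One person as reported by the HR system (constructed shape)."""
    user_id: str
    status: str                  # "active" or "terminated"
    termination_date: Optional[date]


# Constructed sample data; real data would come from the directory and HR exports.
ACCOUNTS: List[Account] = [
    Account("asmith", True, date(2021, 5, 28)),    # active employee, recent logon
    Account("jdoe", True, date(2021, 4, 2)),       # terminated in HR, still enabled
    Account("bkim", False, date(2021, 1, 15)),     # terminated in HR, already disabled
    Account("svc-batch", True, date(2020, 11, 1)), # enabled but idle for months
    Account("mlee", True, None),                   # enabled, never logged on
]

HR: List[HrRecord] = [
    HrRecord("asmith", "active", None),
    HrRecord("jdoe", "terminated", date(2021, 4, 30)),
    HrRecord("bkim", "terminated", date(2021, 1, 20)),
]

TODAY = date(2021, 6, 1)  # fixed "today" so the example is reproducible


def accounts_for_terminated_users(accounts: List[Account], hr: List[HrRecord]) -> List[str]:
    """Enabled accounts whose owner HR lists as terminated (access never revoked)."""
    terminated = {r.user_id for r in hr if r.status == "terminated"}
    return sorted(a.user_id for a in accounts if a.enabled and a.user_id in terminated)


def dormant_accounts(accounts: List[Account], today: date, max_idle_days: int = 90) -> List[str]:
    """Enabled accounts with no logon inside the idle window.

    An account that has never logged on is treated as dormant as well, since
    there is no evidence it is in use. The 90-day window is an assumption here;
    it matches PCI DSS 8.1.4's 90-day limit for inactive accounts.
    """
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(
        a.user_id
        for a in accounts
        if a.enabled and (a.last_logon is None or a.last_logon < cutoff)
    )


if __name__ == "__main__":
    print("enabled accounts of terminated users:", accounts_for_terminated_users(ACCOUNTS, HR))
    print("dormant enabled accounts:", dormant_accounts(ACCOUNTS, TODAY))
```

Disabled accounts are deliberately excluded from both lists: the finding PCI DSS cares about is access that still works, so an account that HR says is terminated but the directory already shows as disabled is evidence of the revocation process functioning, not a gap.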
PCI requirement 11.2 is to run internal and external network vulnerability scans at least quarterly and after any significant change in the network.
By connecting to vulnerability assessment solutions, Axonius makes it easy to verify that assets are being assessed for vulnerabilities at the proper cadence. The video below shows how to find assets not assessed for vulnerabilities in the last quarter (90 days).
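The same "last assessed more than 90 days ago" query can be checked outside any particular tool once you have an inventory joined to scan results. This added example is not Axonius code; it runs over a constructed inventory (the `Asset` shape, the sample hosts, the fixed date and the 90-day window are all assumptions) and flags every in-scope asset that fails requirement 11.2 for one of three reasons: it was never assessed, its last assessment is older than the quarterly window, or it has had a significant change since its last assessment, which is the second trigger the requirement names.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Asset:
    """One system component from the inventory, joined to scanner data (constructed shape)."""
    hostname: str
    in_scope: bool                  # part of the cardholder data environment
    last_scanned: Optional[date]    # most recent vulnerability assessment, None if never
    last_change: Optional[date]     # most recent significant change, None if unknown


# Constructed sample inventory; real data would come from the asset inventory
# and the vulnerability assessment solution.
ASSETS: List[Asset] = [
    Asset("pos-gw-01", True, date(2021, 5, 20), None),                 # assessed recently
    Asset("db-card-01", True, date(2021, 1, 3), None),                 # assessment too old
    Asset("web-cde-02", True, None, None),                             # never assessed
    Asset("app-cde-03", True, date(2021, 4, 1), date(2021, 5, 10)),    # changed after last scan
    Asset("hr-wiki-01", False, date(2020, 6, 1), None),                # out of scope, ignored
]

TODAY = date(2021, 6, 1)  # fixed "today" so the example is reproducible


def assessment_gaps(assets: List[Asset], today: date, max_age_days: int = 90) -> Dict[str, str]:
    """Map each non-compliant in-scope hostname to the reason it fails 11.2.

    Out-of-scope assets are skipped: PCI DSS scanning cadence applies to the
    cardholder data environment, and flagging everything else only adds noise.
    """
    cutoff = today - timedelta(days=max_age_days)
    gaps: Dict[str, str] = {}
    for asset in assets:
        if not asset.in_scope:
            continue
        if asset.last_scanned is None:
            gaps[asset.hostname] = "never assessed"
        elif asset.last_scanned < cutoff:
            age = (today - asset.last_scanned).days
            gaps[asset.hostname] = f"last assessed {age} days ago"
        elif asset.last_change is not None and asset.last_change > asset.last_scanned:
            # Within the window, but the "after any significant change" trigger fired.
            gaps[asset.hostname] = "changed since last assessment"
    return gaps


if __name__ == "__main__":
    for host, reason in sorted(assessment_gaps(ASSETS, TODAY).items()):
        print(f"{host}: {reason}")
```

The ordering of the checks matters: an asset that was never scanned is reported as such rather than as "changed since last assessment", and the change check only runs for assets that are otherwise inside the window, so each host appears once with the most fundamental reason.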