WithPCI.com

12.5.1 An inventory of system components that are in scope for PCI DSS

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

12.5.1 An inventory of system components that are in scope for PCI DSS, including a description of function/use, is maintained and kept current.

Customized Approach Objective

All system components in scope for PCI DSS are identified and known.

Defined Approach Testing Procedures

12.5.1.a Examine the inventory to verify it includes all in-scope system components and a description of function/use for each.

12.5.1.b Interview personnel to verify the inventory is kept current.

Purpose

Maintaining a current list of all system components will enable an organization to define the scope of its environment and implement PCI DSS requirements accurately and efficiently. Without an inventory, some system components could be overlooked and be inadvertently excluded from the organization's configuration standards.

Good Practice

If an entity keeps an inventory of all assets, those system components in scope for PCI DSS should be clearly identifiable among the other assets.

Inventories should include containers or images that may be instantiated.

Assigning an owner to the inventory helps to ensure the inventory stays current.

Examples

Methods to maintain an inventory include a database, a series of files, or an inventory-management tool.

Further Information

Purpose

Maintain a list of all PCI DSS requirements and assign responsibility for each.

Compliance Strategies

  • Responsibility matrix
  • Regular review of assignments

Typical Policies

  • PCI DSS Responsibility Matrix

Common Pitfalls

  • Unassigned requirements
  • Outdated matrix

Type

Governance

Difficulty

Low

Key Risks

  • Unmanaged compliance areas

Recommendations

  • Review matrix during annual assessments

Eligible SAQ

  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
