Cardholder data flows everywhere: through applications, systems, and network infrastructure devices. An inventory of the systems that store, process, or transmit cardholder data is a valuable tool when scoping an assessment, because it shows where the data actually lives and where scope-reduction controls have to be verified.
- An inventory of all systems that store, process, and/or transmit cardholder data must be maintained
- The inventory may be in any usable format
- Suggestion: Information to be maintained in the inventory could include:
  - System name
  - Cardholder data stored (list fields)
  - Reason for storage
  - Retention period
  - Protection mechanism
    - Including methods for protecting stored PANs per PCI DSS 3.4 (e.g. hashing, encryption, truncation)
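A small inventory model with a validation pass, added here as an example and not taken from the page or from the PCI SSC: the entry fields mirror the suggested list above, and the checks flag an entry that stores PAN without naming one of the PCI DSS 3.4 mechanisms, lacks a documented reason, or has no retention period. The sample systems, the first-6/last-4 truncation width and the keyed-hash helper are assumptions for illustration.

```python
"""Cardholder-data inventory with a consistency check (illustrative, not an
official PCI tool). Field names, sample systems and truncation width are
assumptions; the protection set follows the page's PCI DSS 3.4 examples."""
from dataclasses import dataclass
import hashlib
import hmac

# Protection mechanisms the page names for stored PANs (PCI DSS 3.4 examples).
PAN_PROTECTIONS = {"hashing", "encryption", "truncation"}


@dataclass
class InventoryEntry:
    system_name: str
    chd_fields: list        # cardholder data stored, e.g. ["PAN", "expiry"]
    reason: str             # documented business reason for storage
    retention_days: int     # retention period; 0 means none defined
    protection: str         # mechanism applied to stored PAN


def truncate_pan(pan: str) -> str:
    """Truncation: keep only the first 6 and last 4 digits and drop the rest.
    The digit counts are an assumption; the page does not state them."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("PAN too short")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the PAN. An unkeyed hash of a 16-digit value with a
    predictable prefix and check digit is cheap to brute-force, so a secret
    key is mixed in; the key itself must be stored and managed separately."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def validate_inventory(entries):
    """Return (system_name, problem) findings for entries that fall short of
    the inventory fields suggested above."""
    findings = []
    for e in entries:
        if not e.reason.strip():
            findings.append((e.system_name, "no documented reason for storage"))
        if e.retention_days <= 0:
            findings.append((e.system_name, "no retention period defined"))
        if "PAN" in e.chd_fields and e.protection not in PAN_PROTECTIONS:
            findings.append((e.system_name,
                             f"PAN stored without a PCI DSS 3.4 mechanism "
                             f"(got {e.protection!r})"))
    return findings


# Constructed sample inventory: one compliant entry, one with gaps.
SAMPLE_INVENTORY = [
    InventoryEntry("payment-gateway", ["PAN", "expiry"],
                   "authorisation and settlement", 90, "encryption"),
    InventoryEntry("legacy-batch-export", ["PAN", "expiry"],
                   "nightly settlement file", 0, "none"),
]


if __name__ == "__main__":
    print(truncate_pan("4111 1111 1111 1111"))   # sample number, not a real card
    for system, problem in validate_inventory(SAMPLE_INVENTORY):
        print(f"{system}: {problem}")
```

Running the validation over the constructed inventory reports the legacy export twice: once for the missing retention period and once for storing PAN with no recognised protection mechanism, which is exactly the kind of system an assessor wants surfaced before scoping starts.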