PCI Requirement 12.3.7 – List of Company-Approved Products
Acceptable Products
Your usage policies, as stated in PCI Requirement 12.3.7, should include a list of company-approved products. This list will correlate with your acceptable uses of technology policy to create strong and secure usage policies. The PCI DSS explains that by defining company-approved products, your organization will be better equipped to manage and control gaps in configurations and operational controls, ensuring that a back door is not opened for attackers.
To test compliance with PCI Requirement 12.3.7, an assessor will need to examine your usage policies to ensure that they include a list of company-approved products, or they may interview your personnel to see if they know which types of products are approved.
You need to maintain a formal list of the technology that’s actually approved to be used in your environment. Your assessor is likely not only going to look to see what that policy is, but they’re then likely to ask you for that list of approved technologies that can be used within your environment.