PCI Requirement 12.3.3 – A List of All Devices and Personnel with Access

by Randy Bartels / July 3rd, 2018

Approved Devices and Personnel with Access

To create compliant usage policies, your organization must meet PCI Requirement 12.3.3, which requires you to keep a list of all devices and personnel with access. Lists of approved devices and personnel come up repeatedly throughout the PCI DSS, and PCI Requirement 12.3.3 is where the list itself is required. Without a list of all devices and personnel with access, an attacker could place their own device on your network and no one would be able to quickly tell whether it was approved. Your own personnel could also disregard or bypass physical security procedures and install unapproved devices. Compliance with PCI Requirement 12.3.3 means being able to quickly tell non-approved devices and personnel from approved ones.

To test compliance with PCI Requirement 12.3.3, an assessor will examine your usage policies to verify that they include a list of all devices and personnel with access.

You need to maintain a list of all the assets in your environment and the individuals who are authorized to use them. This is more than a statement in a usage policy: the list is an artifact of its own. From an assessment perspective, your assessor is likely to ask you for that list and check it against what is actually in place, to verify that you are following your own policies.
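The practical value of the list is that you can reconcile it against what is actually on the network. The following is an added example, not code from the original post or from any PCI tool: it loads a constructed approved-device inventory and a constructed set of currently authorized personnel, compares them against a constructed DHCP-lease/ARP style snapshot of one network segment, and reports devices that are not on the list, approved devices whose registered owner is no longer authorized, and approved devices that were not seen. All MAC addresses, hostnames, user names and IP addresses are hypothetical sample data.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed sample inventory (hypothetical): the policy's list of approved devices,
# each tied to the person authorized to use it. In practice this comes from your asset register.
APPROVED_INVENTORY_CSV = """\
mac,hostname,owner,role
00:11:22:33:44:01,pos-01,jdoe,cashier
00:11:22:33:44:02,pos-02,asmith,cashier
00:11:22:33:44:03,mgr-laptop,mlee,store-manager
00:11:22:33:44:04,kiosk-01,bjones,contractor
"""

# Constructed sample (hypothetical): personnel currently authorized for access.
# 'bjones' has been removed, but the kiosk registered to them is still in the inventory.
AUTHORIZED_PERSONNEL = {"jdoe", "asmith", "mlee"}

# Constructed sample snapshot (hypothetical) in "ip mac hostname" form, as you might
# export from a DHCP server or an ARP table. MAC formatting deliberately varies.
OBSERVED_SNAPSHOT = """\
# ip            mac                 hostname
10.10.5.11      00:11:22:33:44:01   pos-01
10.10.5.12      00-11-22-33-44-02   pos-02
10.10.5.14      00:11:22:33:44:04   kiosk-01
10.10.5.50      DE-AD-BE-EF-00-01   android-9f3c
"""


@dataclass(frozen=True)
class Device:
    mac: str
    hostname: str
    owner: str
    role: str


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 'DE-AD-...' and 'de:ad:...' compare equal."""
    hexdigits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_inventory(csv_text: str) -> dict[str, Device]:
    """Approved-device list keyed by normalized MAC."""
    devices: dict[str, Device] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        mac = normalize_mac(row["mac"])
        devices[mac] = Device(mac, row["hostname"], row["owner"], row["role"])
    return devices


def parse_snapshot(text: str) -> list[tuple[str, str, str]]:
    """(ip, normalized mac, hostname) for every non-comment line of the snapshot."""
    seen = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, mac, hostname = line.split()
        seen.append((ip, normalize_mac(mac), hostname))
    return seen


def reconcile(inventory: dict[str, Device], authorized: set[str],
              snapshot: list[tuple[str, str, str]]) -> dict[str, list]:
    """Compare what is on the wire against the approved list and the authorized personnel."""
    findings: dict[str, list] = {
        "unapproved_device": [],      # on the network, not on the list
        "owner_not_authorized": [],   # on the list, but its owner is no longer authorized
        "approved_not_seen": [],      # on the list, not observed (inventory drift, or offline)
    }
    observed = set()
    for ip, mac, hostname in snapshot:
        observed.add(mac)
        device = inventory.get(mac)
        if device is None:
            findings["unapproved_device"].append((ip, mac, hostname))
        elif device.owner not in authorized:
            findings["owner_not_authorized"].append((ip, mac, device.owner))
    for mac, device in inventory.items():
        if mac not in observed:
            findings["approved_not_seen"].append((mac, device.hostname))
    return findings


def run_sample() -> dict[str, list]:
    """Run the reconciliation over the constructed sample data."""
    return reconcile(parse_inventory(APPROVED_INVENTORY_CSV),
                     AUTHORIZED_PERSONNEL,
                     parse_snapshot(OBSERVED_SNAPSHOT))


if __name__ == "__main__":
    for category, items in run_sample().items():
        print(f"{category}:")
        for item in items:
            print("   ", *item)
```

On the sample data this flags the unknown Android device as unapproved, the kiosk as an approved device whose owner is no longer authorized, and the manager's laptop as approved but not seen. A snapshot like this is a point-in-time view and a MAC address can be spoofed, so treat the reconciliation as the evidence that your list is maintained and actually used, not as a substitute for network access control.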