PCI Requirement 12.3.4 – A Method to Accurately and Readily Determine Owner, Contact Information, and Purpose

by Randy Bartels / July 3rd, 2018

Identification System

Your usage policies should have a method for identifying who an asset owner is. PCI Requirement 12.3.4 specifically details, “A method to accurately and readily determine owner, contact information, and purpose.” This doesn’t mean you need a label on every device defining who the owner is, but you do need to have an identification system. This could be a serial number that traces back to the owner. Without a method to accurately and readily determine the owner and purpose of a device, an attacker could place their own devices on your network, and no one would be able to quickly tell whether a given device was approved or not.

Compliance with PCI Requirement 12.3.4 means being able to quickly identify non-approved versus approved devices, their owner, and purpose.

Think about this scenario: you walk into an environment such as your data center and all of a sudden, you see a server there that is smoking or you see a server there that shouldn’t be there. Do you have the means or methods within your organization to identify what the asset is and who owns it? PCI Requirement 12.3.4 establishes the need for being able to do that. We don’t necessarily require that you put a sticker on there with the name and the person. We find that a lot of organizations might have an asset list that’s traceable back to a serial number that they keep somewhere that defines what it is and who it’s for. Your assessor should not only be looking for the policy but looking to see that you’re actually carrying out this activity.
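
The asset list described above, as an added example that is not from the original article: serial numbers observed during a walk-through are reconciled against an inventory, flagging devices that are not listed and records that lack an owner, contact or purpose. The CSV layout, serial numbers, team names and addresses are constructed assumptions.

```python
import csv
import io

REQUIRED = ("owner", "contact", "purpose")  # the three facts 12.3.4 names

# Constructed sample inventory (hypothetical serials, owners and addresses).
INVENTORY_CSV = """serial,owner,contact,purpose
SN-1001,Payments Ops,payops@example.com,Cardholder data DB server
SN-1002,Network Team,netops@example.com,Core switch
SN-1003,Facilities,,Badge reader controller
"""

# Constructed list of serials seen during a walk-through or discovery scan.
OBSERVED = ["sn-1001", " SN-1002 ", "SN-1003", "SN-9999"]


def normalize(serial):
    """Serials get typed inconsistently; compare them trimmed and upper-cased."""
    return serial.strip().upper()


def load_inventory(text):
    """Return {serial: {owner, contact, purpose}} from CSV text."""
    records = {}
    for row in csv.DictReader(io.StringIO(text)):
        fields = {k: (row.get(k) or "").strip() for k in REQUIRED}
        records[normalize(row["serial"])] = fields
    return records


def reconcile(inventory, observed):
    """Sort observed serials into approved, incomplete and unknown."""
    result = {"approved": [], "incomplete": {}, "unknown": []}
    for raw in observed:
        serial = normalize(raw)
        record = inventory.get(serial)
        if record is None:
            result["unknown"].append(serial)        # not in the asset list
            continue
        missing = [f for f in REQUIRED if not record[f]]
        if missing:
            result["incomplete"][serial] = missing  # listed, not fully traceable
        else:
            result["approved"].append(serial)
    return result


if __name__ == "__main__":
    report = reconcile(load_inventory(INVENTORY_CSV), OBSERVED)
    for status, items in report.items():
        print(status, items)
```

An "incomplete" result matters as much as an "unknown" one: a device that is on the list but has no contact cannot be traced to a person readily.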