What must PCI DSS require regarding inventory of system components?

• A. Do not maintain any inventory.
• B. Maintain an inventory only for cardholder data environments.
• C. Maintain an inventory of assets that are not related to PCI.
• D. Maintain an inventory of all system components that are in scope for PCI DSS.

Answer: (D)

Having an up-to-date inventory of every system component that is in scope for PCI DSS is essential for securing the environment that processes, stores, or transmits cardholder data. Knowing every device, server, application, and network component that could affect card data lets you apply protections consistently, track changes, and verify that all in-scope elements are configured and monitored properly. The inventory should encompass all components within the Cardholder Data Environment and any systems connected to or supporting it, not just those that store or directly handle card data. This visibility supports key practices like patch management, access control, and change management, and it helps prevent gaps where an untracked device could bypass controls. Options that suggest skipping inventory, limiting it only to the cardholder data environment, or focusing on assets unrelated to PCI miss critical components that can influence security and compliance.