PCI DSS 1.2.2: Identify and Approve All Network Services and Ports
Unauthorized services and ports create exploitable gaps in your payment card environment. PCI DSS 1.2.2 requires you to inventory every allowed service, protocol, and port with documented business justification. This control is the foundation of network segmentation and the first step toward eliminating unnecessary attack surfaces.
What this means
Your organization must maintain a comprehensive list of all approved network services, protocols, and ports active on systems in the cardholder data environment (CDE). Each entry must include a specific business reason for its presence. Services without documented need represent compliance gaps and security risks. This is an inventory and approval control—not a technical configuration control—that enables you to audit what's actually running.
How to comply
- 1.Conduct a network inventory across all CDE systems using port scanning and service detection tools to identify what's currently running
- 2.Document every active service, protocol, and port with its business purpose and owner assignment
- 3.Establish an approval workflow requiring business justification for each service before it can be added to the allowed list
- 4.Remove or disable any services that lack documented approval or business need
- 5.Review and update the approved services inventory at least annually or whenever network changes occur
- 6.Maintain audit logs showing who approved which services and when approvals were granted
Evidence auditors look for
- Spreadsheet or database listing all approved services, protocols, ports, and business justifications with approval signatures
- Network scanning reports showing current services compared against the approved list
- Service approval forms or change requests with documented business need before deployment
- Firewall rules and configurations reflecting only approved services and ports
- Annual review documentation with sign-offs confirming the approved services list remains accurate
- Removal records showing decommissioned services and their justification
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates service discovery across your CDE, compares running services against your approved list, and generates approval workflows with audit trails—eliminating manual scanning and reducing the time spent on 1.2.2 inventory updates from weeks to hours.
See how GRCWatch handles this control automatically
Start free trial