Meet CybrIQ at InfoComm 2026 · Booth C5052 · June 13–19 · Las Vegas · Pre-book a working session →
Case Study · Retail · National Specialty Retailer

Twelve store locations. One PCI cycle. ~28% register gap, closed.

A national specialty retailer with several hundred US store locations ran SpacesIQ across twelve stores in a single rollout, ahead of its annual PCI 4.0 assessment. The platform produced a per-location inventory in the same evidence shape across all twelve stores, identified an average ~28% gap between asset register and wire, and closed the inventory-completeness finding (PCI Requirement 12.5.1) at the next assessment cycle. Engagement anonymized at the customer's request.

  • 12: stores fingerprinted in a single multi-site rollout, with the same evidence shape per location.
  • ~28%: average gap between asset register and wire across the twelve stores.
  • PCI 12.5.1: inventory-completeness finding closed at the next PCI assessment.

The setup

The customer is a publicly traded specialty retailer with several hundred US store locations and a federal-contracts arm (uniforms and supply for federal accounts) that pulls the company under NDAA Section 889 enforcement. Compliance: PCI DSS 4.0 across every POS-bearing location (annual assessment), state privacy laws (CCPA/CPRA, VCDPA), NDAA 889 for the federal-contracts arm, ISO 27001 for the corporate IT estate.

The recurring problem: PCI inventory-completeness was a finding at every annual assessment. The customer's PCI program leaned on store-level managers to maintain a per-store device list; the assessor's spot-check sampling consistently turned up devices on the wire that were not on the manager's list. Most were vendor-managed signage controllers, kiosks, and POS-accessory hardware (label printers, scanners) installed during quarterly visual-merchandising refreshes that did not flow through central IT change management.

The ask: produce a consistent per-store evidence shape that the QSA could take at face value, sample any store from, and verify rather than reconstruct.

Why CybrIQ

The retailer's CISO and PCI program lead chose CybrIQ specifically for its ability to produce identical evidence shape across many low-touch sites. The store-level network is intentionally simple: a single switch, a wireless AP, a POS controller, signage players. Agent-based tooling at hundreds of stores is operationally untenable; CybrIQ's passive Layer 1 read deploys without per-store IT involvement.

The decision criteria were narrow:

  • Identical evidence shape across sites. The QSA had to be able to sample any of the 12 stores and see the same record format, dated and structured the same way.
  • Zero per-store IT involvement. Stores do not have on-site IT staff; the deployment had to be remote-installable by mailing the appliance to each location.
  • NDAA 889 enforcement on the same record. Signage and camera systems flagged for prohibited components without a separate scan.
  • PCI scope clarity. The evidence had to make in-scope vs out-of-scope device classifications obvious for the assessor.

The engagement

The engagement scoped 12 stores in a single region: a mix of mall locations, freestanding stores, and one outlet center. Appliances shipped to each store; on-site staff plugged them into the network drop that the deployment guide identified. Within 48 hours of each store's appliance going live, the per-store inventory landed in the central CybrIQ tenant. The PCI program lead and the retailer's QSA each joined a Day-7 review.

Screenshot: a CybrIQ policy-editor view configuring an NDAA 889 enforcement rule. The same rule applies across all twelve store locations, blocking covered components from prohibited vendors regardless of how the device is labeled.

Screenshot: twenty-six ports listed with detected device counts and per-port risk scores. Several ports show multiple detected devices, indicating gear plugged in behind the port that the asset register did not account for.

What the wire showed

  • Average ~28% gap between asset register and wire across all 12 stores. Range was 18% to 41% depending on store age and refresh cadence; the worst gaps were at the locations with the most recent visual-merchandising refresh.
  • 9 NDAA-prohibited components identified across the 12 stores. All were inside vendor-managed signage controllers labeled as a US-vendor brand. Auto-blocked at the wire on identification; the federal-contracts arm had been carrying 889 obligations the visual-merchandising team did not know about.
  • 3 unmanaged switches in the back-of-store network closets. All three predated the current store managers; no one knew when they had been installed.
  • 17 wireless devices on the corporate VLAN that should have been on the guest VLAN. Customer-facing kiosks misconfigured during installation; CybrIQ flagged them as PCI-scope expansion candidates on Day-2.
  • 5 POS accessory devices (label printers, scanners) with firmware older than the platform's PCI 4.0 minimum. Easy fix once visible; impossible to find before deployment.
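The findings above are all products of one reconciliation: the manager's register on one side, the devices fingerprinted on the wire on the other, and a fixed-shape evidence record per store that an assessor can sample. The script below is an added illustration of that reconciliation and is not CybrIQ's code or output. Every MAC, store id, date, VLAN id, firmware floor and the prohibited-vendor set is a constructed placeholder, and the register gap is defined here as the share of devices seen on the wire that are absent from the register; the page does not state how the platform computes its figure.

```python
"""Added example (not CybrIQ's code): reconcile one store's asset register
against devices observed on the wire and emit an evidence record whose keys
are identical for every store. All data below is constructed."""
from dataclasses import dataclass
import json

# Hypothetical policy inputs: placeholders, not real PCI or NDAA 889 lists.
PCI_MIN_FIRMWARE = {"label-printer": "2.4.0", "scanner": "5.1.0"}
CORP_VLAN, GUEST_VLAN = 10, 40
PROHIBITED_COMPONENT_VENDORS = {"placeholder-prohibited-vendor"}
# The fixed evidence shape: a sampler can read any store's record the same way.
EVIDENCE_KEYS = ("schema", "store_id", "as_of", "observed", "registered",
                 "unregistered", "not_seen", "register_gap_pct", "findings")


@dataclass(frozen=True)
class Observed:
    """One device as fingerprinted on the wire (constructed fields)."""
    mac: str
    device_class: str
    vlan: int
    firmware: str = ""
    label_vendor: str = ""      # brand on the sticker
    component_vendor: str = ""  # maker of the fingerprinted internal module


def version(s):
    """Dotted version string -> comparable tuple; unknown firmware sorts lowest."""
    return tuple(int(p) for p in s.split(".")) if s else (0,)


def reconcile(store_id, register, observed, as_of):
    """Return one evidence record with the keys in EVIDENCE_KEYS, in that order."""
    registered = {m.lower() for m in register}
    seen = {d.mac.lower(): d for d in observed}
    unregistered = sorted(set(seen) - registered)   # on the wire, not on the list
    not_seen = sorted(registered - set(seen))       # on the list, not on the wire
    # Gap = share of devices on the wire that the register did not account for.
    gap = round(100.0 * len(unregistered) / len(seen), 1) if seen else 0.0

    findings = []
    for mac in sorted(seen):
        d = seen[mac]
        if d.device_class == "kiosk" and d.vlan == CORP_VLAN:
            findings.append({"mac": mac, "type": "pci-scope-expansion",
                             "detail": f"kiosk on VLAN {CORP_VLAN}, expected guest VLAN {GUEST_VLAN}"})
        floor = PCI_MIN_FIRMWARE.get(d.device_class)
        if floor and version(d.firmware) < version(floor):
            findings.append({"mac": mac, "type": "firmware-below-minimum",
                             "detail": f"{d.device_class} {d.firmware or 'unknown'} < {floor}"})
        if d.component_vendor in PROHIBITED_COMPONENT_VENDORS:
            findings.append({"mac": mac, "type": "ndaa-889-prohibited-component",
                             "detail": f"labeled {d.label_vendor!r}, component by {d.component_vendor!r}"})

    record = {"schema": "store-inventory/v1", "store_id": store_id, "as_of": as_of,
              "observed": len(seen), "registered": len(registered),
              "unregistered": unregistered, "not_seen": not_seen,
              "register_gap_pct": gap, "findings": findings}
    assert tuple(record) == EVIDENCE_KEYS
    return record


def same_shape(records):
    """Cross-site check: every store's record exposes exactly the same keys."""
    return all(tuple(r) == EVIDENCE_KEYS for r in records)


# Constructed sample for a hypothetical store 0412: 11 listed devices,
# 14 seen on the wire, one listed device absent from the wire.
SAMPLE_REGISTER = [f"00:11:22:00:00:{i:02x}" for i in range(1, 12)]
SAMPLE_OBSERVED = [
    *[Observed(f"00:11:22:00:00:{i:02x}", "register", CORP_VLAN, "3.2.0") for i in range(1, 9)],
    Observed("00:11:22:00:00:09", "label-printer", CORP_VLAN, "2.1.7"),  # below the 2.4.0 floor
    Observed("00:11:22:00:00:0a", "scanner", CORP_VLAN, "5.3.1"),
    # Four devices the register never had (the "refresh" gear):
    Observed("aa:bb:cc:00:00:01", "signage-controller", CORP_VLAN, "1.0.0",
             label_vendor="US brand (placeholder)", component_vendor="placeholder-prohibited-vendor"),
    Observed("aa:bb:cc:00:00:02", "kiosk", CORP_VLAN, "4.0.0"),         # belongs on the guest VLAN
    Observed("aa:bb:cc:00:00:03", "switch", CORP_VLAN),                   # unmanaged closet switch
    Observed("aa:bb:cc:00:00:04", "label-printer", CORP_VLAN, "2.4.0"),   # at the floor, compliant
]

if __name__ == "__main__":
    print(json.dumps(reconcile("0412", SAMPLE_REGISTER, SAMPLE_OBSERVED, "2026-01-01"), indent=2))
```

Running it prints the store's record: 4 of 14 observed devices are unregistered (a 28.6% gap under this definition), one listed device was not seen, and three findings are raised (the old label-printer firmware, the mislabeled signage controller, and the kiosk on the corporate VLAN). The fixed key order is what lets an assessor sample any store and compare records without reconstruction.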

The outcome

The PCI 12.5.1 inventory-completeness finding closed at the next assessment cycle. The QSA took CybrIQ's per-store evidence as the underlying artifact and stopped requesting the manager-maintained device lists; sampling now happens against the platform export, not against in-store walkthroughs. The retailer expanded SpacesIQ to 80 additional stores over the following six months and is on a path to full-footprint coverage. ComplianceIQ wires the evidence into PCI and 889 reporting cycles.

The audit category that produced the most findings on every prior cycle, "asset inventory completeness," has not produced a finding since.

"The QSA used to spot-check our spreadsheet. Now they sample our CybrIQ export. The conversation moved from arguing about the inventory to discussing the controls."

PCI Program Lead, national specialty retailer. Quote anonymized at the customer's request.

Why this engagement is the reference

This engagement is the multi-site retail reference. The same per-store evidence shape across hundreds of stores is what makes PCI 4.0 audit-cycle math work; the 12-store rollout proved the deployment model before the customer expanded.

The ~28% register-gap and 9 NDAA-prohibited-components numbers are this engagement's. The pattern generalizes across multi-site retailers: store-level inventories drift faster than central IT can keep up with.
