The word “scope” gets used a lot when you’re talking about PCI DSS. But it is also often misunderstood. This article provides some basic information about scope and how to start understanding what is in-scope for PCI DSS.
Who is Responsible for Scoping?
Both you and your QSA need to be able to understand the scope of your environment.
As a merchant or service provider, you are responsible for:
- Defining your scope
- Documenting your scope
- Reviewing your scope for accuracy
Your QSA is responsible for validating the scope that you have defined.
That makes it even more important to make sure that when we talk about scope, everyone has the same understanding.
In-Scope or Out-of-Scope?
One of the biggest mistakes the people make is considering that only those systems that store, process, or transmit cardholder data are the only things that is in-scope for PCI DSS. Collectively, this set of systems is referred to as the Cardholder Data Environment, or CDE. But there will always be other systems that come into scope for PCI DSS. We recommend reading the PCI SSC’s Guidance for Scoping and Segmentation, but we will summarise some of the key points here.
For a system to be in-scope for PCI DSS, it only needs to meet any one of the criteria in the bullet points below.
The CDE consists of any systems that:
- Store cardholder data
- Process cardholder data
- Transmit cardholder dat
- Is in the same VLAN as a system that stores, processes, or transmits cardholder data.
Other systems that are in-scope for PCI include:
- Systems that are directly connected to the CDE
- Systems that are indirectly connected to the CDE
- Systems that impact the configuration of systems in the CDE
- Systems that perform security services
- Systems that support PCI DSS requirements
- Systems that provide segmentation.
For a system to be out of scope, it needs to meet all of the criteria from the bullet points below.
- Not part of the CDE
- Not in the same network segment as the CDE
- Cannot connect directly to the CDE
- Cannot connect indirectly to the CDE
- Does not meet any of the CDE or in-scope criteria
Overall, for a system to be out of scope for PCI, it should not be able to connect in any way to the systems that are. It is possible to have shared security services. But you need to make sure that it does not grant any unintended indirect access to the CDE.
How Do You Scope?
We recommend that you start by asking yourself some key questions about your systems and data flows. To start, make sure you have all your key documents and people in a room. This means things like your network diagrams, cardholder data flow diagrams, and people who understand the networks, systems, and applications.
Then you can start asking questions to understand more of your scope, such as:
- Are all the payment channels included in the cardholder data flow diagrams? Do we have any other channels where we get cardholder data or export it?
- Where is credit card data stored, processed, or transmitted? If you don’t store, process, or directly transmit cardholder data, how do your customers transact and how do you protect the transaction process?
- Have you identified each system that performs a function as part of a PCI requirement?
- Are all of the systems you’ve identified so far on the network diagrams?
- Have you looked at the firewalls to identify any connections to the CDE?
- Have you looked at your system inventory to identify what else sits in your CDE?
Once you start answering these basic questions you get a better idea of what might be in-scope for PCI DSS and how you can remove things from scope. While this level of detail may seem like a lot of work, it will help you develop a clear picture of what your environment looks like and help ensure that you are applying the relevant PCI controls to avoid scope creep and surprises during your assessment.
If you need help with scoping, Confide can assist with scope reviews regardless of your size or transaction processes. Contact us to find out how we can help define, document, and in some cases reduce your scope.