Blog Articles

Understanding Scope for PCI-DSS


Compliance Informational Blog

Understanding Scope for PCI-DSS: What you need to know

Understanding, documenting and maintaining the scope of PCI-DSS is the most important factor for building the foundation of a successful PCI-DSS program. Systems that store, process or transmit credit card data as well as security and access control systems that support the secure functionality of the cardholder data environment (CDE) must be documented in the scope. This includes keeping a list of all CDE supporting networks, applications and system devices.  Along with documenting the Hostnames, OS Versions, IP addresses, physical Locations and Asset owners. Additionally, security supporting services such as Log aggregation, File Integrity Monitoring, Vulnerability Scanning, IDS/IPS, Penetration Testing, Patch management, Anti-Virus, and Access Control must be documented.  Maintaining this information will help identify in-scope assets and the associated PCI-DSS controls with which they must comply.

“The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) is comprised of people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data.”

It is commonly assumed that PCI-DSS scope includes only systems that directly transmit or store credit card data. This assumption is not correct. As stated above, any systems that are connected to or support the secure functionality of systems that store process or transmit credit card data are considered as “in-scope” for PCI and would need to follow the applicable PCI-DSS requirements.

Scoping Concepts

The following scoping concepts always apply

Systems located within the CDE

Systems located within the CDE are in scope, irrespective of their functionality or the reason why they are in the CDE.

Connected to a system in the CDE

Similarly, systems that connect to a system in the CDE are in scope, irrespective of their functionality or the reason they have connectivity to the CDE.

Flat Network

In a flat network, all systems are in scope if any single system stores, processes, or transmits account data.”

To Summarize

The Advantages of Network segmentation

Network segmentation, although not required to be PCI compliant is recommended to reduce the scope of large interconnected enterprises.  Creating and maintaining an up-to-date list of the in-scope, out-of-scope and security supporting networks is critical to documenting the scope of the environment.  Segmentation is commonly done through the use of Firewall and Router ACL’s to ensure no route exists from the out-of-scope segments to the in-scope segments.

“The intent of segmentation is to prevent out-of-scope systems from being able to communicate with systems in the CDE or impact the security of the CDE.”

As PCI-DSS states, “At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of its PCI DSS scope by identifying all locations and flows of cardholder data, and identify all systems that are connected to or, if compromised, could impact the CDE (for example, authentication servers) to ensure they are included in PCI DSS scope.”

Companies have two primary concerns when it comes to PCI-DSS compliance:

1) How much time will it take to meet the compliance requirement?

2) How much of an investment will it take to maintain compliance over time? 

MegaplanIT’s PCI-DSS Plus program is an all-in-one solution for PCI compliance designed specifically to address these concerns. Our bundled compliance solution takes a streamlined approach both on and off-site to get clients ready for the assessment and to maintain compliance year-round. Our expert QSAs know how to effectively implement the required processes an organization to protect cardholder data and keep sensitive information secure. With multiple decades of experience, MegaplanIT’s proven track record of delighting clients and developing accurate PCI-DSS compliance reports that provide the best value in the industry. Contact us to find out how our PCI-DSS Plus Program can help your business save time and reduce costs.

Additional Resources

Informational Blog Articles

White paper

Get Prepared For PCI-DSS v4.0

This white paper will cover everything organizations need to know about PCI DSS v4.0, including what is likely to change, when it will come into effect, and…read more

View Resource >

Blog Article

Whitelisting Penetration Testers on Your WAF

Penetration testing is a reality for any company that takes security seriously. Not only is it an important part of any cybersecurity program, it also… read more

View Resource >

White paper

The Definitive Guide To SOCaaS White Paper Download

This white paper will cover everything security leaders need to know about SOCaaS and help them determine whether it could be an appropriate solution for their… read more

View Resource >