MegaplanIT

Full Spectrum

Solutions

We specialize in over 48 technically advanced cybersecurity and compliance services designed to protect cardholder and other sensitive data, secure in-scope networks, systems, and website applications.

Managed Security Solutions >

Compliance Assessments>

Security Testing >

Consulting Services >

Customer Reviews

we are grateful to receive their feedback on our service.

Who We Are

we are grateful to receive their feedback on our service.

Managed Security Solutions >

Powerful, optimized SIEM running 24/7/365.

Real-time active threat intelligence. Rapidly find and contain intrusions.

Powerful, optimized SIEM running 24/7/365.

Track & Respond To Suspicious Activity In Your Network Traffic

Empower your incident response and security operations functions with real-time active threat intelligence.

Full Spectrum

Solutions

We specialize in over 48 technically advanced cybersecurity and compliance services designed to protect cardholder and other sensitive data, secure in-scope networks, systems, and website applications.

Managed Security Solutions >

Compliance Assessments>

Security Testing >

Consulting Services >

Customer Reviews

we are grateful to receive their feedback on our service.

Who We Are

we are grateful to receive their feedback on our service.

Managed Security Solutions >

Powerful, optimized SIEM running 24/7/365.

Real-time active threat intelligence. Rapidly find and contain intrusions.

Powerful, optimized SIEM running 24/7/365.

Track & Respond To Suspicious Activity In Your Network Traffic

Empower your incident response and security operations functions with real-time active threat intelligence.

Full Spectrum

Solutions

We specialize in over 48 technically advanced cybersecurity and compliance services designed to protect cardholder and other sensitive data, secure in-scope networks, systems, and website applications.

Managed Security Solutions >

Compliance Assessments>

Security Testing >

Consulting Services >

Customer Reviews

we are grateful to receive their feedback on our service.

Who We Are

we are grateful to receive their feedback on our service.

Managed Security Solutions >

Powerful, optimized SIEM running 24/7/365.

Real-time active threat intelligence. Rapidly find and contain intrusions.

Powerful, optimized SIEM running 24/7/365.

Track & Respond To Suspicious Activity In Your Network Traffic

Empower your incident response and security operations functions with real-time active threat intelligence.

Why Choose Us?

Our expert security consultants and QSAs are fully certified across multiple disciplines and have decades of experience helping businesses stay protected against an ever-evolving cyber threat landscape. We build long-term relationships with our clients and provide holistic service offering to meet all their security and compliance needs while outlining a path to continued improvements within their internal security program(s).

Why Choose Us?

Our expert security consultants and QSAs are fully certified across multiple disciplines and have decades of experience helping businesses stay protected against an ever-evolving cyber threat landscape. We build long-term relationships with our clients and provide holistic service offering to meet all their security and compliance needs while outlining a path to continued improvements within their internal security program(s).

Blog Articles

Understanding Scope for PCI-DSS

PCI-DSS Scope

Compliance Informational Blog

Understanding Scope for PCI-DSS: What you need to know

Understanding, documenting and maintaining the scope of PCI-DSS is the most important factor for building the foundation of a successful PCI-DSS program. Systems that store, process or transmit credit card data as well as security and access control systems that support the secure functionality of the cardholder data environment (CDE) must be documented in the scope. This includes keeping a list of all CDE supporting networks, applications and system devices.  Along with documenting the Hostnames, OS Versions, IP addresses, physical Locations and Asset owners. Additionally, security supporting services such as Log aggregation, File Integrity Monitoring, Vulnerability Scanning, IDS/IPS, Penetration Testing, Patch management, Anti-Virus, and Access Control must be documented.  Maintaining this information will help identify in-scope assets and the associated PCI-DSS controls with which they must comply.

“The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) is comprised of people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data.”

It is commonly assumed that PCI-DSS scope includes only systems that directly transmit or store credit card data. This assumption is not correct. As stated above, any systems that are connected to or support the secure functionality of systems that store process or transmit credit card data are considered as “in-scope” for PCI and would need to follow the applicable PCI-DSS requirements.

Scoping Concepts

The following scoping concepts always apply

Systems located within the CDE

Systems located within the CDE are in scope, irrespective of their functionality or the reason why they are in the CDE.

Connected to a system in the CDE

Similarly, systems that connect to a system in the CDE are in scope, irrespective of their functionality or the reason they have connectivity to the CDE.

Flat Network

In a flat network, all systems are in scope if any single system stores, processes, or transmits account data.”

To Summarize

The Advantages of Network segmentation

Network segmentation, although not required to be PCI compliant is recommended to reduce the scope of large interconnected enterprises.  Creating and maintaining an up-to-date list of the in-scope, out-of-scope and security supporting networks is critical to documenting the scope of the environment.  Segmentation is commonly done through the use of Firewall and Router ACL’s to ensure no route exists from the out-of-scope segments to the in-scope segments.

“The intent of segmentation is to prevent out-of-scope systems from being able to communicate with systems in the CDE or impact the security of the CDE.”

As PCI-DSS states, “At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of its PCI DSS scope by identifying all locations and flows of cardholder data, and identify all systems that are connected to or, if compromised, could impact the CDE (for example, authentication servers) to ensure they are included in PCI DSS scope.”

Companies have two primary concerns when it comes to PCI-DSS compliance:

1) How much time will it take to meet the compliance requirement?

2) How much of an investment will it take to maintain compliance over time? 

MegaplanIT’s PCI-DSS Plus program is an all-in-one solution for PCI compliance designed specifically to address these concerns. Our bundled compliance solution takes a streamlined approach both on and off-site to get clients ready for the assessment and to maintain compliance year-round. Our expert QSAs know how to effectively implement the required processes an organization to protect cardholder data and keep sensitive information secure. With multiple decades of experience, MegaplanIT’s proven track record of delighting clients and developing accurate PCI-DSS compliance reports that provide the best value in the industry. Contact us to find out how our PCI-DSS Plus Program can help your business save time and reduce costs.

Additional Resources

Informational Blog Articles

White paper

Get ready for pcs v4 with the latest Blog updates.

Get Prepared For PCI-DSS v4.0

This white paper will cover everything organizations need to know about PCI DSS v4.0, including what is likely to change, when it will come into effect, and…read more

View Resource >

Blog Article

Whitelisting penetration tests on your waf.

Whitelisting Penetration Testers on Your WAF

Penetration testing is a reality for any company that takes security seriously. Not only is it an important part of any cybersecurity program, it also… read more

View Resource >

White paper

The definitive guide to securing socaas.

The Definitive Guide To SOCaaS White Paper Download

This white paper will cover everything security leaders need to know about SOCaaS and help them determine whether it could be an appropriate solution for their… read more

View Resource >