Understanding Scope for PCI-DSS: What you need to know

Understanding, documenting and maintaining the scope of PCI-DSS is the most important factor in building the foundation of a successful PCI-DSS program. Systems that store, process or transmit credit card data, as well as the security and access control systems that support the secure functioning of the cardholder data environment (CDE), must be documented in the scope. This includes keeping a list of all CDE-supporting networks, applications and system devices, along with the hostname, OS version, IP address, physical location and asset owner of each. Additionally, security-supporting services such as log aggregation, file integrity monitoring, vulnerability scanning, IDS/IPS, penetration testing, patch management, anti-virus and access control must be documented. Maintaining this information makes it possible to identify in-scope assets and the PCI-DSS controls with which they must comply.

“The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) is comprised of people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data.”

It is commonly assumed that PCI-DSS scope includes only systems that directly transmit or store credit card data. This assumption is not correct. As stated above, any system that is connected to, or supports the secure functioning of, a system that stores, processes or transmits credit card data is considered in scope for PCI and must meet the applicable PCI-DSS requirements.

The following scoping concepts always apply:

Systems located within the CDE

Systems located within the CDE are in scope, irrespective of their functionality or the reason why they are in the CDE.

Connected to a system in the CDE

Similarly, systems that connect to a system in the CDE are in scope, irrespective of their functionality or the reason they have connectivity to the CDE.

Flat Network

In a flat network, all systems are in scope if any single system stores, processes, or transmits account data.

The Advantages of Network segmentation

Network segmentation, although not required for PCI compliance, is recommended to reduce the scope of large interconnected enterprises. Creating and maintaining an up-to-date list of the in-scope, out-of-scope and security-supporting networks is critical to documenting the scope of the environment. Segmentation is commonly implemented with firewall and router ACLs that ensure no route exists from the out-of-scope segments to the in-scope segments.

“The intent of segmentation is to prevent out-of-scope systems from being able to communicate with systems in the CDE or impact the security of the CDE.”

As PCI-DSS states, “At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of its PCI DSS scope by identifying all locations and flows of cardholder data, and identify all systems that are connected to or, if compromised, could impact the CDE (for example, authentication servers) to ensure they are included in PCI DSS scope.”
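The three scoping rules above (located in the CDE, connected to the CDE, flat network) and the annual scope re-check can be applied mechanically to an asset inventory and an ACL summary. The following is an added example, not code from the original article or from MegaplanIT; the hostnames, segment names and permitted routes are constructed sample data, and a system counts as "connected" only if an ACL permits traffic in either direction between its segment and a CDE segment.

```python
# Constructed sample inventory (hostnames and segments are made up):
# hostname -> (network segment, stores/processes/transmits account data?)
ASSETS = {
    "pos-01":  ("cde",  True),
    "db-card": ("cde",  True),
    "jump-01": ("cde",  False),  # in the CDE, so in scope regardless of function
    "ad-01":   ("mgmt", False),  # authentication server with a route into the CDE
    "wiki-01": ("corp", False),
    "hr-01":   ("corp", False),
}

# Constructed firewall/router ACL summary: permitted (source, destination)
# segment pairs. Any pair not listed is denied, so "corp" has no route to "cde".
ALLOWED_ROUTES = {("mgmt", "cde"), ("cde", "mgmt")}


def cde_segments(assets):
    """Segments containing at least one system that handles account data."""
    return {seg for seg, holds_data in assets.values() if holds_data}


def in_scope(assets, allowed_routes, segmented=True):
    """Return {hostname: reason} for every system the scoping rules pull in."""
    if not segmented:
        # Flat network: if any single system handles account data, everything is in scope.
        if any(holds_data for _, holds_data in assets.values()):
            return {host: "flat network" for host in assets}
        return {}
    cde = cde_segments(assets)
    scope = {}
    for host, (seg, _) in assets.items():
        if seg in cde:
            scope[host] = "located in CDE"
        elif any((seg, c) in allowed_routes or (c, seg) in allowed_routes for c in cde):
            scope[host] = "connected to CDE"
    return scope


def scope_gaps(documented_out_of_scope, computed_scope):
    """Systems documented as out of scope that the rules say are in scope (annual re-check)."""
    return {host: computed_scope[host] for host in documented_out_of_scope if host in computed_scope}


if __name__ == "__main__":
    for host, reason in sorted(in_scope(ASSETS, ALLOWED_ROUTES).items()):
        print(f"{host}: {reason}")
    # ad-01 was recorded as out of scope but has a permitted route into the CDE
    print("gaps:", scope_gaps({"ad-01", "wiki-01"}, in_scope(ASSETS, ALLOWED_ROUTES)))
```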

Companies have two primary concerns when it comes to PCI-DSS compliance:

1) How much time will it take to meet the compliance requirement?

2) How much of an investment will it take to maintain compliance over time?

MegaplanIT’s PCI-DSS Plus program is an all-in-one solution for PCI compliance designed specifically to address these concerns. Our bundled compliance solution takes a streamlined approach, both on and off site, to get clients ready for the assessment and to maintain compliance year-round. Our expert QSAs know how to effectively implement the processes an organization needs to protect cardholder data and keep sensitive information secure. With multiple decades of experience, MegaplanIT has a proven track record of delighting clients and developing accurate PCI-DSS compliance reports that provide the best value in the industry. Contact us to find out how our PCI-DSS Plus program can help your business save time and reduce costs.
