PCI Compliance: Scope

This is the second of a six-part blog series about PCI compliance.

Last week, we discussed the terminology of PCI compliance, what it is, and to whom it applies. Refer to part one for a glossary of PCI-related terms at any time during the series. This week, we'll discuss how to determine and minimize your scope of PCI compliance.

What Is In Scope?

Before you know your scope of PCI Compliance, you should understand and define your Cardholder Data Environment, or CDE. Your CDE includes any component of your business that processes, stores, or transmits cardholder data; specifically, any system component that interacts with cardholder data. However, the scope of a PCI assessment also includes anything connected to those components. For example, your CDE might include an E-Commerce application that accepts credit cards and a point-of-sale terminal, but the scope of your PCI assessment might also include workstations used to access those components and wireless networks.

Other areas that need to be included in the scope of a PCI assessment include components that provide security services to components in the CDE, such as patch servers, anti-virus servers, intrusion-detection systems, authentication servers, and domain controllers. Components that provide or facilitate segmentation between your CDE and other out-of-scope networks are also in scope, such as firewalls and routers.

Keep in mind that your scope will also include personnel such as cashiers, sales clerks, key custodians, back-office clerks, IT support, human resources, physical security officers, finance personnel, management, supervisors, and others.
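
The system-component rules above can be applied mechanically to an asset inventory. The following is an added example, not part of the original post: it assumes a simplified model in which only direct permitted connections count as "connected," and every component name and flow in it is constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Component:
    name: str
    handles_chd: bool = False   # stores, processes, or transmits cardholder data
    secures: set = field(default_factory=set)  # components it gives security services to
    segments_cde: bool = False  # firewall/router separating the CDE from other networks

def classify_scope(components, flows):
    """Return {name: reason}. flows are (a, b) pairs of permitted connections,
    treated as bidirectional (assumption: only direct connections are modeled)."""
    cde = {c.name for c in components if c.handles_chd}
    connected = set()
    for a, b in flows:
        if a in cde:
            connected.add(b)
        if b in cde:
            connected.add(a)
    result = {}
    for c in components:
        if c.name in cde:
            result[c.name] = "in scope: CDE"
        elif c.segments_cde:
            result[c.name] = "in scope: segmentation"
        elif c.secures & cde:
            result[c.name] = "in scope: security service"
        elif c.name in connected:
            result[c.name] = "in scope: connected to CDE"
        else:
            result[c.name] = "out of scope"
    return result

# Constructed sample inventory and flows (hypothetical names).
INVENTORY = [
    Component("ecommerce-app", handles_chd=True),
    Component("pos-terminal", handles_chd=True),
    Component("admin-workstation"),
    Component("store-wifi"),
    Component("patch-server", secures={"ecommerce-app"}),
    Component("domain-controller", secures={"pos-terminal"}),
    Component("edge-firewall", segments_cde=True),
    Component("hr-laptop"),
]
FLOWS = [("admin-workstation", "ecommerce-app"), ("pos-terminal", "store-wifi")]

if __name__ == "__main__":
    for name, reason in classify_scope(INVENTORY, FLOWS).items():
        print(f"{name:20} {reason}")
```

Systems that come back as "out of scope" still need their isolation from the CDE confirmed before they are excluded from the assessment.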

Diagram and Determine Your Scope

The best way to determine what's within your business's scope of PCI compliance is to develop an up-to-date network diagram. This diagram should identify "all connections between the CDE and other networks, including any wireless networks," according to the PCI DSS.

Business owners and their network administrators should sit down together and get their network diagrams in sync. Key security points such as firewalls, servers, public networks and business partners should be noted in these diagrams.

Having a detailed network diagram aids in the PCI compliance assessment and fulfills the all-important PCI DSS Requirement 1.1.2. In short, think of your network in terms of layers and how they are logically and physically laid out. Then start to map them with as much detail as possible. Don't forget to include data flow information, the types of data traversing your network, and the protocols used. 

If this process seems daunting, there are tools out there to help. For example, the Open PCI DSS Scoping Toolkit, created by the Open Scoping Framework Group, outlines a methodology for determining which components are in the scope of a PCI assessment. Though the Toolkit is not officially endorsed by the PCI SSC, the authors believe it is “consistent with the spirit and intent of the PCI DSS,” and it is widely used within the industry. There are also open-source scanning tools available online that can help you determine your scope. However, these tools will not always be a perfect fit and must be adapted to your business to help you successfully determine your scope of PCI compliance.

3 Ways to Minimize Your Scope

Your scope could potentially become quite large once you determine all the included components. The less you include when you consider PCI compliance, the easier the implementation of controls and the quicker the PCI assessment. For this reason, you might want to consider taking some steps to minimize your scope.

  1. Segment your network. This is the most advanced and involved way to minimize your scope. With this approach, you might establish a second network that is solely for card processing, one that is completely separate and touches nothing else on the network (physical segmentation). You could also use logical segmentation via firewalls and routers to limit connectivity between your CDE and the rest of your network.
  2. Use P2PE. A simpler way to minimize your scope is to use a point-to-point encryption solution. A P2PE solution is a combination of secure devices, applications, and processes that encrypt data from the point of interaction (e.g., at the point of swipe) until the data reaches the solution provider’s secure decryption environment. With a P2PE solution, you don't have the means to decrypt the cardholder data at any time; therefore, your CDE is typically reduced to just the point of interaction devices.
  3. Outsource payment processing. This is the easiest and most basic way to minimize your scope. It's also highly recommended for businesses that don't have personnel trained in PCI compliance or secure data practices. When you outsource this part of your business, you ensure that your cardholder data is safely in the hands of experts in the field. Of course, make sure that the third party is PCI compliant.

What Carson Inc. Can Do For You

Putting together all the pieces of PCI compliance can be a complex and frustrating exercise, but Carson, Inc. is here to help you navigate it all. As an approved PCI QSA, Carson, Inc. is able to provide PCI assessments in accordance with PCI DSS. With this qualification, Carson, Inc. is poised to help your company manage data security risks, evaluate the security of your systems, and ensure total compliance.

Stay tuned to our blog to catch part three of this series, "PCI Compliance: How to Complete Reporting Requirements," with information on ROCs (Reports on Compliance) and SAQs (Self-Assessment Questionnaires).
