PCI 30-seconds newsletter #9 – Defining the Scope of the PCI assessment

Blog Post created by dgodart on Jul 11, 2011


Entities subject to the PCI program have the ultimate responsibility for defining the scope of the PCI assessment. What does that mean?


According to the PCI DSS, the scope of the assessment must encompass all "system components" included in, or connected to, the Cardholder Data Environment (CDE).

What is the CDE?

The PCI Security Standards Council (PCI SSC) defines the CDE as the people, processes and system components that store, process or transmit cardholder data or sensitive authentication data.


Side note:

There is a simple way to understand the difference between cardholder data and sensitive authentication data. Cardholder data is what is printed on the front of your credit card: the full PAN, cardholder name and expiration date. Sensitive authentication data is generally found on the back of the card or entered at the terminal, and is used to authenticate the cardholder and/or authorize the transaction: card validation codes (CVV2/CVC2), PINs and PIN blocks, and full magnetic-stripe (track) data. Sensitive authentication data must never be stored after authorization, even encrypted.

What is meant by system components?

By system components one must understand:

  • Network components such as firewalls, switches, routers, wireless access points, network appliances and other security appliances.
  • Servers such as web, database, authentication, mail, proxy, time synchronization (NTP) and domain name (DNS) servers.
  • Applications, both purchased and custom-built.


I would also add the component "people": the business departments that handle cardholder data, as well as any department responsible for the management, security, installation and maintenance of the system components above.

How do you determine the scope?

The scope of PCI compliance can be extremely difficult to determine. Probably the best way to handle this critical exercise is a top-down approach through two series of workshops. The aim of the first series is to capture the entire end-to-end business process: understand where cardholder data is used and for which purposes, and identify third-party relationships and dependencies. The second series is much more focused on technical aspects, such as identifying the system components and technical procedures that support those business processes. Remember that systems connected to the CDE (for example, an administration jump host or a monitoring server that can reach it) are in scope even if they never touch cardholder data themselves.


The final exercise in scoping is to create the scope document, detailing what is in and what is out of the scope of PCI compliance, as well as the rationale behind these findings. This document should be regularly reviewed.


How do you reduce the scope?

The scope of a PCI assessment can turn out to be quite large for some organizations, and therefore quite demanding in terms of resources, time and money, as well as being a considerable source of stress. To minimize these burdens, the associated expenses and the risk of non-compliance, it is of the utmost importance for entities subject to PCI compliance to reduce the scope as much as possible. To do so, consider the following areas:


1. Reducing the need for data storage

Ask yourself the following question: do we really need to keep cardholder data? If a process can work with a truncated PAN (first six/last four digits) or with no PAN at all, store that instead. Minimizing where card data is stored reduces the scope.


2. Network segmentation

Network segmentation, that is, isolating the cardholder data environment from the rest of the organization's network, is perhaps the best way to limit scope. Note that segmentation is not a PCI DSS requirement in itself; it is a scope-reduction measure, and the assessment has to verify that the segmentation actually works.

At a minimum, segregation should consist of logical separation between networks via router and switch ACLs, combined with the separation provided by a stateful firewall that denies all traffic into the CDE by default and only permits explicitly justified flows. The optimal solution is physical separation between the networks.

Side notes:

  • PCI defers to the QSA (for organizations subject to on-site audits) to render judgment on what is acceptable in terms of network segregation. Different QSAs interpret this differently, adding to the challenge of PCI compliance.
  • For those not subject to on-site audits, the acceptable level of segregation is left to their own judgment.


3. The use of third party solutions


In many cases entities store cardholder data unnecessarily. The most common reasons cited for this are recurring billing and dealing with chargebacks or disputes.


Outsourcing this data storage to PCI-compliant service providers that can securely manage your payment processing and securely store your records is definitely a way to reduce the scope of the assessment. There are many third-party solutions available that will store the card data and perform the necessary financial operations (authorization, clearing and settlement) on your behalf. Such solutions usually use tokenization to help you deal with recurring payments: tokenization allows you to replace the PAN with a token in your database. The token is only useful to the provider that issued it, so the merchant's database is no longer storing cardholder data, provided the token cannot be reversed or used to derive the PAN outside the provider's vault.


Dealing with chargebacks and disputes (the return of funds to a consumer, initiated by the consumer's issuing bank) does not require the full PAN; generally the last four digits, together with the transaction reference, are enough. So you can reduce the scope via that mechanism as well.
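To make the two points above concrete, here is an added example (not code from the original post, and not any particular provider's API) of what tokenization and PAN truncation look like in practice. The `TokenVault` class stands in for the service provider's vault, which stays in PCI scope; the `merchant_record` function shows what the merchant keeps, namely a token plus the last four digits, and `contains_pan` is the kind of sanity scan you would run over an out-of-scope data store to prove it holds no full PAN. The card numbers used are the well-known test numbers, constructed for the example, not live cards.

```python
"""Tokenization and PAN truncation, in outline (added example).

The vault (tokenize/detokenize) is what a PCI-compliant third party runs
on your behalf; the merchant side keeps only the token and the last four
digits, so its database never holds a full PAN.
"""
import json
import re
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test, which every real PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip separators and reject anything that is not a plausible PAN."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return digits


class TokenVault:
    """Maps PANs to opaque tokens. Only this component is in PCI scope.

    A real vault encrypts the PAN at rest and restricts detokenize() to the
    payment path; this in-memory version (an assumption for the example)
    shows only the contract.
    """

    def __init__(self) -> None:
        self._pan_by_token: dict = {}
        self._token_by_pan: dict = {}

    def tokenize(self, pan: str) -> str:
        pan = normalize_pan(pan)
        if pan in self._token_by_pan:             # stable token, so recurring billing works
            return self._token_by_pan[pan]
        token = "tok_" + secrets.token_urlsafe(16)  # random, not derived from the PAN
        while token in self._pan_by_token:
            token = "tok_" + secrets.token_urlsafe(16)
        self._token_by_pan[pan] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Used only by the processor when it authorizes a charge."""
        return self._pan_by_token[token]


def merchant_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant keeps: enough for billing and disputes, no PAN."""
    pan = normalize_pan(pan)
    return {
        "token": vault.tokenize(pan),
        "last4": pan[-4:],        # what acquirers typically ask for in a dispute
        "amount_cents": amount_cents,
    }


_DIGIT_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def contains_pan(text: str) -> bool:
    """Rough scan for a stray full PAN: a 13-19 digit run that passes Luhn.

    Use it to check that data stores you claim are out of scope really hold
    no card numbers. Separators between digits are removed first so that
    '4111 1111 1111 1111' is caught as well.
    """
    stripped = re.sub(r"(?<=\d)[ -](?=\d)", "", text)
    return any(luhn_valid(m.group()) for m in _DIGIT_RUN.finditer(stripped))


if __name__ == "__main__":
    vault = TokenVault()
    # constructed sample: the well-known Visa test number, not a live card
    rec = merchant_record(vault, "4111 1111 1111 1111", 1999)
    print(json.dumps(rec))
    print("record leaks a PAN:", contains_pan(json.dumps(rec)))
```

Two design points carry over to any real deployment: the token is random rather than a hash or encryption of the PAN, so no key or rainbow table can turn it back into a card number outside the vault; and `detokenize` is never exposed to the merchant-side code, otherwise the merchant systems would be able to retrieve PANs and would be back in scope.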


Side notes:

  1. Speak to your acquirer or processor to find out what they need from your organization to handle chargebacks and disputes.
  2. Keep in mind that outsourcing payment processing and data storage does not absolve an entity of the responsibility to process payments on behalf of the business in a PCI-compliant fashion. The merchant still owns this responsibility irrespective of whether the processes are outsourced, and must manage the service provider accordingly (written agreements, and verification of the provider's own PCI DSS compliance status).