Generally speaking, scoping can be defined as the identification and tracking of people, processes, and technologies that directly interact with account data or could impact the security of account data in your cardholder data environment (CDE).
Key items to consider:
- Scoping exercises should be performed annually (at minimum)
- Should include validation of people, processes and technologies that handle account data
- Should include the identification of all current and new payment channels
- Include policies and standards that enforce PCI requirements for your organization
Systems are in-scope when:
- They store, process, or transmit account data
- They are on the same network segment (i.e., same subnet or VLAN) as systems that store, process or transmit account data
- They can impact the configurations or security of the CDE
Systems are out-of-scope when:
- They do not store, process, or transmit account data
- They are not on the same network segment (i.e., same subnet or VLAN) as systems that store, process or transmit account data
- They cannot connect to any system in the CDE and do not impact configurations or security of the CDE
In this project, we simulate an organization that is just starting its scoping journey, with the goal of identifying and tracking both in-scope and out-of-scope systems.
Inception State: organization has no existing policies, standards or processes in place to identify their CDE.
Completion State: formal policies, standards and processes are created, stakeholders are bought in to their annual scoping responsibilities, and a full cycle of scoping exercises is successfully completed.
Project activities:
- Writing PowerShell and Bash scripts to rule out storage of account data across the organization
- Gathering a full list of merchant IDs (MIDs)
- Creating data flow diagrams
- Creating network diagrams
- Identifying in-scope software
- Identifying in-scope hardware
- Identifying in-scope policies and standards
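As an added illustration of the account-data discovery scripts (this is not the project's own script), a Bash check that flags Luhn-valid 13 to 19 digit sequences in a file and reports them truncated to first six and last four digits, so the scoping report never stores full account data; the sample lines, test card numbers and temp file path are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example: minimal Bash account-data discovery check for a scoping
# exercise. Not the project's own script; sample input is constructed.

# Luhn checksum: returns 0 (true) when the digit string passes.
luhn_check() {
    local num="$1" sum=0 double=0 i d
    for (( i = ${#num} - 1; i >= 0; i-- )); do
        d=${num:$i:1}
        if [ "$double" -eq 1 ]; then
            d=$(( d * 2 ))
            if [ "$d" -gt 9 ]; then d=$(( d - 9 )); fi
        fi
        sum=$(( sum + d ))
        double=$(( 1 - double ))
    done
    [ $(( sum % 10 )) -eq 0 ]
}

# Truncate a PAN to first six and last four digits (PCI DSS truncation).
mask_pan() {
    local digits="$1" stars
    stars=$(printf '%*s' $(( ${#digits} - 10 )) '' | tr ' ' '*')
    printf '%s%s%s\n' "${digits:0:6}" "$stars" "${digits: -4}"
}

# Print one masked line per Luhn-valid candidate found in the given file.
# Candidates: 13-19 digits, optionally separated by single spaces or dashes.
scan_file_for_pans() {
    local file="$1" cand digits
    grep -oE '([0-9][ -]?){12,18}[0-9]' "$file" | while read -r cand; do
        digits=${cand//[ -]/}
        [ "${#digits}" -ge 13 ] && [ "${#digits}" -le 19 ] || continue
        if luhn_check "$digits"; then mask_pan "$digits"; fi
    done
}

# Constructed sample input using well-known test card numbers, not real data.
SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
cat > "$SAMPLE_FILE" <<'EOF'
customer=alice card=4111111111111111 exp=12/29
customer=bob card=5500 0000 0000 0004
audit id 1234567890123456 fails the checksum and is skipped
phone 555-123-4567 and invoice 123456789012 are too short
EOF

scan_file_for_pans "$SAMPLE_FILE"
```

Run it against exported database dumps, log directories or file shares (for example via `find ... -exec`) to support the "rule out storage" step; every hit is a location that must be either remediated or pulled into scope.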