PCI Scoping

The Payment Card Industry Data Security Standard (PCI DSS) version 4.0 has established a formal requirement for a documented scoping exercise as outlined in PCI 12.5.2. This essential step, which must be completed prior to the Qualified Security Assessor (QSA) commencing their evaluation, ensures that the scope of the Cardholder Data Environment (CDE) is accurately defined and validated. This guide will detail the scoping process, providing practical steps and tips to facilitate compliance.
What is the PCI Scoping Exercise?
A PCI scoping exercise is designed to identify all systems, processes, and personnel that interact with or affect the security of cardholder data (CHD) or sensitive authentication data (SAD). The primary objective is to define the CDE, document systems that are “connected to” it, and verify the segmentation controls that help limit the scope of the PCI DSS assessment. This exercise is not a one-time event; service providers are required to review it every six months, while others should repeat it annually.
Key Components of the Scoping Exercise
1. Identifying Systems with Cardholder Data (CDE)
The CDE encompasses any system that stores, processes, or transmits CHD or SAD. Here’s how to approach each aspect:
- Storage: Identify static data in databases, log files, swap files, RAM, or cloud storage. Utilize automated data discovery tools to ensure no CHD is missed.
- Processing: This includes activities conducted by payment processors or card processors.
- Transmission: This covers data movement, such as viewing CHD on a monitor, entering card numbers, or transmitting data via VoIP.
2. Mapping “Connected to” Systems
These systems do not store, process, or transmit CHD but can access CDE systems or affect their security. Examples include:
- Systems on the same VLAN as CDE systems.
- Security tools like firewalls, SIEMs, IDS/IPS, or patch management systems.
- Authentication servers or network traffic filters.
Tip: Employ network mapping tools to identify connections and ensure there is no indirect access to the CDE.
3. Implementing Segmentation Controls
Segmentation helps reduce the PCI assessment scope by isolating the CDE from other systems. Effective segmentation prevents any communication between in-scope and out-of-scope systems. Segmentation is optional, but where it is used the controls typically include:
- VLANs with strict filtering (note that VLANs alone are insufficient).
- Container isolation.
- Physical separation.
- Security groups.
For a system to be considered out-of-scope, it must meet all of the following criteria:
- Does not store, process, or transmit CHD/SAD.
- Is not on the same network segment as CDE systems.
- Cannot connect (directly or indirectly) to CDE systems.
- Does not impact CDE configurations or provide security/segmentation services.
- Does not fulfill any PCI DSS requirements.
Tip: Document segmentation controls with diagrams illustrating firewalls, VLANs, or security groups.
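To make the out-of-scope criteria above concrete, here is an added example (not from the original post) that applies them to a constructed inventory; it also walks the "connects to" relationships breadth-first so that indirect access into the CDE is caught, which a flat checklist misses. The system names, segments and attributes are assumptions.

```python
from collections import deque

# Constructed sample inventory (not from the page). "connects_to" lists the
# systems each one can open connections to; "security" means it provides
# security/segmentation services, affects CDE configuration, or fulfils a
# PCI DSS requirement (the page's last two out-of-scope criteria).
INVENTORY = {
    "pos-db":      {"chd": True,  "segment": "cde-vlan", "connects_to": [],            "security": False},
    "cde-fw":      {"chd": False, "segment": "dmz",      "connects_to": ["pos-db"],    "security": True},
    "siem":        {"chd": False, "segment": "mgmt",     "connects_to": [],            "security": True},
    "jump-host":   {"chd": False, "segment": "mgmt",     "connects_to": ["cde-fw"],    "security": False},
    "ops-laptop":  {"chd": False, "segment": "corp",     "connects_to": ["jump-host"], "security": False},
    "hr-wiki":     {"chd": False, "segment": "corp",     "connects_to": [],            "security": False},
    "old-printer": {"chd": False, "segment": "cde-vlan", "connects_to": [],            "security": False},
}

def cde_systems(inv):
    """Systems that store, process or transmit CHD/SAD: the CDE itself."""
    return {name for name, s in inv.items() if s["chd"]}

def reaches_cde(inv, start, cde):
    """Breadth-first walk over connects_to edges: True if 'start' can reach a
    CDE system directly or through intermediate hops (indirect access)."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in inv[queue.popleft()]["connects_to"]:
            if nxt in cde:
                return True
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False

def classify(inv):
    """Label each system cde / connected-to / out-of-scope. A system is out of
    scope only when it satisfies every criterion in the list above."""
    cde = cde_systems(inv)
    cde_segments = {inv[n]["segment"] for n in cde}
    verdicts = {}
    for name, s in inv.items():
        if name in cde:
            verdicts[name] = "cde"
        elif (s["segment"] in cde_segments or s["security"]
              or reaches_cde(inv, name, cde)):
            verdicts[name] = "connected-to"
        else:
            verdicts[name] = "out-of-scope"
    return verdicts
```

Note that "ops-laptop" ends up connected-to even though it never touches the CDE segment: it reaches the CDE in three hops, which is exactly the indirect access the tip above asks you to rule out.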
4. Mapping Payment Channels
Create data flow diagrams for every payment channel (in-person, telephone, mail, e-commerce). Each diagram should trace CHD from entry to exit, categorizing each step as:
- In-Scope: Systems handling CHD/SAD (e.g., POS terminals, e-commerce servers).
- Connected to/Security-Impacting: Systems supporting the CDE (e.g., firewalls, authentication servers).
Example: For an e-commerce payment, the flow might include a customer’s browser, a web server, a payment gateway, and a database. Even a CVV or expiration date alone is considered CHD.
Tip: Look for opportunities to eliminate full Primary Account Number (PAN) storage (e.g., process changes, tokenization, or outsourcing) to reduce scope.
5. Assessing Third-Party Service Providers
Include third parties with access to CHD/SAD or that can impact the security of the CDE in the scoping exercise. For each provider:
- Verify their PCI compliance status (e.g., Attestation of Compliance).
- If compliant, leverage their AOC to exclude requirements associated with their services from your assessment (this will require their responsibility matrix or statement).
- If non-compliant, include their services in your assessment scope.
Tip: Utilizing PCI-certified providers simplifies compliance, but is not mandatory.
6. Identifying In-Scope Personnel
Document personnel with access to CHD/SAD, including job titles (e.g., “POS Operators”) or named individuals. These individuals require specialized security awareness training to handle CHD/SAD securely.
Tips for a Successful Scoping Exercise
- Start Small: Focus on one Merchant ID (MID) and map its payment channels before expanding to others.
- Use Automation: Leverage tools for CHD/SAD discovery and network mapping.
- Verify Consistency: Ensure processes are uniform across all locations.
- Include All Payment Stages: Cover authorization, capture, settlement, chargebacks, and refunds.
- Create a Comprehensive Inventory: List all hardware, software, databases, applications, POS terminals, card readers, cloud assets, and PCI-certified solutions (e.g., P2PE devices).
This inventory will inform vulnerability assessments, Approved Scanning Vendor (ASV) scans, penetration tests, and web application scans, ensuring they are scoped correctly.
Why Scoping Matters
A well-executed scoping exercise minimizes the scope of the PCI DSS assessment, saving time and resources. It also ensures compliance by identifying all systems and personnel that interact with CHD/SAD. For complex environments, seeking professional assistance can streamline the process.