PCI Scope Categories: Keep Your Card Data Separate

Learn what PCI scope categories your systems fall into.

When it comes to PCI DSS scope, many businesses can feel a little confused about what to consider in-scope in their environment.

The PCI SSC recently released a supplemental guide to PCI DSS scope, which provides further information on scoping, what’s considered to be in scope, and what businesses should secure.

Within this guidance, the different categories of scoping are defined and clarified. Here’s a look at each category.

‍See also: PCI DSS Supplemental Guide to Scope: Understanding PCI DSS Scope and Segmentation

In-scope systems

This category relates to all systems and networks that are directly involved in the card data environment (CDE). To be in this category, the system component stores, processes, or transmits cardholder data. Or the system is on the same network segment as systems that deal with cardholder data.

These types of systems are all part of the CDE, and need to follow all applicable PCI DSS requirements to properly protect cardholder data.

Sample systems considered in-scope:

• Code deployment servers
• Antivirus systems
• Domain Controllers
• Hypervisors that host CDE systems
• DNS servers
• Log servers
• Update/patch management servers
• Authentication servers

Out-of-scope systems

This category includes systems that aren’t in the CDE, or aren’t connected to the CDE. To be in this category, here’s what qualifies the system:

• The system component doesn’t handle card data,
• It isn’t on the same network as those that handle card data
• It isn’t connected to any system in the CDE
• It doesn’t meet any criteria to be in the connected to category

Only if the system component meets all these requirements will it be considered out of scope. The problem many businesses have is determining whether something is out of scope.

When scoping an environment, you should begin by considering all systems as in-scope until you can verify that enough segmentation controls are in place to remove the system from scope.

‍Segmentation validation tests (PCI DSS Requirement 11.3.4) can help determine if a device or network segment can be considered out of scope. This test will determine if the device or network segment has any connectivity to the CDE.

You should also determine what connectivity the device has to any connected-to system and if the device could use a connected-to system to gain access to the CDE. If a system has no better attack vector to the CDE than a system on the public internet, it can safely be determined as out of scope.

Note: Out-of-scope systems could still pose a risk to the organization and possibly the CDE if they’re not secured. It’s recommended that security best practices be implemented for all out-of-scope systems/networks.

Sample systems considered out of scope.

• The public Internet
• Systems with no connectivity to the CDE or to connected-to systems
• Systems that connect to systems in the connected-to category, but cannot gain access to the CDE using this connection.

Additional tips for PCI DSS scoping

‍Here are some additional ways to scope your business.

• Make a card flow diagram: This helps you keep track off and identify where your card data flows in and out of your environment, and what systems are affected by the flow of data
• Create and maintain policies: Have policies in place for handling card data, securely transmitting data, and keeping the CDE separate from the rest of your business. Defined policies and procedures will give employees direction on how to maintain a compliant environment throughout the year
• Re-scope your environment annually: Perform and document a scoping exercise annually. Changes to the environment or the threat landscape during the year may affect the scope of the environment. This process should be conducted at least annually to ensure all systems that can affect the security of cardholder data are addressed appropriately
• Remember the people: While this post focuses on what systems should be included in your PCI scope, remember that the CDE consists of systems, processes, and people. Determine who is involved in receiving and processing cardholder data, and who is involved in securing the technology in the CDE

The PCI Council’s release of the Information Supplement on scoping and network segmentation did not change existing PCI DSS requirements, but it has provided clarification on what systems these requirements must be applied to.

Determining what systems directly or indirectly affect the security of cardholder data in the environment will help you know where PCI DSS controls must be in place.

Most data compromises could have been avoided by applying basic security controls on appropriate systems. The security controls outlined in the PCI DSS can help reduce the risk of compromise only if they are applied to all systems that can affect the security of the data.

A proper scoping exercise is key to protecting your customer’s data.