PCI Scoping: Start big to narrow the scope


As the use of credit cards and online sales continues to grow, so too does the threat of cybercrime, as attackers constantly poke and prod for security holes to siphon off consumer data.

It’s that growing threat that led credit card giants American Express, Discover Financial Services, JCB International, MasterCard and Visa to found the PCI (Payment Card Industry) Security Standards Council a decade ago. It’s why the council established the PCI Data Security Standard (PCI DSS) to keep credit card data secure. And it’s why merchants are increasingly required to validate their PCI compliance.

What does all that mean? It means that some businesses must complete an annual security audit to prove that their business practices, standards, procedures and systems all follow the prescribed security measures. But completing a PCI audit is tedious at best, and for businesses doing it for the first time, it can feel as daunting as climbing Mount Everest when you’re standing at the mountain’s base.

The first step is determining which of a business’s systems are in scope for PCI compliance. The simple answer is that PCI scope should include any system that stores, processes or transmits cardholder data, or is “connected” to one of those systems – but the truth is that it’s a little more complicated than that. First of all, it’s best to apply the same standards across all of your systems. If you’re a healthcare provider, you wouldn’t want your patients’ data to be any less secure than card data. If you’re a publicly traded company, you wouldn’t want to put your investors’ data at risk. Life is easier if you have one set of security standards across your business.

Coming at it from that perspective, businesses should start with a wide lens before narrowing the scope. A checklist to get started might include questions such as:

  • Where is my data?
  • How is my data controlled?
  • How is my data monitored?

Then comes the process of narrowing the scope of the PCI audit to only those company systems that are in the cardholder data environment (CDE). To do that, a business must understand the boundary of the CDE, which includes the systems that store, process or transmit cardholder data, as well as any connected systems. A good rule of thumb for connected systems is to ask: if a given system weren’t there (for example, servers that transfer files in and out of the CDE, or servers that provide authentication), would the cardholder systems still function? If the answer is no, it’s a connected system. If it’s a connected system, it’s in scope. The system components evaluated in the audit would then include network devices, servers, computing devices and applications.
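The “would it still function?” test can be applied mechanically once you have an inventory of systems and the dependencies between them. The Python below is an added example, not code from this page or from ZZ Servers: the inventory, system names and dependency edges are constructed for illustration, and the model (a system handling cardholder data is in the CDE; anything a CDE system cannot function without, followed through chains of dependencies, is a connected system) is a simplification of the rule of thumb above, not PCI DSS guidance.

```python
"""Toy PCI scope calculator built around the dependency rule of thumb.

Added example; the inventory below is constructed, not a real environment.
A system is in the CDE if it stores, processes or transmits cardholder data.
A system is "connected" (and therefore in scope) if some CDE system would stop
functioning without it. Because a dependency of a dependency also breaks the
CDE when it disappears, the walk is transitive.
"""
from dataclasses import dataclass, field


@dataclass
class System:
    name: str
    kind: str                    # network device, server, computing device, application
    stores_chd: bool = False
    processes_chd: bool = False
    transmits_chd: bool = False
    depends_on: set = field(default_factory=set)   # names this system cannot run without

    def handles_chd(self) -> bool:
        return self.stores_chd or self.processes_chd or self.transmits_chd


def build_sample_inventory() -> dict:
    """Constructed sample inventory (hypothetical names)."""
    systems = [
        System("pos-app", "application", processes_chd=True, transmits_chd=True,
               depends_on={"payment-proxy", "ad-ds", "card-db"}),
        System("card-db", "server", stores_chd=True, depends_on={"ad-ds", "ntp"}),
        System("payment-proxy", "network device", transmits_chd=True, depends_on={"dns"}),
        System("ad-ds", "server", depends_on={"dns"}),       # authentication for the CDE
        System("dns", "server"),
        System("ntp", "server"),
        System("hr-portal", "application", depends_on={"ad-ds"}),   # shares AD, handles no CHD
        System("marketing-web", "application", depends_on={"dns"}),
    ]
    return {s.name: s for s in systems}


def cde_systems(inventory: dict) -> set:
    """Systems that store, process or transmit cardholder data."""
    return {s.name for s in inventory.values() if s.handles_chd()}


def connected_systems(inventory: dict) -> set:
    """Non-CDE systems that at least one CDE system cannot function without.

    Walks the depends_on edges outward from the CDE. An edge to a system that
    is missing from the inventory is an inventory gap, so it is reported as an
    error rather than silently ignored.
    """
    cde = cde_systems(inventory)
    connected = set()
    frontier = list(cde)
    while frontier:
        name = frontier.pop()
        for dep in inventory[name].depends_on:
            if dep not in inventory:
                raise ValueError(f"{name} depends on {dep}, which is not in the inventory")
            if dep in cde or dep in connected:
                continue
            connected.add(dep)
            frontier.append(dep)
    return connected


def pci_scope(inventory: dict) -> dict:
    """Map each in-scope system name to 'CDE' or 'connected'."""
    scope = {name: "CDE" for name in cde_systems(inventory)}
    scope.update({name: "connected" for name in connected_systems(inventory)})
    return scope


def components_by_kind(inventory: dict) -> dict:
    """Group in-scope systems by component type for the audit's component list."""
    grouped = {}
    for name in sorted(pci_scope(inventory)):
        grouped.setdefault(inventory[name].kind, []).append(name)
    return grouped


if __name__ == "__main__":
    inv = build_sample_inventory()
    for name, reason in sorted(pci_scope(inv).items()):
        print(f"{name:15} {reason}")
    print("out of scope:", sorted(set(inv) - set(pci_scope(inv))))
```

In the sample, the authentication server is connected because the POS application and card database cannot run without it, and DNS is pulled in transitively through the authentication server and the payment proxy; the HR portal shares the same authentication server but handles no cardholder data and is not a dependency of anything in the CDE, so it stays out of scope. Whether such shared services can really be left out in practice depends on network segmentation and the assessor’s judgement, which this toy model does not capture.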

ZZ Servers, a PCI Level 1 Service Provider, provides custom-engineered solutions for businesses that need to comply with PCI, delivering high levels of security, stability and reliability. Whether you’re a PCI Level 1 business processing more than 6 million online transactions a year or a PCI Level 4 business with fewer than 20,000 online transactions a year, data security is still critical to your mission.

Knowing your PCI environment is critical to having a successful audit and maintaining compliance. And to do that, you’ve got to know what you’re working with.
