Understanding PCI DSS Scope: Definition and Guide

Most online transactions involve debit and credit cards, which are part of the Payment Card Industry (PCI). PCI refers to all organizations that process, store, and transmit cardholder information in order to facilitate transactions. Major companies in the industry, including Mastercard, Visa, American Express, Discover, and JCB International, formed the Payment Card Industry Security Standards Council to set standards for how this sensitive data is treated. Currently, there are nearly 800 participating organizations that help set the standards for PCI compliance.

The Payment Card Industry Data Security Standard (PCI DSS for short) was created by the Security Standards Council. Compliance with the standard is an industry self-regulated process, and while it is not a legal obligation, it is particularly important for independent software vendors (ISVs) to adhere to it. PCI compliance is critical for many customers and end users, and creating compliant software can increase sales and utility. Without proper compliance, products could be denied access to the gateways necessary to handle payments swiftly and easily.

One of the most important tools for ensuring a fully compliant process is PCI scoping. A business or organization's PCI scope includes all people, processes, and technologies that "touch," interact with, or affect the security of cardholder data.

With a proper understanding of PCI scope, you can ensure that your software products help you and your clients improve payment security.

What Is PCI DSS Scope?

Scoping is defined by the PCI Security Standards Council as a process identifying "all system components, people, and processes to be included in a PCI DSS assessment. The first step of a PCI DSS assessment is to accurately determine the scope of the review."

All systems that are in-scope—meaning that they interact with or affect cardholder data or systems containing it—must be assessed for their compliance with these security standards. By reviewing the way cardholder data flows through a specific organization, you can clearly identify the proper scope for protection.

The people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data, together with any system on the same network segment as them, make up the cardholder data environment (CDE). Any system that is part of your CDE must be compliant with the PCI DSS. The standard contains several hundred individual requirements and testing procedures, so understanding which systems and components fall within a company's PCI scope is critical.

If the scope is drawn too narrowly, systems that do handle or protect cardholder data are left without the required controls, raising the risk of a breach of cardholder data. If it is drawn too broadly, controls are applied where they are not needed, adding cost and friction that get in the way of a business's everyday work.

Some key terms to keep in mind when scoping a business for PCI DSS compliance include:

  • In-scope: Systems that store, process, or transmit cardholder data, plus any system that can connect to them or affect their security
  • Out-of-scope: Systems that handle no cardholder data, cannot connect to the cardholder data environment, and cannot affect its security
  • Connected-to: Systems that do not themselves store, process, or transmit cardholder data but can connect to the CDE, or provide services that affect its security; these remain in scope

What Is Segmentation?

The PCI Security Standards Council warns that companies should "start with the assumption that everything is in scope until verified otherwise." Segmentation is the process by which an organization, or a software vendor, adds controls to "wall off" systems that deal with cardholder data from those that do not. Segmentation is not a PCI DSS requirement, but it can reduce the scope and complexity of the PCI DSS assessment. Once segmentation is relied on to reduce scope, the controls that provide it are themselves in scope and must be verified to work. Ultimately, segmentation can help protect a company's business environment, reduce the need for intensive security controls, and keep end customers' data protected.

Physical and Logical Segmentation

Segmentation can be handled in two ways:

  • Physically, by directly preventing a networked connection between systems that are part of the cardholder data environment (CDE) and those that are not.
  • Logically, using firewalls and other technological security systems. Some segmentation processes can involve both aspects.

By keeping proper security guidelines in place and firewalling in-scope areas on a company's network, you can help prevent various types of attacks, including those that originate in less secure systems.

As a rule, if a system does not absolutely need to handle credit card or other customer data, it should not touch them. Users' computers on a network should be safely out-of-scope, protecting companies from extreme security procedures that can interfere with daily work and safeguarding customers' data against a devastating breach.

Shared networks allow computers and other devices to communicate with one another, whether over Ethernet, Wi-Fi, Bluetooth, or point-to-point sessions such as FTP or SSH. As a result, a business whose devices all share one flat network may find that every one of them is considered in-scope. PCI DSS does not treat a public network such as the internet itself as an in-scope system component, since the business neither owns nor controls it; it instead requires that cardholder data sent over open, public networks be protected with strong cryptography (Requirement 4). Many of the most serious risks to cardholder data nonetheless come from unauthorized access and attacks launched from that public space.

Common methods of network segmentation that reduce the number of in-scope applications and network nodes include firewalls that permit only specific, documented connections to CDE systems and deny everything else between out-of-scope and in-scope devices, or complete separation of networks. Segmentation that relies on logical controls alone depends on those controls being configured correctly and staying that way, which is why it is regarded as weaker than physical separation and must be tested.

In-Scope System Components

To complete your PCI scoping exercise correctly, there are several steps involved in the process. These include the following:

1. Identifying where and how the organization takes in and uses cardholder data
2. Identifying and documenting where this account information is processed, transmitted, and stored
3. Locating all other processes, systems, people, and components in-scope for the cardholder data environment
4. Creating controls to reduce the scope to only those programs, people, and networks necessary to handle cardholder data
5. Putting in place all required safeguards for PCI DSS compliance
6. Regularly maintaining and verifying that the PCI DSS are complied with and information is secure
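Steps 1 and 2 come down to finding every place a primary account number (PAN) actually lands, including the logs, exports, and support tickets nobody drew on the data-flow diagram. The following Python script is an added example written for this page, not code from the original article or from Global Payments Integrated. It scans a set of constructed sample sources for candidate PANs, discards digit runs that are not Luhn-valid or do not match a card brand's published prefix and length, and reports findings with all but the last four digits masked, so the scan output does not itself become cardholder data. The file names and contents are invented for illustration; the card numbers are the brands' published test numbers.

```python
"""Locate primary account numbers (PANs) in files, logs and records as part of PCI DSS scoping."""
import re
from dataclasses import dataclass
from typing import Optional

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit (so longer digit runs are ignored).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Published leading-digit ranges and PAN lengths for the major brands.
BRANDS = {
    "Visa": (("4",), (13, 16, 19)),
    "Mastercard": (tuple(str(n) for n in range(51, 56))
                   + tuple(str(n) for n in range(2221, 2721)), (16,)),
    "American Express": (("34", "37"), (15,)),
    "Discover": (("6011", "65"), (16, 19)),
    "JCB": (tuple(str(n) for n in range(3528, 3590)), (16, 19)),
}


def luhn_valid(digits: str) -> bool:
    """Mod-10 check digit test; every brand's PAN passes it, most random digit runs do not."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> Optional[str]:
    """Return the brand whose prefix and length both match, or None."""
    for brand, (prefixes, lengths) in BRANDS.items():
        if len(digits) in lengths and digits.startswith(prefixes):
            return brand
    return None


@dataclass(frozen=True)
class Finding:
    source: str
    brand: str
    masked_pan: str   # only the last four digits survive; the scanner never stores a full PAN


def find_pans(source: str, text: str) -> list:
    """Return one Finding per Luhn-valid, brand-matching PAN found in text."""
    findings = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        brand = brand_of(digits)
        if brand is None or not luhn_valid(digits):
            continue   # order numbers, timestamps and other digit runs end here
        findings.append(Finding(source, brand, "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def scan_sources(sources: dict) -> dict:
    """Scan every source and keep only those where at least one PAN was found."""
    return {src: hits for src, text in sources.items() if (hits := find_pans(src, text))}


# Constructed sample data. The card numbers are the brands' published test numbers;
# the token and order number are made up. None of this comes from a real system.
SAMPLE_SOURCES = {
    "app/orders.log": "2024-03-01 INFO order 1234567890123456 paid with 4111111111111111 exp 12/26\n",
    "db/customers.csv": "id,name,card\n7,Alice,tok_9f8e7d6c5b4a\n8,Bob,4012 8888 8888 1881\n",
    "support/ticket.txt": "Customer quoted last digits 1111; masked card on file 411111******1111.\n",
    "crm/export.json": '{"card": "378282246310005", "backup_card": "5555555555554444"}\n',
}

if __name__ == "__main__":
    for src, hits in scan_sources(SAMPLE_SOURCES).items():
        for hit in hits:
            print(f"{src}: {hit.brand} PAN {hit.masked_pan} -> this system is in scope")
```

The token in the CSV and the masked card in the ticket produce no findings, which is the point of tokenization and truncation: a system that holds only those values has not taken on cardholder data. The 16-digit order number in the log is rejected by the Luhn check and brand table, so it does not trigger a false positive.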

Those systems that are considered in-scope for PCI DSS controls include:

  • Systems that store, process or transmit cardholder data (CHD) or sensitive authentication data (SAD)
  • Systems that do not store, process or transmit CHD themselves but are on the same network as or otherwise "adjacent to" systems that do

Connected-to systems or components that affect the CDE or its security are considered in-scope. This category presents the largest single area where it is possible to reduce businesses' exposure to PCI DSS requirements and potential security breaches. These may do any of the following:

  • Connect or have access to the CDE directly or indirectly, such as through a jump server
  • Impact the security or configuration of the CDE, such as a name server providing DNS resolution for the CDE
  • Provide security services to the CDE, such as an authentication server like Active Directory
  • Support the requirements of the PCI DSS, like an audit log server
  • Provide the segmentation that separates the CDE from out-of-scope systems

When Are Systems Considered Out of Scope?

Out-of-scope systems are those that cannot access cardholder data or affect the security of the components or systems that handle it. To be considered out-of-scope, each component, software program, person, or network area must not process, store, or transmit cardholder data. It must be separated, physically or logically, from the parts of the network that do handle sensitive data, and that separation must be verified to be effective rather than assumed.

Specifically, out-of-scope systems must meet all of the following guidelines:

  • Components must not store, process, or transmit CHD or SAD
  • They must not share a network segment, subnet, or VLAN with systems that store, process, or transmit CHD or SAD
  • Components must be unable to connect to or access any part of the CDE
  • They must be unable to gain access to the CDE or affect any security controls for the CDE through an in-scope system
  • They must not meet any criteria defined for connected-to, security-impacting, or in-scope systems or system components
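Working out which of these categories each system falls into is easy to get wrong by hand once jump hosts and shared services are involved. The following Python classifier is an added example written for this page, not code from the original article or from Global Payments Integrated. It takes a constructed inventory of components (name, network segment, whether it handles CHD or SAD, whether it provides a security service to the CDE) and a list of permitted firewall flows, then applies the rules above: anything that handles CHD or shares a segment with something that does is in the CDE; anything with a permitted path to or from the CDE, directly or through another system, or with a security role, is connected-to and in scope; everything else is out of scope. It is run twice, the second time with a deliberately permissive rule of the kind left behind during troubleshooting, to show how a single rule silently pulls every corporate system into scope. Connectivity here means permitted network flows only; whether a shared service could influence the CDE by other means is a judgment for the assessor. All component, segment, and rule names are invented.

```python
"""Classify system components as CDE, connected-to, or out-of-scope from an inventory and firewall rules."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    segment: str                  # VLAN or subnet the component sits on
    handles_chd: bool = False     # stores, processes or transmits CHD or SAD
    security_role: bool = False   # provides security services to, or supports PCI DSS requirements for, the CDE


@dataclass(frozen=True)
class Rule:
    """A permitted flow; src and dst are a component name, a segment name, or "any"."""
    src: str
    dst: str


def rule_matches(selector: str, comp: Component) -> bool:
    return selector in ("any", comp.name, comp.segment)


def allowed_edges(inventory: list, rules: list) -> set:
    """Expand the rules into directed component-to-component connections."""
    edges = set()
    for rule in rules:
        for a in inventory:
            if not rule_matches(rule.src, a):
                continue
            for b in inventory:
                if a.name != b.name and rule_matches(rule.dst, b):
                    edges.add((a.name, b.name))
    return edges


def reachable(start: set, adjacency: dict) -> set:
    """Breadth-first closure over adjacency, so a path through a jump host still counts."""
    seen, queue = set(start), deque(start)
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def classify(inventory: list, rules: list) -> dict:
    # 1. CDE: handles CHD/SAD, or shares a network segment with a component that does.
    chd_segments = {c.segment for c in inventory if c.handles_chd}
    cde = {c.name for c in inventory if c.handles_chd or c.segment in chd_segments}

    # 2. Connected-to: a permitted path to or from the CDE (directly or through other
    #    systems), or a security role for the CDE. Only permitted network flows count here.
    outbound, inbound = {}, {}
    for src, dst in allowed_edges(inventory, rules):
        outbound.setdefault(src, set()).add(dst)
        inbound.setdefault(dst, set()).add(src)
    touching = reachable(cde, inbound) | reachable(cde, outbound)
    connected = {c.name for c in inventory
                 if c.name not in cde and (c.name in touching or c.security_role)}

    # 3. Everything else satisfies the out-of-scope criteria by elimination.
    out_of_scope = {c.name for c in inventory} - cde - connected
    return {"cde": cde, "connected_to": connected, "out_of_scope": out_of_scope}


# Constructed inventory and rule sets for illustration; none of this describes a real network.
INVENTORY = [
    Component("pos-terminal-1", "pos-vlan", handles_chd=True),
    Component("payment-app", "cde-app", handles_chd=True),
    Component("payment-db", "cde-db", handles_chd=True),
    Component("backup-server", "cde-db"),             # holds no CHD, but sits on the CDE database VLAN
    Component("jump-host", "mgmt"),
    Component("admin-workstation", "corp"),
    Component("dns-server", "infra", security_role=True),
    Component("log-collector", "infra", security_role=True),
    Component("hr-portal", "corp"),
    Component("marketing-laptop", "corp"),
]

SEGMENTED_RULES = [
    Rule("pos-vlan", "payment-app"),
    Rule("payment-app", "payment-db"),
    Rule("jump-host", "cde-app"),
    Rule("jump-host", "cde-db"),
    Rule("admin-workstation", "jump-host"),            # indirect CDE access through the jump host
    Rule("any", "dns-server"),
    Rule("cde-app", "log-collector"),
    Rule("cde-db", "log-collector"),
]

# The weak configuration: one permissive "corp to anywhere" rule left behind after troubleshooting.
WEAK_RULES = SEGMENTED_RULES + [Rule("corp", "any")]

if __name__ == "__main__":
    for label, rules in (("segmented", SEGMENTED_RULES), ("weak", WEAK_RULES)):
        result = classify(INVENTORY, rules)
        print(f"{label}: {len(result['cde'])} CDE, {len(result['connected_to'])} connected-to, "
              f"{len(result['out_of_scope'])} out of scope -> {sorted(result['out_of_scope'])}")
```

With the segmented rule set, the backup server lands in the CDE purely because it shares the database VLAN, and the admin workstation is connected-to even though its only rule points at the jump host. Adding the one "corp to any" rule leaves no out-of-scope systems at all, which is exactly the kind of drift the annual scope confirmation and segmentation test are meant to catch.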

By keeping your software products out-of-scope with careful design, strong segmentation, and integrated access to payment providers without access to CHD, you can help your clients improve their security while avoiding restrictive requirements. Proper PCI compliance that does not interfere with business activities is a gold standard for many small to medium-sized businesses.

This doesn't mean that out-of-scope software, components, or networks should be insecure or lax about the protective measures they provide. Instead, these can be crafted to provide the highest level of security without "touching" the vulnerable cardholder data that could expose any company to a network breach or serious liability.

Achieving Segmentation

There are many techniques that software vendors and organizations can use to achieve and protect compliant network segmentation. Physical controls isolate CDE systems from out-of-scope components by placing them on separate servers, switches, and network infrastructure with no shared link between the two. Where no physical path exists there is no rule to misconfigure, but the separation still has to be verified: a single stray cable, wireless bridge, dual-homed host, or shared management interface reintroduces a connection.

Logical controls can also be utilized for effective segmentation by using firewalls, routers with strong access control guidelines, and other methods to restrict access to a network segment. This type of segmentation must be regularly tested to ensure it remains intact.

In some cases, businesses store cardholder data on their own servers, which keeps those servers in-scope for PCI DSS compliance. Encryption on its own does not take encrypted cardholder data out of scope for a business that can decrypt it; scope shrinks when cardholder data is replaced with tokens that are worthless to an attacker and the actual card data is handled by a PCI DSS validated service provider. That combination lets servers and the software products that make transactions possible avoid most in-scope treatment, and the use of validated service providers reduces the scope and complexity of the assessment.

Your clients may use several applications that directly take in cardholder data, including credit card terminals, POS systems, payment gateways, online payment systems, and customer management software that keeps payment data on file. Any application that handles cardholder data must meet the standard's controls in full, and the data it passes on to the solution provider must be protected in transit. Point-to-point encryption (P2PE) and tokenization can substantially reduce a business's PCI DSS obligations: with P2PE the card data is encrypted inside the terminal and cannot be read by any system between it and the provider, and with tokenization the application stores only a token in place of the card number. Both shrink the CDE and let smaller businesses meet their obligations more easily and affordably.

PCI DSS Scoping Considerations

There are some special considerations for ensuring that an organization's PCI scope is correctly understood. The PCI SSC clarified that using separate VLANs or network segments does not automatically reduce the scope. Instead, segmentation must be configured intentionally and effectively in a purpose-built manner to ensure the CDE is properly segregated.

Any company that takes payments should reassess its PCI scope on at least an annual basis. During this scoping review, all flows of cardholder data should again be identified along with all systems that connect to the CDE or could potentially lead to its compromise. The documentation used in the scoping process should be retained in order to show that it was complete and accurate during a PCI assessment or audit. Assessors who validate PCI DSS compliance are responsible for confirming that the scope was properly defined and implemented for any software product or business.

As part of this process, segmentation controls must be penetration tested at least annually for merchants and at least every six months for service providers, and again after any change to the segmentation. The standards necessary for sufficient network segmentation can change over time, so make sure that your software is ready to withstand ongoing checks.

A solid understanding of PCI scope can keep your clients protected and safe. Your software products can ease customers' minds when you have a PCI compliant system that keeps their servers out-of-scope.

The Global Payments Integrated Advantage

Global Payments Integrated offers payment solutions that provide integration with a massive global network, Global Payments, Inc., as well as ongoing support and access with a single API that helps ensure your software products support end users' PCI scope compliance.

Global Payments Integrated provides exceptional solutions that prevent your software from ever touching cardholder data. By using tokenization and point-to-point encryption, transactions are handled off-site. Our single API makes it easy to integrate Global Payments Integrated payment technology into your applications.

Contact us today for more information on our payment solutions and how we can make your software stronger, safer, and more secure.

Richard Rohena

Manager of PCI Compliance Services

Richard is the Manager of PCI Compliance Services with Global Payments Integrated, providing developers of credit card payment solutions and merchants with a deep understanding of the Payment Card Industry Data Security Standard (PCI-DSS). He has over 8 years of experience working directly with developers and merchants to implement secure payment solutions in a manner compliant with the PCI-DSS.
