
A3.2.2 PCI DSS scope impact for all changes to systems or networks is determined, including additions of new systems and new network connections. Processes include:

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

A3.2.2 PCI DSS scope impact for all changes to systems or networks is determined, including additions of new systems and new network connections. Processes include:

  • Performing a formal PCI DSS impact assessment.
  • Identifying applicable PCI DSS requirements to the system or network.
  • Updating PCI DSS scope as appropriate.
  • Documented sign-off of the results of the impact assessment by responsible personnel (as defined in A3.1.3).

PCI DSS Reference: Scope of PCI DSS Requirements; Requirements 1-12

Customized Approach Objective

This requirement is not eligible for the customized approach.

Defined Approach Testing Procedures

A3.2.2 Examine change documentation and interview personnel to verify that for each change to systems or networks the PCI DSS scope impact is determined, and includes all elements specified in this requirement.

Purpose

Changes to systems or networks can have a significant impact on PCI DSS scope. For example, changes to network security control rulesets can bring whole network segments into scope, or new systems may be added to the CDE that have to be appropriately protected.

A formal impact assessment performed in advance of a change gives the entity assurance that the change will not adversely affect the security of the CDE.
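The four process elements listed under the requirement, and the ruleset-change example given in the Purpose section, can be enforced as a gate in a change-management pipeline. The following is an added illustration written for this page, not code from WithPCI or the PCI SSC. The network-zone labels (`cde`, `connected`, `isolated`), the change-record fields, and the role names standing in for the responsible personnel of A3.1.3 are all assumptions; an entity would substitute its own inventory and role definitions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Network zone labels are assumptions for this example, not PCI DSS terms:
#   "cde"       - segment holding cardholder data environment components
#   "connected" - segment that can connect to or affect the CDE
#   "isolated"  - segment verified as out of scope
CDE_ZONES = {"cde"}
CONNECTED_ZONES = {"connected"}

# Roles permitted to sign off an impact assessment. A3.1.3 has the entity
# define the responsible personnel; these role names are assumed.
RESPONSIBLE_ROLES = {"pci_compliance_lead", "security_manager"}


@dataclass
class ChangeRecord:
    change_id: str
    change_type: str                  # "new_system", "new_connection", "ruleset_change", "other"
    zones_touched: Set[str]           # zones the change adds to or modifies
    impact_assessment: str = ""       # text of the formal impact assessment; "" if not done
    applicable_requirements: List[str] = field(default_factory=list)
    scope_updated: bool = False       # scope document / inventory amended
    signoff_role: str = ""            # role that signed off the assessment


def determine_scope_impact(change: ChangeRecord) -> str:
    """Classify the scope impact of a change from the zones it touches.

    Returns one of:
      "in_scope"  - the change adds to or modifies the CDE itself
      "connected" - the change touches a segment connected to the CDE
      "review"    - a ruleset change confined to an isolated segment, which
                    can still pull that segment into scope and so needs an
                    explicit decision in the assessment
      "none"      - no zone relevant to the CDE is affected
    """
    if change.zones_touched & CDE_ZONES:
        return "in_scope"
    if change.zones_touched & CONNECTED_ZONES:
        return "connected"
    if change.change_type == "ruleset_change":
        return "review"
    return "none"


def gate_change(change: ChangeRecord) -> List[str]:
    """Return the A3.2.2 elements missing from a change record.

    An empty list means all four elements are documented and the change may
    proceed; otherwise each string names one blocking gap.
    """
    findings: List[str] = []
    impact = determine_scope_impact(change)

    # 1. A formal impact assessment is required for every change.
    if not change.impact_assessment.strip():
        findings.append("no formal PCI DSS impact assessment recorded")

    # 2. Applicable requirements must be identified whenever scope could be affected.
    if impact != "none" and not change.applicable_requirements:
        findings.append("applicable PCI DSS requirements not identified")

    # 3. Scope must be updated when something enters the CDE or a connected segment.
    if impact in ("in_scope", "connected") and not change.scope_updated:
        findings.append("PCI DSS scope not updated for %s change" % impact)

    # 4. Documented sign-off must come from responsible personnel.
    if change.signoff_role not in RESPONSIBLE_ROLES:
        findings.append("impact assessment not signed off by responsible personnel")

    return findings


def review_changes(changes: List[ChangeRecord]) -> Dict[str, Tuple[str, List[str]]]:
    """Map change id -> (impact, findings); the blocked entries are what an
    automated notification to the compliance team would carry."""
    return {c.change_id: (determine_scope_impact(c), gate_change(c)) for c in changes}


# Constructed sample change records for demonstration (not real tickets).
SAMPLE_CHANGES = [
    ChangeRecord("CHG-1001", "new_system", {"cde"},
                 impact_assessment="New tokenization host in the CDE VLAN",
                 applicable_requirements=["1.3.1", "2.2.1", "8.3.1"],
                 scope_updated=True, signoff_role="pci_compliance_lead"),
    ChangeRecord("CHG-1002", "ruleset_change", {"isolated"},
                 impact_assessment="Allow TCP/443 from office VLAN to DMZ"),
    ChangeRecord("CHG-1003", "new_connection", {"connected"},
                 impact_assessment="Site-to-site VPN to a logistics partner",
                 applicable_requirements=["1.3.2", "1.4.2"],
                 scope_updated=False, signoff_role="network_engineer"),
]

if __name__ == "__main__":
    for cid, (impact, findings) in review_changes(SAMPLE_CHANGES).items():
        print(f"{cid}: impact={impact} {'APPROVABLE' if not findings else 'BLOCKED'}")
        for item in findings:
            print("   -", item)
```

Run as a script, the first record passes, the ruleset change is blocked for missing requirement identification and sign-off, and the partner VPN is blocked because scope was not updated and the sign-off role is not one of the responsible personnel. The same `review_changes` output is what a change-tool webhook would forward to the compliance team, which is the automation the Recommendations section below suggests.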

Good Practice

Processes to determine the potential impact that changes to systems and networks may have on an entity's PCI DSS scope may be performed as part of a dedicated PCI DSS compliance program or may fall under an entity's overarching compliance and/or governance program.

Sub-Requirements

Purpose

Designated Entities must confirm PCI DSS scope at least annually and upon significant changes.

Compliance Strategies

  • Annual and change-driven scope reviews

Typical Policies

  • Scope Confirmation Policy

Common Pitfalls

  • Scope not updated after changes

Type

Process Control

Difficulty

Moderate

Key Risks

  • Unprotected systems in scope

Recommendations

  • Automate change notifications to compliance team
