WithPCI.com

What is the Scope of PCI DSS Assessment?

Determining the proper scope for PCI DSS assessment is crucial for effective compliance. Incorrect scoping can lead to insufficient controls or unnecessary compliance efforts.

Defining the Cardholder Data Environment

The scope of PCI DSS includes the Cardholder Data Environment (CDE), which encompasses all people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data, as well as systems connected to or that could impact the security of cardholder data.

For networks that are not segmented, the scope extends to the entire network, as all systems could potentially impact cardholder data security.

Network Segmentation and Scope Reduction

Network segmentation—isolating the cardholder data environment from the rest of the network—can effectively reduce PCI DSS scope. This can be achieved through:

  1. Physical separation of networks
  2. Logical separation using firewalls and access controls
  3. Virtualization technologies with proper security controls

Proper segmentation must be validated during assessment to ensure it effectively isolates the cardholder data environment.

Global Operations and Multiple Locations

For organizations with international operations, all sites that store, process, or transmit cardholder data are in scope for PCI DSS assessment, regardless of geographic location. However:

  1. Sites properly segmented from the cardholder data environment can be excluded
  2. Specific sites can be excluded from the primary assessment, but this must be documented
  3. Alternatively, one assessment can include all international locations

Disaster Recovery Sites

The inclusion of disaster recovery (DR) sites in PCI DSS scope depends on their configuration:

| DR Configuration              | In Scope? | Rationale                                                              |
|-------------------------------|-----------|------------------------------------------------------------------------|
| Hot/Warm Standby              | Yes       | Contains live or ready-to-use copies of CDE systems or cardholder data |
| Cold Standby (when inactive)  | No        | Does not contain CDE systems or connect to the CDE when not in use     |
| Cold Standby (when activated) | Yes       | Must maintain PCI DSS requirements during activation period            |

Organizations must ensure that any DR site that becomes active maintains PCI DSS requirements for the duration of its use.
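The scoping rules above (CDE membership, the whole-network rule for unsegmented networks, connected-to systems, and the DR table) can be turned into a repeatable check over a system inventory. The following is an added example, not code from WithPCI; the inventory, network names and permitted flows are constructed for illustration, and a real assessment would feed it from the asset register and firewall rule base.

```python
from dataclasses import dataclass

@dataclass
class System:
    name: str
    network: str               # network segment the host sits on
    handles_chd: bool = False  # stores, processes or transmits CHD or SAD
    dr_role: str = ""          # "", "hot", "warm" or "cold" standby of a CDE system
    dr_active: bool = False    # True once a cold standby has been brought up

def is_cde(s: System) -> bool:
    """CDE membership: handles CHD/SAD, is a hot/warm standby, or an activated cold one."""
    return s.handles_chd or s.dr_role in ("hot", "warm") or (s.dr_role == "cold" and s.dr_active)

def determine_scope(systems, allowed_flows, validated_segments):
    """Classify every system using the scoping rules described in the article.
    allowed_flows: (src, dst) pairs the firewalls/ACLs permit.
    validated_segments: networks whose isolation from the CDE has been validated.
    """
    by_name = {s.name: s for s in systems}
    cde = {s.name for s in systems if is_cde(s)}
    cde_networks = {by_name[n].network for n in cde}
    touches_cde = {a for a, b in allowed_flows if b in cde} | {b for a, b in allowed_flows if a in cde}
    scope = {}
    for s in systems:
        if s.name in cde:
            scope[s.name] = "CDE"
        elif s.network in cde_networks:            # shares a network with CDE systems
            scope[s.name] = "in scope (same network as CDE)"
        elif s.network not in validated_segments:  # unsegmented: the whole network is in scope
            scope[s.name] = "in scope (segmentation not validated)"
        elif s.name in touches_cde:                # segmented, but a permitted path to the CDE remains
            scope[s.name] = "connected-to"
        else:
            scope[s.name] = "out of scope"
    return scope

# Constructed inventory; names and networks are illustrative, not from any real environment.
SAMPLE_SYSTEMS = [
    System("pos-gw", "cde", handles_chd=True),
    System("db-hot-dr", "dr-site-a", dr_role="hot"),
    System("db-cold-dr", "dr-site-b", dr_role="cold"),
    System("jump-host", "mgmt"),
    System("wiki", "mgmt"),
    System("hr-app", "corp"),
]
SAMPLE_FLOWS = {("jump-host", "pos-gw")}
SAMPLE_SEGMENTED = {"mgmt", "dr-site-b"}   # "corp" has no validated segmentation
```

Calling `determine_scope(SAMPLE_SYSTEMS, SAMPLE_FLOWS, SAMPLE_SEGMENTED)` places the hot standby in the CDE, pulls the whole unsegmented corp network into scope, marks the jump host as connected-to, and leaves the inactive cold standby and the wiki out of scope; flipping `dr_active` on the cold standby moves it into the CDE.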
