Establishing the Scope of Your Cardholder Data Environment

by KirkpatrickPrice / April 18th, 2017

Properly scoping your environment is the most important initial step of becoming PCI compliant. The scope of the Cardholder Data Environment (CDE) determines the extent to which all PCI DSS controls must be in place. If an asset is in scope, all controls will apply. If an asset is not in scope, then there’s no concern to PCI. Errors in scoping can lead to serious consequences, so it’s important to define an accurate scope before beginning your PCI DSS audit. No matter what kind of data you’re protecting – ePHI, cardholder data, financial information – you need to understand where your assets reside and what controls are protecting them. If you don’t know where your data is, how do you plan to protect it?

So, how does your organization determine if an asset is in scope? Any people, process, or technology that stores, processes, or transmits cardholder data, is considered to be within your CDE and in scope for your PCI DSS audit. The rules defined by the PCI Security Standards Council also state that:

  • If your organization has any devices that provide security/authentication services, such as a firewall, router, or patching server, then those devices are considered in the CDE and part of your scope.
  • If your organization has an asset that has connectivity into the CDE, that asset is in scope.
  • If there are any routing rules that allow traffic into your CDE, that traffic brings those assets into scope.
  • If your organization has an asset that is deemed to have impact over the security of the CDE in any way, it’s also considered in scope.

There will be some gray areas and areas where your organization may struggle to determine whether a particular asset is in or outside of the scope of your PCI audit. But, there are typically 6 questions you can ask to determine whether something is in-scope. If the answer to any of these questions is yes, then that asset is in scope:

  • Does the asset store cardholder data?
  • Does the asset process cardholder data?
  • Does the asset transmit cardholder data?
  • Does the asset provide security services within the CDE?
  • Is the asset connected to the CDE?
  • Could the asset impact the security of the CDE?

Establishing Scope of Your Environment

One of the most important things your organization will do during your assessment process is to try to understand what’s in-scope. Whether it be HIPAA data, PCI data, any type of data, or financial information, you need to understand where your assets reside and what the controls are that you have in place to protect them.

As an assessor, part of the process is spending time with your organization and working with you to understand the scope of your environment. If your systems, your processes, or your people somehow have the ability to negatively impact the security aspect of this data we’re trying to protect, we look to make sure that you have appropriate controls in place. We try to, if you would, draw a circle around the assets that are in question and apply those controls to that. When we look at it from a security perspective, you must understand that if you don’t know where your data is at, how do you expect to protect it?

So, establishing the scope of your environment is one of going to be one of the most important things that you do in maintaining security. You need to ensure that you have the appropriate controls applied in the appropriate places.