PCI Readiness Series: Scoping the Assessment
How to Scope a PCI Assessment
Knowing how to scope a PCI assessment is crucial to your organization’s compliance. Defining a correct scope is the first and most important step. Scoping is so vital that assessors should not even begin the assessment until they have fully determined the scope. So, how does your organization determine if an asset is in scope? Any people, process, or technology that stores, processes, or transmits cardholder data is considered to be within your cardholder data environment and in scope for your PCI assessment. If your people, processes, or technology have the ability to impact the security of account data and sensitive authentication data, then your organization needs to have the appropriate controls applied in the appropriate places.
This webinar will help you understand why something would be considered out of scope. For an asset to be considered out of scope, there must be absolutely no connectivity to the cardholder data environment; it must have no ability to impact the security of the data.
This webinar will also help you to understand topics such as:
- Defining the scope and the cardholder data environment
- Determining what is considered out of scope
- Identifying what documents an assessor will collect and review during a PCI assessment
- Discussing how wireless networks affect scope
- Discussing the impact of sampling
Whether it be ePHI, cardholder data, financial information, or any other type of data, you need to understand where your assets reside and what controls you have in place to protect them. If you don’t know where your assets are, how do you expect to protect them?