Learn how the PCI SSC's guidance helps define scope and segmentation.  

By: Jen Stone
Security Analyst
CISSP, QSA
Check out a recording of our recent webinar to learn more about this supplement. 

In December 2016, the PCI Security Standards Council (SSC) released a supplemental guide for scoping and network segmentation. Here are a few things you should know about it.

What is the supplement’s purpose?

The purpose of this guidance is to help organizations identify the systems that need to be considered in scope for PCI DSS, and understand how segmentation can reduce the number of those systems.

The guide also expands on specific elements related to PCI DSS scope, including terms like:
  • In-scope: systems directly involved with, connected to, or that affect the security of cardholder data
  • Connected-to: systems that connect to the cardholder data environment (CDE) or are indirectly involved in handling card data
  • Out-of-scope: systems that do not have access to the CDE
The PCI SSC also hopes this guidance can help organizations protect their data from indirect threats, such as pivot attacks, in which an attacker targets a system with fewer security controls in place and then uses that access to breach higher security systems.

Why was the guide released now? 

Because determining PCI DSS scope can be confusing and time consuming, merchants and service providers requested more guidance on scoping from the PCI SSC.

Additionally, recent compromises arose from indirect connection issues, such as the pivot attack described above. These compromises are more likely when scope is not adequately defined, which led to the need for more clarification on how to accurately assess PCI DSS scope.

The guidance also covers how segmentation can be used to reduce PCI scope, and with it the number of systems and elements in a business environment that require PCI DSS controls.

Who does this guide apply to? 

This guide is for organizations of any size that wish to understand and apply scoping and segmentation principles as defined by PCI DSS. The following groups will find this guide particularly useful:
  • Merchants
  • Acquirers
  • Issuers
  • Service Providers
  • Assessors (QSAs or ISAs)
  • PCI Forensic Investigators

What does the guide cover? 

Here are a few things the guide talks about.
  • Defining scope: The guide helps businesses figure out what is defined as in scope and out of scope in terms of which PCI DSS requirements apply to system components included in, connected to, or affecting the security of the CDE. 
  • Scoping basics: The supplement includes examples of things to consider when performing a scoping exercise, and tips to help you more easily scope your environment. 
  • Segmentation principles: The guide discusses how network segmentation can help separate in-scope systems from out-of-scope systems to help prevent pivot attacks.

The supplement stresses that organizations should understand their environment – what systems are included and how those systems interact with cardholder data. Businesses should also document their scope, including how scope was verified to be accurate.
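The scope categories and the segmentation principle above can be checked mechanically against an inventory of systems and the connections the network actually permits. The following is an added example (not code from the PCI SSC guidance or from SecurityMetrics): it classifies each system as part of the CDE, connected-to, or out-of-scope, then flags any "out-of-scope" system that can still reach the CDE through intermediate hops, which is exactly the pivot path the supplement warns about. The system names, the `handles_chd` flags, the connection list and the three-bucket classification rule are all assumptions constructed for this illustration.

```python
"""Scope classification and segmentation check over a constructed inventory.

Added example, not from the PCI SSC guidance or the SecurityMetrics post.
System names, the handles_chd flags and the connection list are all
constructed for illustration.
"""
from collections import deque

# Constructed inventory: each system, whether it stores/processes/transmits
# cardholder data (CHD), and which systems it can open connections to.
# A connection listed here means traffic is permitted at the network layer
# (no firewall rule or ACL blocks it); that is the assumption this model makes.
INVENTORY = {
    "pos-terminal":   {"handles_chd": True,  "connects_to": ["payment-app"]},
    "payment-app":    {"handles_chd": True,  "connects_to": ["card-db"]},
    "card-db":        {"handles_chd": True,  "connects_to": []},
    "jump-host":      {"handles_chd": False, "connects_to": ["payment-app", "card-db"]},
    "ad-domain-ctrl": {"handles_chd": False, "connects_to": ["payment-app", "jump-host"]},
    "hr-portal":      {"handles_chd": False, "connects_to": ["ad-domain-ctrl"]},
    "guest-wifi":     {"handles_chd": False, "connects_to": ["hr-portal"]},
    "marketing-web":  {"handles_chd": False, "connects_to": []},
}


def cde_systems(inventory):
    """The CDE: every system that stores, processes or transmits CHD."""
    return {name for name, s in inventory.items() if s["handles_chd"]}


def reachable_from(inventory, start):
    """All systems reachable from `start` by following permitted connections (BFS)."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in inventory[node]["connects_to"]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def classify_scope(inventory):
    """Bucket every system as 'cde', 'connected-to' or 'out-of-scope'.

    Classification rule used here (an assumption for this model):
      cde           - handles CHD directly
      connected-to  - does not handle CHD but has a direct connection
                      into a CDE system
      out-of-scope  - neither; it has no direct connection to the CDE
    """
    cde = cde_systems(inventory)
    result = {}
    for name, s in inventory.items():
        if name in cde:
            result[name] = "cde"
        elif any(peer in cde for peer in s["connects_to"]):
            result[name] = "connected-to"
        else:
            result[name] = "out-of-scope"
    return result


def segmentation_gaps(inventory):
    """Out-of-scope systems that can still reach the CDE through other systems.

    Each hit is a pivot path: a compromise of that system could be extended
    hop by hop into the CDE, so the 'out-of-scope' label is not justified
    until the path is blocked or the system is brought into scope.
    Returns {system: sorted list of CDE systems it can reach}.
    """
    cde = cde_systems(inventory)
    scope = classify_scope(inventory)
    gaps = {}
    for name, label in scope.items():
        if label != "out-of-scope":
            continue
        reach = reachable_from(inventory, name) & cde
        if reach:
            gaps[name] = sorted(reach)
    return gaps


if __name__ == "__main__":
    for name, label in classify_scope(INVENTORY).items():
        print(f"{name:15} {label}")
    print("segmentation gaps:", segmentation_gaps(INVENTORY))
```

On the constructed inventory, `jump-host` and `ad-domain-ctrl` land in connected-to because they talk directly to CDE systems, while `hr-portal` and `guest-wifi` look out-of-scope by the direct-connection rule yet are reported as segmentation gaps, since both can reach `payment-app` and `card-db` by way of the domain controller. That is the kind of finding the supplement asks you to document along with how scope was verified: either the indirect path is cut with segmentation controls, or the systems are treated as in scope.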

Additional tips

Here are a few more things to consider when scoping your environment.
  • Validate your scope at least annually: Make sure any changes to your environment are reflected in your scope.
  • Limit shared services: The fewer people who have access to your card data, the easier it will be to maintain security.
  • Be prepared for more in-depth examinations: Your QSA may have to examine more systems than in previous audits.
The first step in accurately scoping your environment is to understand where card data comes into it, what happens to card data while it’s there, and where it is sent. You can’t protect your data if you don’t know where it is.

Need help with PCI compliance? Talk to us! 

Jen Stone (MSCIS, CISSP, QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.