Learn what scope categories your systems fall into. 

By: Michael Simpson
Principal Security Analyst
When it comes to PCI DSS scope, many businesses can feel a little confused about what to consider in-scope in their environment.

The PCI SSC recently released a supplemental guide to PCI DSS scope, which provides further information on scoping, what’s considered to be in scope, and what businesses should secure.

Within this guidance, the different categories of scoping are defined and clarified. Here’s a look at each category.

In-scope systems

This category covers all systems and networks that are directly involved in the cardholder data environment (CDE). A system component is in this category if it stores, processes, or transmits cardholder data, or if it is on the same network segment as systems that do.

These types of systems are all part of the CDE, and need to follow all applicable PCI DSS requirements to properly protect cardholder data.

Sample systems considered in-scope:
  • POS devices
  • Servers containing card data
  • Networks that transmit card data
  • Firewalls providing segmentation of the cardholder data environment

Connected-to-scope systems

This category refers to all systems that are connected to the CDE, either directly or indirectly. Due to this connectivity, these systems can affect the security of the cardholder environment, and all applicable PCI DSS controls must be implemented to reduce the risk of a security breach through one of these connected systems.

This category applies to systems that:
  • impact the configuration of the CDE
  • provide security services to the CDE
  • have a communication path to the CDE
Since these systems did not store, process, or transmit cardholder data, many businesses felt they were out-of-scope and PCI DSS requirements did not apply.

In the latest supplemental guidance, the PCI Council has very clearly stated that these systems must be secured to the same standard as in-scope systems.

All applicable PCI DSS requirements must be in place for any system connected to the CDE.

Sample systems considered connected-to-scope:
  • Code deployment servers
  • Antivirus systems
  • Domain Controllers
  • Hypervisors that host CDE systems
  • DNS servers
  • Log servers
  • Update/patch management servers
  • Authentication servers

Out-of-scope systems

This category includes systems that aren’t in the CDE and aren’t connected to the CDE. To be in this category, a system must meet the following criteria:
  • The system component doesn’t handle card data
  • It isn’t on the same network as systems that handle card data
  • It isn’t connected to any system in the CDE
  • It doesn’t meet any criteria to be in the connected-to category
Only if the system component meets all these requirements will it be considered out of scope. The problem many businesses have is determining whether something is out of scope.

When scoping an environment, you should begin by considering all systems as in-scope until you can verify that enough segmentation controls are in place to remove the system from scope.

Segmentation validation tests (PCI DSS Requirement 11.3.4) can help determine if a device or network segment can be considered out of scope. This test will determine if the device or network segment has any connectivity to the CDE.

You should also determine what connectivity the device has to any connected-to system and if the device could use a connected-to system to gain access to the CDE. If a system has no better attack vector to the CDE than a system on the public internet, it can safely be determined as out of scope.
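The decision order described above (treat everything as in scope, then demote only what testing supports) can be written as a small classifier. This is an added example, not part of the original post or the PCI SSC guidance; the `System` fields, the `verified_no_pivot` argument, and the inventory are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class System:
    name: str
    segment: str
    handles_chd: bool = False  # stores, processes, or transmits cardholder data
    serves_cde: bool = False   # security services to, or config impact on, the CDE

def classify(systems, flows, verified_no_pivot=()):
    """Map each system name to a scope category. flows and verified_no_pivot
    hold (a, b) name pairs; a pair is a path in either direction."""
    links = {frozenset(p) for p in flows}
    blocked = {frozenset(p) for p in verified_no_pivot}
    cde_segments = {s.segment for s in systems if s.handles_chd}
    in_scope = {s.name for s in systems if s.segment in cde_segments}
    # Direct criteria: serves the CDE, or has a path to a CDE system.
    connected = {s.name for s in systems if s.name not in in_scope and (
        s.serves_cde or any(frozenset((s.name, c)) in links for c in in_scope))}
    # Indirect paths: a link to a connected-to system keeps a system in scope
    # until testing has verified the link cannot be used to reach the CDE.
    changed = True
    while changed:
        changed = False
        for s in systems:
            if s.name in in_scope or s.name in connected:
                continue
            usable = (links - blocked) & {frozenset((s.name, c)) for c in connected}
            if usable:
                connected.add(s.name)
                changed = True
    return {s.name: "in-scope" if s.name in in_scope else
            "connected-to" if s.name in connected else "out-of-scope"
            for s in systems}

# Constructed inventory and allowed flows (not from the original post).
INVENTORY = [
    System("pos-01", "store-pos", handles_chd=True),
    System("pos-printer", "store-pos"),            # same segment as pos-01
    System("patch-srv", "mgmt", serves_cde=True),
    System("log-srv", "mgmt"),
    System("helpdesk-pc", "corp"), System("hr-laptop", "corp"),
    System("guest-ap", "guest"),
]
FLOWS = [("log-srv", "pos-01"), ("helpdesk-pc", "patch-srv"), ("hr-laptop", "log-srv")]
NO_PIVOT = [("hr-laptop", "log-srv")]  # verified by segmentation testing
if __name__ == "__main__":
    for name, category in classify(INVENTORY, FLOWS, NO_PIVOT).items():
        print(f"{name:12} {category}")
```

Without the `NO_PIVOT` entry, `hr-laptop` stays in the connected-to category, which matches the advice to keep a system in scope until segmentation has been verified.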

Note: Out-of-scope systems could still pose a risk to the organization and possibly the CDE if they’re not secured. It’s recommended that security best practices be implemented for all out-of-scope systems/networks.

Sample systems considered out-of-scope:
  • The public Internet
  • Systems with no connectivity to the CDE or to connected-to systems
  • Systems that connect to systems in the connected-to category, but cannot gain access to the CDE using this connection.

Additional tips

Here are some additional ways to scope your business.
  • Make a card flow diagram: This helps you keep track of and identify where your card data flows in and out of your environment, and what systems are affected by the flow of data
  • Create and maintain policies: Have policies in place for handling card data, securely transmitting data, and keeping the CDE separate from the rest of your business. Defined policies and procedures will give employees direction on how to maintain a compliant environment throughout the year
  • Re-scope your environment annually: Perform and document a scoping exercise annually. Changes to the environment or the threat landscape during the year may affect the scope of the environment. This process should be conducted at least annually to ensure all systems that can affect the security of cardholder data are addressed appropriately
  • Remember the people: While this post focuses on what systems should be included in your PCI scope, remember that the CDE consists of systems, processes, and people. Determine who is involved in receiving and processing cardholder data, and who is involved in securing the technology in the CDE
The PCI Council’s release of the Information Supplement on scoping and network segmentation did not change existing PCI DSS requirements, but it has provided clarification on what systems these requirements must be applied to.

Determining what systems directly or indirectly affect the security of cardholder data in the environment will help you know where PCI DSS controls must be in place.

Most data compromises could have been avoided by applying basic security controls on appropriate systems. The security controls outlined in the PCI DSS can help reduce the risk of compromise only if they are applied to all systems that can affect the security of the data.

A proper scoping exercise is key to protecting your customers’ data.

Michael Simpson (QSA, CISSP, CCNP) is a Principal Security Analyst at SecurityMetrics and has been in the IT Security industry for 15 years. He has a Bachelor of Science in Computer Science and a Masters in Business Administration.