Should you scope your PCI assessment?
“Not only should you - it is your responsibility. The QSAs are not responsible for scoping your environment” explained Jeff.
More to the point, as Branden asks, “If you don’t scope, how do you know where non-PCI stops and PCI starts?”
The nuance, easy to overlook, is the distinction between scoping your environment and scoping (or de-scoping) for the assessment.
Jeff shared three basic steps to consider before engaging in the scoping process:
1. Understand what type of entity you are and the level. Are you a merchant or a service provider? Do you need to hire a QSA to perform the validation assessment?
2. Identify where cardholder data (CHD) is present in your environment (this is where visual diagrams of information transmitted, processed, and stored help - and such diagrams are required)
3. Once you understand how CHD flows through your network, you can determine if/how to isolate the CHD environment. This is what comes into play during the scoping.
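Step 2 (finding where CHD actually sits) is the one that is hardest to do from diagrams alone, because data tends to leak into logs, exports and backups that nobody drew. The following is an added example, not code from the article or from Jeff, Branden or Joan: a small CHD discovery script that scans text sources for candidate primary account numbers (PANs), keeps only those that pass the Luhn check, masks them, and reports which sources (and therefore which systems) contain CHD and so belong inside the scope boundary. The file paths and their contents are constructed sample data; the candidate regex, the 13-19 digit PAN length range and the first-6/last-4 masking are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. Length range is an assumption of this example.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits; never echo a full PAN into a report."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    source: str      # where the CHD was found (file path in this example)
    line_no: int     # 1-based line within that source
    masked_pan: str  # masked value, safe to put in a scoping report


def find_chd(sources: dict) -> list:
    """Scan {source_name: text} and return one Finding per Luhn-valid PAN."""
    findings = []
    for source, text in sources.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for match in PAN_CANDIDATE.finditer(line):
                digits = re.sub(r"[ -]", "", match.group(0))
                # The regex already bounds the length; Luhn weeds out most
                # order ids, tracking numbers and other long digit runs.
                if luhn_valid(digits):
                    findings.append(Finding(source, line_no, mask_pan(digits)))
    return findings


def systems_in_scope(findings: list) -> list:
    """Distinct sources holding CHD: the starting point for the scope boundary."""
    return sorted({f.source for f in findings})


# Constructed sample sources (hypothetical paths and contents, not real data).
# 4111 1111 1111 1111 and 5500000000000004 are standard test PANs that pass Luhn;
# 1234567890123456 is a 16-digit order id that does not.
SAMPLE_SOURCES = {
    "/var/log/shop/app.log": (
        "2024-01-15 10:22:31 INFO checkout ok card=4111 1111 1111 1111 expiry=12/28\n"
        "2024-01-15 10:22:40 INFO order=1234567890123456 shipped\n"
    ),
    "/srv/crm/export.csv": (
        "customer,phone,pan\n"
        "A. Smith,+1-555-123-4567,5500000000000004\n"
    ),
    "/var/log/corp/hr.log": (
        "2024-01-15 09:00:02 INFO badge=1234567890123456 entered building\n"
    ),
}

if __name__ == "__main__":
    results = find_chd(SAMPLE_SOURCES)
    for f in results:
        print(f"{f.source}:{f.line_no}: {f.masked_pan}")
    print("systems holding CHD:", systems_in_scope(systems := results) if False else systems_in_scope(results))
```

On the sample data the script flags the shop application log and the CRM export but not the HR log, which is exactly the kind of evidence that turns a hand-drawn data-flow diagram into a defensible scope: every source that comes back in `systems_in_scope` is either in the CHD environment or needs remediation (stop logging the PAN, truncate the export) before it can be argued out of scope. A regex-plus-Luhn scan still produces false positives and misses encrypted or tokenized values, so treat it as a check on the diagrams from step 2, not a replacement for them.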
As Joan explained in this article, it takes time and effort to segment your network(s) properly. In her experience, it’s entirely worth it. She adds, “I believe in, and vigorously maintain, a very high wall between production and corporate environments, and never the twain shall meet. This is critical in keeping our CHD safe. To keep something safe, you must know where it is, how much of it there is, who has access to it, and how it works.”
After answering these questions, consider your approach to scoping your environment.