Demystifying the PCI Scope of Assessment
Correctly defining the PCI Scope of Assessment is probably the most difficult and important part of any PCI compliance program. An overly narrow scope can jeopardize cardholder data, while an overly broad scope can add immense and completely unnecessary cost and effort to PCI compliance programs.
Unfortunately, the PCI DSS guidance is prone to subjective interpretation, which has led to a high variance in practice among Qualified Security Assessors (QSAs) and Participating Organizations (e.g., merchants and cardholder data custodians).
The Open Scoping Framework Group is proud to announce the availability of the Open PCI Scoping Toolkit (“the Toolkit”). After nearly four years of hard work by over fifty of the best PCI practitioners in the industry, we are releasing the Toolkit under the Creative Commons license.
The Toolkit includes a set of principles, a structured thinking process and tools to generate defensible and consistent scoping conclusions, regardless of who is performing the PCI evaluation or assessment. In the absence of such a tool, or unambiguous guidance released by the PCI Security Standards Council, questionable scoping decisions will continue to be made.
In the future, we will expand upon the Toolkit and present its application to some of the toughest PCI scoping scenarios, along with our suggested scoping conclusions. These include hotel front desk networks that include POS systems and guest PCs, order entry systems running on thin clients in retail stores, virtualized servers processing cardholder data, and Active Directory systems providing authentication to systems processing cardholder data.
We expect that practitioners will use the Toolkit to make scoping decisions, with a level of consistency and precision that has eluded the community to date. We believe the Toolkit to be consistent with the spirit and intent of the PCI DSS.