Skip to content

Open PCI Scoping Toolkit

By Gene Kim, Ruth Xovox, Philip Cox, Dorian J. Cougias

A Structured Method for Determining Which System Components in an Organization’s Computing Environment Are Within the Scope of Assessment

The Toolkit consists of definitions, three scoping categories, a decision tree and illustrative scoping scenarios. The Toolkit helps organizations and assessors determine correct scope of assessment, provides a common framework to discuss risks to cardholder data and facilitates discussion of controls, and is intended to be consistent with the spirit and intent of the PCI DSS.

  • Definitions Provides definitions of terms used in this document and within the PCI DSS, and describes the expansion or clarification of those terms proposed by the Toolkit.
  • Categorization of System Components Defines the characteristics of system component categories defined by the Toolkit and lists the implications of each.
  • Scoping Decision Tree Diagrams each step in the decision process and lists the criteria for each decision.
  • Scoping Scenarios Provides illustrative examples of typical situations found in organizations’ environments and shows how each system component would be categorized using the scoping decision tree.

Features

  • Determination

    Aids in determination of which system components are in and out of the scope of assessment.

  • Common Language

    Facilitates communication between organizations and assessors by providing a common language to describe the computing environment and risks to cardholder data.

  • Framework

    Provides a framework to categorize and identify the different types of system components, each with a different risk profile associated with it.

  • Reduction of Scope

    Provides a thought process to reduce the scope of assessment, by isolating and controlling access to the CDE, re-architecting the control environment or by implementing further controls.

About the Resource

Successful PCI DSS compliance depends upon the correct identification of the scope of the assessment. An overly narrow scope can jeopardize cardholder data, while an overly broad scope can add unnecessary cost and effort to the PCI compliance program. Subjective interpretation of the PCI DSS guidance results in a wide variance in practice among both QSAs and Participating Organizations.

The Toolkit consists of definitions, three scoping categories, a decision tree and illustrative scoping scenarios. The Toolkit helps organizations and assessors determine correct scope of assessment, provides a common framework to discuss risks to cardholder data and facilitates discussion of controls, and is intended to be consistent with the spirit and intent of the PCI DSS.

This document includes the following sections:

Definitions – provides definitions of terms used in this document and within the PCI DSS, and describes the expansion or clarification of those terms proposed by the Toolkit.

Categorization of System Components – defines the characteristics of system component categories defined by the Toolkit and lists the implications of each.

Scoping Decision Tree – diagrams each step in the decision process and lists the criteria for each decision.

Scoping Scenarios – provides illustrative examples of typical situations found in organizations’ environments and shows how each system component would be categorized using the scoping decision tree.

Although addressing the people and processes around cardholder data is a necessary part of any PCI compliance program, the Toolkit focuses almost entirely on categorizing the system components that comprise an organization’s computing environment.

In addition, the Toolkit does not define what PCI DSS controls are required for each Toolkit category. Because every organization is different, it is up to each organization and its assessor to determine the nature, extent and effectiveness of each control to adequately mitigate the risks to cardholder data.

We want to acknowledge the hard work of the forty-seven other practitioners who have contributed to this work since March 2009. We eagerly look forward to the time when all of these individuals can be publicly recognized for their contribution to this work.

Gene Kim
Ruth Xovox
Philip Cox
Dorian J. Cougias
Gene Kim

Gene Kim

Gene Kim has been studying high-performing technology organizations since 1999. He was the founder and CTO of Tripwire, Inc., an enterprise security software company, where he served for 13 years. His books have sold over 1 million copies—he is the WSJ bestselling author of Wiring the Winning Organization, The Unicorn Project, and co-author of The Phoenix Project, The DevOps Handbook, and the Shingo Publication Award-winning Accelerate. Since 2014, he has been the organizer of DevOps Enterprise Summit (now Enterprise Technology Leadership Summit), studying the technology transformations of large, complex organizations.

To Author Archive
Ruth Xovox

Ruth Xovox

Strong leadership, excellent communication skills, attention to detail, and a thorough knowledge of current global security and privacy regulations.

To Author Archive
Philip Cox

Philip Cox

Information technology and security leader with extensive experience in all facets of information systems design, integration and security.

To Author Archive
Dorian J. Cougias

Dorian J. Cougias

Dorian J. Cougias is the Lead Analyst of the Unified Compliance Framework (UCF) and co-founder of Network Frontiers (dba Unified Compliance), a company focusing on the science of compliance, including harmonization methods, metrics, systems continuity, and governance.

To Author Archive

Similar Resources