A structured method for determining which system components in an organization’s computing environment are within the scope of assessment.
Successful PCI DSS compliance depends upon the correct identification of the scope of the assessment. An overly narrow scope can jeopardize cardholder data, while an overly broad scope can add unnecessary cost and effort to the PCI compliance program. Subjective interpretation of the PCI DSS guidance results in a wide variance in practice among both QSAs and Participating Organizations.
The Toolkit consists of definitions, three scoping categories, a decision tree and illustrative scoping scenarios. The Toolkit helps organizations and assessors determine correct scope of assessment, provides a common framework to discuss risks to cardholder data and facilitates discussion of controls, and is intended to be consistent with the spirit and intent of the PCI DSS.
About this Document
This document includes the following sections:
- Definitions – provides definitions of terms used in this document and within the PCI DSS, and describes the expansion or clarification of those terms proposed by the Toolkit.
- Categorization of System Components – defines the characteristics of system component categories defined by the Toolkit and lists the implications of each.
- Scoping Decision Tree – diagrams each step in the decision process and lists the criteria for each decision.
- Scoping Scenarios – provides illustrative examples of typical situations found in organizations’ environments and shows how each system component would be categorized using the scoping decision tree.
Use of the Toolkit provides the following benefits:
- Aids in determination of which system components are in and out of the scope of assessment.
- Facilitates communication between organizations and assessors by providing a common language to describe the computing environment and risks to cardholder data.
- Provides a framework to categorize and identify the different types of system components, each with a different risk profile associated with it.
- Provides a thought process to reduce the scope of assessment, by isolating and controlling access to the CDE, re-architecting the control environment or by implementing further controls.
Although addressing the people and processes around cardholder data is a necessary part of any PCI compliance program, the Toolkit focuses almost entirely on categorizing the system components that comprise an organization’s computing environment.
In addition, the Toolkit does not define what PCI DSS controls are required for each Toolkit category. Because every organization is different, it is up to each organization and its assessor to determine the nature, extent and effectiveness of each control to adequately mitigate the risks to cardholder data.
- Dorian Cougias, Unified Compliance Framework
- Phil Cox, RightScale
- Gene Kim, IT Revolution Press
- Ruth Xovox, ExoIS
We want to acknowledge the hard work of the forty-seven other practitioners who have contributed to this work since March 2009. We eagerly look forward to the time when all of these individuals can be publicly recognized for their contribution to this work.
For more information, please email: