
Open PCI Scoping Toolkit

By Gene Kim, Ruth Xovox, Philip Cox, Dorian J. Cougias

A Structured Method for Determining Which System Components in an Organization’s Computing Environment Are Within the Scope of Assessment

The Toolkit consists of definitions, three scoping categories, a decision tree and illustrative scoping scenarios. The Toolkit helps organizations and assessors determine correct scope of assessment, provides a common framework to discuss risks to cardholder data and facilitates discussion of controls, and is intended to be consistent with the spirit and intent of the PCI DSS.

  • Definitions: Provides definitions of terms used in this document and within the PCI DSS, and describes the expansion or clarification of those terms proposed by the Toolkit.
  • Categorization of System Components: Defines the characteristics of system component categories defined by the Toolkit and lists the implications of each.
  • Scoping Decision Tree: Diagrams each step in the decision process and lists the criteria for each decision.
  • Scoping Scenarios: Provides illustrative examples of typical situations found in organizations’ environments and shows how each system component would be categorized using the scoping decision tree.

Features

  • Determination

    Aids in determination of which system components are in and out of the scope of assessment.

  • Common Language

    Facilitates communication between organizations and assessors by providing a common language to describe the computing environment and risks to cardholder data.

  • Framework

    Provides a framework to categorize and identify the different types of system components, each with a different risk profile associated with it.

  • Reduction of Scope

    Provides a thought process to reduce the scope of assessment, by isolating and controlling access to the CDE, re-architecting the control environment or by implementing further controls.

About the Resource

Successful PCI DSS compliance depends upon the correct identification of the scope of the assessment. An overly narrow scope can jeopardize cardholder data, while an overly broad scope can add unnecessary cost and effort to the PCI compliance program. Subjective interpretation of the PCI DSS guidance results in a wide variance in practice among both QSAs and Participating Organizations.

This document includes the following sections:

Definitions – provides definitions of terms used in this document and within the PCI DSS, and describes the expansion or clarification of those terms proposed by the Toolkit.

Categorization of System Components – defines the characteristics of system component categories defined by the Toolkit and lists the implications of each.

Scoping Decision Tree – diagrams each step in the decision process and lists the criteria for each decision.

Scoping Scenarios – provides illustrative examples of typical situations found in organizations’ environments and shows how each system component would be categorized using the scoping decision tree.

Although addressing the people and processes around cardholder data is a necessary part of any PCI compliance program, the Toolkit focuses almost entirely on categorizing the system components that comprise an organization’s computing environment.

In addition, the Toolkit does not define what PCI DSS controls are required for each Toolkit category. Because every organization is different, it is up to each organization and its assessor to determine the nature, extent and effectiveness of each control to adequately mitigate the risks to cardholder data.

We want to acknowledge the hard work of the forty-seven other practitioners who have contributed to this work since March 2009. We eagerly look forward to the time when all of these individuals can be publicly recognized for their contribution to this work.

Gene Kim
Ruth Xovox
Philip Cox
Dorian J. Cougias
Gene Kim

Gene Kim is a best-selling author whose books have sold over 1 million copies. He authored the widely acclaimed book "The Unicorn Project," which became a Wall Street Journal bestseller. Additionally, he co-authored several other influential works, including "The Phoenix Project," "The DevOps Handbook," and the award-winning "Accelerate," which received the prestigious Shingo Publication Award. His latest book, “Wiring the Winning Organization,” co-authored with Dr. Steven Spear, was released in November 2023.

Ruth Xovox

Strong leadership, excellent communication skills, attention to detail, and a thorough knowledge of current global security and privacy regulations.

Philip Cox

Information technology and security leader with extensive experience in all facets of information systems design, integration and security.

Dorian J. Cougias

Dorian J. Cougias is the Lead Analyst of the Unified Compliance Framework (UCF) and co-founder of Network Frontiers (dba Unified Compliance), a company focusing on the science of compliance, including harmonization methods, metrics, systems continuity, and governance.
