We're having trouble with PCI scope of compliance. There's some debate in our organization over whether the Qualified...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
Security Assessor (QSA) needs to examine applications and network segments that we consider out-of-scope. Is it typical for the QSA to simply examine and validate our documentation, or is a thorough examination of out-of-scope assets common?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
When performing an independent assessment, a PCI DSS QSA must follow appropriate audit procedures to verify that an organization is PCI DSS-compliant. One of the first things this involves is determining the correct scope of a PCI DSS compliance program.
- Document all locations of cardholder data in the organization's environment and verify that no cardholder data is present outside of that environment.
- Review that documentation to confirm the scope of PCI DSS compliance. This is often in the form of a network/data flow diagram or a listing of all systems that store, process or transmit cardholder data.
- Include any cardholder data discovered outside the environment within scope unless the organization either deletes the data or moves it into the cardholder data environment.
- Ensure the organization retains documentation of how it confirmed the scope for review by assessors.
What does this mean to you? You should expect your QSA to review the decisions you've made about scoping your compliance effort. This may involve, at his or her discretion, an examination of systems outside of your PCI DSS environment to confirm that they are out-of-scope. They should not, however, perform additional security tests on systems that have been confirmed to be out-of-scope.
Dig Deeper on PCI Data Security Standard
Related Q&A from Mike Chapple
The PCI SSC extended the deadline for organizations to update TLS encryption standards before announcing PCI DSS 3.2. Expert Mike Chapple examines ...continue reading
Biometric security systems come with many advantages, but do they also come with many regulations? Expert Mike Chapple discusses biometric ...continue reading
A recent FTC lawsuit against Wyndham Hotels highlighted concerns for enterprises that have suffered a data breach. Expert Mike Chapple discusses the ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.