What’s In Scope for PCI?

Posted: June 22, 2017

Common issues we see with scoping PCI assessments

As a QSA, I am commonly asked what is in scope for a PCI assessment. One would think this would be an easy question to answer. The obvious answer is that all systems that store, process or transmit cardholder data are in scope. The rest of the answer becomes more obscure and difficult for organizations to understand.

Scope is determined by the systems in place that must be reviewed for validation. Any system that can connect to an “in scope” system is by default in scope for a PCI assessment. There are some caveats to this response, but they require a lot more explanation.
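The two rules stated above (systems that store, process or transmit cardholder data are in scope; systems that can connect to them are in scope too) can be applied mechanically to an inventory and a firewall rule set. The script below is an added example, not part of the original post or of CompliancePoint's tooling. The host inventory and the permitted flows are constructed for illustration, and the function only takes the connectivity rule one hop out from the cardholder data environment (CDE); whether connectivity to a connected-to system also pulls a host into scope is one of the caveats the post defers.

```python
"""Minimal PCI scoping classifier (added example, not from the post).

Assumptions (all constructed for illustration):
  - HOSTS maps a hostname to whether it stores, processes or transmits
    cardholder data (CHD).
  - FLOWS lists (source, destination) pairs of permitted network
    connections, as you might extract them from firewall rules.
Rules applied, as stated in the post:
  1. Any system that stores, processes or transmits CHD is in scope (CDE).
  2. Any system that can connect to a CDE system is in scope (connected-to).
"""
from collections import defaultdict

# Constructed sample inventory: chd=True means the host stores, processes
# or transmits cardholder data.
HOSTS = {
    "pos-terminal-01": {"chd": True},
    "payment-app": {"chd": True},
    "card-db": {"chd": True},
    "jump-host": {"chd": False},
    "monitoring": {"chd": False},
    "hr-fileserver": {"chd": False},
    "guest-wifi-ap": {"chd": False},
}

# Constructed sample of permitted flows (source -> destination).
FLOWS = [
    ("pos-terminal-01", "payment-app"),
    ("payment-app", "card-db"),
    ("jump-host", "card-db"),
    ("monitoring", "payment-app"),
    ("hr-fileserver", "monitoring"),
    ("guest-wifi-ap", "hr-fileserver"),
]


def _reachability(hosts, flows):
    """Build src -> {dst} from the flow list, rejecting unknown hosts so a
    typo in a firewall export cannot silently drop a system from review."""
    can_reach = defaultdict(set)
    for src, dst in flows:
        if src not in hosts or dst not in hosts:
            raise ValueError(f"flow references unknown host: {src} -> {dst}")
        can_reach[src].add(dst)
    return can_reach


def classify_scope(hosts, flows):
    """Return the CDE, the connected-to systems and everything else.

    Rule 1: every host flagged chd is in the CDE.
    Rule 2: every other host with a permitted flow into the CDE is in scope
    as a connected-to system. Hosts that only reach connected-to systems
    are left out here (one hop only; see the lead-in caveat).
    """
    can_reach = _reachability(hosts, flows)
    cde = {h for h, attrs in hosts.items() if attrs.get("chd")}
    connected_to = {h for h in hosts if h not in cde and can_reach[h] & cde}
    out_of_scope = set(hosts) - cde - connected_to
    return {"cde": cde, "connected_to": connected_to, "out_of_scope": out_of_scope}


def justify_connected(hosts, flows):
    """For each connected-to host, list the CDE systems it can reach.

    This is the evidence an assessor wants alongside the scope list: not
    just that a host is in scope, but which CDE connection put it there.
    """
    can_reach = _reachability(hosts, flows)
    cde = classify_scope(hosts, flows)["cde"]
    return {h: can_reach[h] & cde for h in hosts
            if h not in cde and can_reach[h] & cde}


if __name__ == "__main__":
    result = classify_scope(HOSTS, FLOWS)
    for category in ("cde", "connected_to", "out_of_scope"):
        print(f"{category:13}: {sorted(result[category])}")
    for host, reasons in justify_connected(HOSTS, FLOWS).items():
        print(f"{host} is in scope because it can connect to {sorted(reasons)}")
```

In the constructed data, `hr-fileserver` can reach `monitoring` but not any CDE system, so it lands out of scope even though `monitoring` itself is in scope; if your assessor treats connected-to systems as a further starting point, the set grows, which is exactly why scoping decisions need to be documented rather than assumed.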

Determining what’s in scope and what’s out of scope for PCI should be taken seriously. Watch the short video below addressing what’s in scope for PCI and some of the common in-scope systems we come across.

If you have any questions regarding PCI compliance or any other compliance or data security issues, please feel free to reach out to us at connect@compliancepoint.com.

Author: Matt Crane

Matt Crane is a Security Consultant at CompliancePoint. Matt’s primary focus is on PCI-DSS compliance, NIST 800-53 assessment framework, NIST Cyber Security Framework, Minimum Acceptable Risks for State Exchange (MARS-E) auditing, and Physical Security. He is a Certified Information Systems Auditor (CISA), Qualified Security Assessor (QSA), Payment Card Industry Professional (PCIP), and Certified Federal IT Security Professional Auditor (FITSP-A). Matt also earned a B.B.A. in Information Security and Assurance from Kennesaw State University.
