Posted: June 22, 2017
As a QSA, I am commonly asked what is in scope for a PCI assessment. One would think this would be an easy question to answer. The obvious answer is that all systems that store, process or transmit cardholder data are in scope. The rest of the answer becomes more obscure and difficult for organizations to understand.
Scope is determined by the systems in place that must be reviewed for validation. Any system that can connect to an “in scope” system is by default in scope for a PCI assessment. There are some caveats to this response, but they require a lot more explanation.
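To make the rule above concrete, here is an added example (not part of the original post) that applies it to a constructed system inventory: systems that handle cardholder data form the CDE, and the “can connect to” rule is applied repeatedly until no new system is added. It assumes connectivity in either direction counts, and that a path blocked by segmentation is simply absent from the inventory.

```python
from collections import deque

# Constructed example inventory (not from the post): True means the system
# stores, processes or transmits cardholder data (CHD).
SYSTEMS = {
    "pos-terminal": True,
    "payment-gw": True,
    "card-db": True,
    "log-collector": False,
    "jump-host": False,
    "ad-server": False,
    "hr-system": False,
    "marketing-site": False,
    "guest-wifi": False,
}

# Constructed list of permitted network paths between inventoried systems.
# A path blocked by a firewall or other segmentation control is not listed,
# which is exactly what keeps a system out of scope.
CONNECTIONS = [
    ("pos-terminal", "payment-gw"),
    ("payment-gw", "card-db"),
    ("payment-gw", "log-collector"),  # CDE sends logs out to the collector
    ("jump-host", "card-db"),         # admins reach the database via the jump host
    ("ad-server", "jump-host"),       # jump host authenticates against AD
    ("hr-system", "marketing-site"),  # segmented from the CDE entirely
]


def classify_scope(systems, connections):
    """Return {system: 'cde' | 'connected' | 'out_of_scope'}.

    'cde' systems handle CHD directly. 'connected' systems are reachable from
    the CDE over a permitted path (assumed here to count in either direction),
    found by re-applying the rule until nothing new is added. The rest are
    out of scope. Every system named in connections must be in the inventory.
    """
    neighbours = {name: set() for name in systems}
    for a, b in connections:
        neighbours[a].add(b)
        neighbours[b].add(a)

    scope = {name: ("cde" if chd else "out_of_scope") for name, chd in systems.items()}
    queue = deque(name for name, chd in systems.items() if chd)
    while queue:
        current = queue.popleft()
        for peer in neighbours[current]:
            if scope[peer] == "out_of_scope":
                scope[peer] = "connected"
                queue.append(peer)
    return scope


if __name__ == "__main__":
    for name, category in sorted(classify_scope(SYSTEMS, CONNECTIONS).items()):
        print(f"{name:15} {category}")
```

Running it shows the log collector, jump host and directory server pulled into scope purely through connectivity, while the HR and marketing systems stay out only because no permitted path reaches the CDE.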
Determining what’s in scope and what’s out of scope for PCI should be taken seriously. Watch the short video below addressing what’s in scope for PCI and some of the common in-scope systems we come across.
Matt Crane is a Security Consultant at CompliancePoint. Matt’s primary focus is on PCI-DSS compliance, NIST 800-53 assessment framework, NIST Cyber Security Framework, Minimum Acceptable Risks for State Exchange (MARS-E) auditing, and Physical Security. He is a Certified Information Systems Auditor (CISA), Qualified Security Assessor (QSA), Payment Card Industry Professional (PCIP), and Certified Federal IT Security Professional Auditor (FITSP-A). Matt also earned a B.B.A. in Information Security and Assurance from Kennesaw State University.