Sighting in Your PCI Scope

PCI DSS 4.0 is here and requirement 12.5 is hitting like a truck. In 3.2.1, all scoping conversations were had between assessor and entity, and scope was derived in a natural, assessor-led conversation. In 4.0, 12.5 states that entities are responsible for determining their scope and the assessor is responsible for validating that scope. PCI DSS is concerned with how you store, process, and transmit cardholder data (CHD). With that in mind, what have you done to identify the scope for your upcoming audit? Here are some simple steps to get you started looking at your infrastructure.

1. Cardholder Acceptance Vectors (Where You Take Payments) – Most organizations take payments through one of 3 main categories:

a. Payment Terminals, PIN Pads, or Kiosks

b. Websites or Mobile Apps

c. Phone-based Payments

Most payments will be made through one of these vectors. Knowing your organization and how you take money is key to understanding your acceptance vectors, which is the first step to understanding your scope for PCI. Time to have that talk with your accounting and finance person and make sure you don’t miss anything.

2. Networking – Once you have your CAVs figured out, you can begin to look at your network configuration. Every logical area where a device or system takes payment card data is “in-scope.” So, unless your network has specific rules preventing movement from one area of your network to another, your network is “flat” and everything is “in-scope.” This doesn’t mean that you are not in compliance with PCI DSS; it just means that an assessor would have to look at everything on your network as if it all interacted with cardholder data.

a. Segmentation – Segmenting your network, preventing one network or VLAN from talking to another, is a way to reduce the scope of your PCI DSS audit. By segmenting your traffic, you can eliminate whole departments, even entire locations, from being in-scope. Note that simply tagging VLANs is not a valid means of segmentation.

3. Security Impacting Systems – These are systems that might not be “in-scope” in that they don’t process, store, or transmit CHD, but they are critical in that they can affect its security. For example, antivirus management systems, configuration management systems, and change management systems all affect the security of cardholder data. If one of these types of systems were compromised, an attacker would likely have a good foothold for gaining access to your CHD.
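The scoping logic in items 2 and 3 can be turned into a repeatable check against your inventory. The following is an added example, not code from the original post: it assumes a constructed inventory of network zones and a constructed first-match firewall policy, then classifies each zone as CDE, in-scope (connected-to or security-impacting), or out-of-scope. With no rules at all the network is flat and nothing ends up out-of-scope; adding an explicit deny-all is what makes the segmentation count.

```python
from dataclasses import dataclass

@dataclass
class Zone:
    name: str
    handles_chd: bool = False         # stores, processes or transmits CHD
    security_impacting: bool = False  # e.g. AV or config management (item 3)

@dataclass
class Rule:
    src: str     # zone name or "any"
    dst: str
    action: str  # "allow" or "deny"

def allowed(src, dst, rules):
    # First matching rule wins. With no rules at all nothing is blocked:
    # that is the "flat network" case, where everything becomes in-scope.
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any"):
            return r.action == "allow"
    return True

def compute_scope(zones, rules):
    # Returns {zone name: scope category}. A zone is "connected-to" (and so
    # in-scope) if any permitted flow exists to or from a CDE zone.
    cde = {z.name for z in zones if z.handles_chd}
    scope = {}
    for z in zones:
        if z.handles_chd:
            scope[z.name] = "CDE"
        elif z.security_impacting:
            scope[z.name] = "in-scope (security-impacting)"
        elif any(allowed(z.name, c, rules) or allowed(c, z.name, rules) for c in cde):
            scope[z.name] = "in-scope (connected-to)"
        else:
            scope[z.name] = "out-of-scope"
    return scope

# Constructed sample inventory and firewall policy (not a real environment).
ZONES = [Zone("POS-VLAN", handles_chd=True), Zone("Payment-Web", handles_chd=True),
         Zone("Corporate"), Zone("Guest-WiFi"), Zone("Warehouse"),
         Zone("AV-Management", security_impacting=True)]
FLAT_RULES = []  # no filtering between zones at all
SEGMENTED_RULES = [
    Rule("AV-Management", "any", "allow"),   # AV server must reach every zone
    Rule("Corporate", "POS-VLAN", "allow"),  # help desk manages the registers
    Rule("any", "any", "deny"),              # explicit deny-all makes it segmentation
]
```

Calling `compute_scope(ZONES, FLAT_RULES)` leaves every zone in-scope, while `compute_scope(ZONES, SEGMENTED_RULES)` drops Guest-WiFi and Warehouse out of scope but keeps Corporate in, because the help desk rule still connects it to the registers.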

Now that you’ve got your main pillars in place to find out your scope, there are a couple of parts of requirement 12.5 you should be aware of:

4. Keep an Inventory (12.5.1) – You will need to have an inventory of your in-scope systems and networks, and you can accomplish this in many ways: Excel, deployment management tools, network management tools, etc. Make sure that your inventory of systems is readily available when your assessment window comes around.

5. Check It Annually (12.5.2) – You will need to perform scoping of your network annually and document it. Any data-flow diagrams, segmentation, third-party connections, and more will be required during the audit.
