PCI Scoping Categories

Fri 21st Jul 2017
PCI Scoping Categories

In scope systems
This is in relation to all systems and networks that are directly connected to your card data environment. To be part of the (PCI strategy) category system, components will store, process and transmit cardholder data or the system is on the same network that deals with cardholder data. Some examples of these systems include POS devices, servers containing card data, networks transmitting data and firewalls segmenting the cardholder data environment.

Connected to scope environment
This relates to all systems that are either directly or indirectly connected to your card data environment, these systems can affect the security of your card data environment and controls must be put in place to reduce the risk of a security breach through any of these systems. Some systems include those that impact the configuration, provide security services and have a communication path to the CDE.

Out of scope systems
This includes systems that aren’t in or connected to the CDE, to be in this category the system component doesn’t handle data, isn’t on the same network as those that process data, isn’t connected to any system in the CDE. To be considered out of scope your systems will need to meet all the requirements above, you must consider every system in scope until you can ensure that segmentation controls are in place to separate it from the card data environment. You can use segmentation validation tests to help determine if a network or device segment can be out of scope in order to see if it connected to the CDE.