Dec 07 2010
Scoping is one of the most subjective parts of doing a PCI assessment. What I consider to be a ‘connected system’ and what someone else considers to be the same can sometimes be substantially different. The PCI Council has done a decent job of defining systems that “store, process or transmit” credit card data. At least a good enough job that most QSAs can agree in most instances what’s in scope and what’s not. Whether they’ve done a good enough job that people who aren’t up to their elbows in PCI on a daily basis can understand scoping is a different question altogether.
Well, Jeff Lowder has a short article on this that may be helpful (or at least give you an idea what your QSA is thinking), “How to define ‘connected systems’ in the PCI Cardholder Data Environment”. One of the problems with scoping is that it’s changed gradually since the inception of PCI, and rumor has it that there will be major changes from the Scoping Special Interest Group early next year. Jeff’s article is good in that he’s pointing out all of the connected systems you may have on your network which are currently being examined, but only for their supporting role. In other words, your QSA may be checking out your AV server to verify updates, but it’s unlikely that he’s checking it out to the same depth that he’s checking your SQL database. That has a good chance of changing with the updates to scoping guidance, which may require the same level of scrutiny for both systems. Think of your credit card data as an infectious agent that draws any system it touches into the scope of the assessment, and you won’t be too far off target.