What system is in scope for PCI DSS?

PCI DSS 3.2.1 PCI today 185 118 4

Background
share close

The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) is comprised of people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data

At a high level, scoping involves the identification of people, processes, and technologies that interact with or could otherwise impact the security of CHD.

Segmentation involves the implementation of additional controls to separate systems with different security needs.

For example, in order to reduce the number of systems in scope for PCI DSS, segmentation may be used to keep in-scope systems separated from out-of-scope systems.

The entity is responsible for ensuring that its scope is kept accurate on an ongoing basis.

At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of its PCI DSS scope by identifying all locations and flows of cardholder data, and identify all systems that are connected to or, if compromised, could impact the CDE (for example, authentication servers) to ensure they are included in PCI DSS scope.

An organization’s CDE is only the starting point to determine the overall PCI DSS scope.

Accurate PCI DSS scoping involves critically evaluating the CDE and CHD flows, as well as all connected-to and supporting system components, to determine the necessary coverage for PCI DSS requirements. Systems with connectivity or access to or from the CDE are considered “connected to” systems. These systems have a communication path to one or more system components in the CDE. Connectivity may occur over various technologies, including physical, wireless, and virtualized.

Physical connectivity may be via a traditional network (for example, Ethernet or power-line communication) or direct system-to-system connection (for example, USB, component, etc.).

Wireless connectivity uses different radio waves and frequencies as its transport mechanism (for example, wireless LANs, GPRS, Bluetooth, and cellular technologies). Wireless technologies are often connected to a physical network.


Virtualized connectivity includes use of virtual networks, virtual machines, virtual firewalls, virtual switches, etc. Virtual devices typically share common resources, such as an underlying host system and/or hypervisor, which could be used to connect one logical partition to another.


Implementation of these technologies can be very complex. It is therefore critical that someone who understands the technology in use evaluates the impact of these technologies on scope.


It is important to understand the risks and impacts if connected-to system components are excluded or overlooked from PCI DSS scope. Compromises of connected-to system components often lead to compromise of the CDE and theft of CHD.


The following scoping concepts always apply:

Systems located within the CDE are in scope, irrespective of their functionality or the reason why they are in the CDE.

Similarly, systems that connect to a system in the CDE are in scope, irrespective of their functionality or the reason they have connectivity to the CDE.

In a flat network, all systems are in scope if any single system stores, processes, or transmits account data.


Note that public, untrusted networks (for example, the Internet) are not in scope for PCI DSS. However, PCI DSS requirements must be implemented to protect the entity’s in-scope systems and data from untrusted networks.

PCI DSS Scoping Categories

Written by: PCI

Tagged as: , , , , .

Rate it
Previous post
EN