If you start your next Report on Compliance or Self-Assessment without an accurate PCI scope, you’ll
- waste time
- go over budget
- end up with remediation work that you didn’t plan for
- and likely feel stressed to the max
At the beginning of any PCI assessment it’s critical that you start with scope.
An accurate scope makes for a smoother and easier Report on Compliance or Self-Assessment. Understanding and knowing your scope is vital to creating, building, and maintaining a continuous PCI DSS Compliance program.
If you don’t have a firm grasp on what’s in scope for assessment, being able to complete a self-assessment or, if you’re a level 1 merchant, a mandatory Report on Compliance is next to impossible.
In fact, if you’re not already managing your scope for PCI DSS v3.2.1, you’ll be in for a rude awakening with the requirements in PCI DSS v4.0 that need to be in place by March 31, 2024.
What are the new requirements that are both implicitly and explicitly tied to managing your PCI DSS Scope?
These PCI DSS requirements state the following:
These sub-requirements are implicitly tied to an accurate PCI scope. Remember, PEOPLE are in scope for a PCI DSS assessment, and if you’re not tracking your people, how do you know whom to interview? With whom do you escalate logging issues?
PCI DSS v4.0 Requirement 12.5.2
This explicitly states that organizations must document and confirm their scope.