If you start your next Report on Compliance or Self-Assessment without an accurate PCI scope, you’ll
- waste time
- go over budget
- end up with remediation work than you didn’t plan for
- and likely feel stressed to the max
At the beginning of any PCI assessment it’s critical that you start with scope.
Why?
An accurate scope makes for a smoother and easier Report on Compliance or Self-Assessment. Understanding and knowing your scope is vital to creating, building, and maintaining a continuous PCI DSS Compliance program.
If you don’t have a firm grasp on what’s in scope for assessment, being able to complete a self-assessment or, if you’re a level 1 merchant, a mandatory Report on Compliance is next to impossible.
In fact, if you’re not already managing your scope for PCI DSS v3.2.1, you’ll be in for a rude awakening with the requirements in PCI DSS v4.0 that need to be in place by March 31, 2024.
What are the new requirements that are both implicitly and explicitly tied to managing your PCI DSS Scope?
- 1.1.2
- 2.1.2
- 3.1.2
- 4.1.2
- 5.1.2
- 6.1.2
- 7.1.2
- 8.1.2
- 9.1.2
- 10.1.2
- 11.1.2
These PCI DSS requirements state the following:
"Roles and responsibilities for performing activities in [said requirement area] are documented, assigned, and understood."
These sub-requirements are implicit to an accurate PCI scope. Remember, PEOPLE are in scope for PCI DSS assessment and if you’re not tracking your people, how do you know who to interview? With whom do you escalate loggings issues?
PCI DSS v4.0 Requirement 12.5.2
Req 12.5.2: "PCI DSS scope is documented and confirmed at least once every 12 months."
This explicitly states that organizations must document and confirm their scope.
