If you ask 100 people, “what’s in scope for PCI DSS?”

You’ll get 100 different answers.

The best answer is from the authoritative source:

Per PCI DSS v4.0.1 – Definition of Scope:

PCI DSS requirements apply to:

  • The cardholder data environment (CDE), which is comprised of:
      ◦ System components, people, and processes that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD), and
      ◦ System components that may not store, process, or transmit CHD/SAD but have unrestricted connectivity to system components that store, process, or transmit CHD/SAD.

AND

  • System components, people, and processes that could impact the security of cardholder data and/or sensitive authentication data.

PCI DSS Scope Assessments

As you may have heard, maintaining an accurate scope for your PCI DSS assessment is now required (see PCI DSS Requirements 12.5.1 and 12.5.2, Requirements 1.2.3 and 1.2.4, the requirements that call for an inventory, and all the x.1.2 requirements for roles and responsibilities).

Your scope doesn’t have to be a nightmare.

We’ll help you get a grip on what’s in scope so you don’t lose your mind.

At Payment Card Assessments, we follow our easy six-step process to identify and document your scope. Depending on the size and complexity of your cardholder data environment, our Scope Assessments take 4 to 6 weeks.

PCI DSS Gap Assessments

If you’re new to PCI DSS or about to become a Level 1 merchant, a gap assessment is critical to understanding where you are in your PCI Compliance Program and where you need to be.

We work closely with you to help you understand the PCI DSS Requirements, the evidence required to prove the requirements are in place, and we provide remediation recommendations based on industry best practices.

Gap Assessments vary depending upon your merchant level and the complexity of your cardholder data environment.

Our premium gap assessment is a Mock RoC (Report on Compliance) that will get you RoC ready before your QSA comes through the door.

Why Choose Us

We’re a small consulting firm and our only focus is PCI DSS Compliance. That’s it. That’s all we do.

Our CEO, Peggy Nolan, and CTO, Lisa Cressey, have a combined 25+ years of experience in PCI DSS Compliance.

Together, Peggy and Lisa ran the PCI Compliance Program at a Level 1 Merchant and Fortune 100 Company for a little over a decade.

Peggy is a former PCI-ISA (Internal Security Assessor) and current CISA and PCI Professional. She has over 25 years of experience as a senior IT/Cybersecurity project manager. Peggy also speaks regularly at PCI Community Meetings and ISACA conferences.

Lisa is a former auditor, compliance program manager, IT/Cybersecurity professional, automation queen and CISM. (Ask us how we can help you automate your PCI Compliance Program. Trust us, it will save your sanity and your budget!)

Let’s Get Started Today