Determining which system components fall under PCI compliance can often be problematic for many companies. Here’s a brief overview of how to overcome this challenge, by my colleague Nima Dezhkam, principal consultant at Security Compass:
When it comes to PCI DSS (Payment Card Industry Data Security Standards) compliance assessments, scoping tends to become a major challenge. We normally break down the problem of scoping into two parts:
- What system components are in scope for PCI DSS
- Which PCI DSS requirements apply to the system components
One aspect of scoping involves determining which system components are included in, or connected to, the Cardholder Data Environment (CDE). The CDE normally includes any network component, server, or application that transmits, stores, or processes cardholder data.
The other aspect of scoping focuses on which PCI DSS requirements apply to the system components identified in the CDE.
The following rule helps with identifying the scope:
PCI DSS applies wherever Account Data is stored, processed or transmitted. Account Data consists of Cardholder Data plus Sensitive Authentication Data, as listed below:
Cardholder Data
- Primary Account Number (PAN)
- Cardholder Name
- Expiration Date
- Service Code
Sensitive Authentication Data
- Full magnetic stripe data or equivalent on a chip
- CAV2 / CVC2 / CVV2 / CID
- PINs / PIN blocks
It is important to note that the defining factor in the applicability of PCI DSS requirements is the Primary Account Number (PAN), also commonly known as the credit card number. If the PAN is stored, processed, or transmitted, then all PCI DSS requirements apply.
On the other hand, if PAN is not stored, processed, or transmitted anywhere in the environment, then no PCI DSS requirements apply.
Moreover, if cardholder name, service code, and/or expiration date are stored, processed, or transmitted with the PAN, or are otherwise present in the cardholder data environment, they must be protected in accordance with all PCI DSS requirements except Requirements 3.3 and 3.4, which apply only to the PAN. These two requirements cover masking the PAN and rendering it unreadable through hashing or encryption.
Finally, it is also important to note that, as a general rule, none of the Sensitive Authentication Data may be stored in the environment at any time.
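To make the scoping rule concrete, here is an added example (not from the original post) that applies it to a constructed inventory of system components; the component names, data-element labels and the `connected_to_cde` flag are assumptions, and the output is only a starting point for an assessment:

```python
from dataclasses import dataclass, field

# Account Data = Cardholder Data + Sensitive Authentication Data (labels are assumptions)
CHD = {"PAN", "CARDHOLDER_NAME", "EXPIRATION_DATE", "SERVICE_CODE"}
SAD = {"FULL_TRACK_DATA", "CVV2", "PIN_BLOCK"}  # stripe/chip data, CAV2/CVC2/CVV2/CID, PINs

@dataclass
class Component:
    name: str
    stored: set = field(default_factory=set)
    processed: set = field(default_factory=set)
    transmitted: set = field(default_factory=set)
    connected_to_cde: bool = False  # network-connected to a CDE component

    def handles(self) -> set:
        """Account Data elements this component stores, processes or transmits."""
        return (self.stored | self.processed | self.transmitted) & (CHD | SAD)

def scope_environment(components):
    """Map component name -> (in_scope, applicable requirements, findings)."""
    # The defining factor is the PAN: with no PAN anywhere, nothing is in scope.
    if not any("PAN" in c.handles() for c in components):
        return {c.name: (False, "none", []) for c in components}
    result = {}
    for c in components:
        findings = []
        if c.stored & SAD:  # SAD must never be stored, even inside the CDE
            findings.append("stores SAD: " + ", ".join(sorted(c.stored & SAD)))
        handled = c.handles()
        if "PAN" in handled:
            result[c.name] = (True, "all", findings)
        elif handled or c.connected_to_cde:
            # other Account Data in the CDE, or a connected system: in scope, but 3.3/3.4 are PAN-only
            result[c.name] = (True, "all except 3.3 and 3.4", findings)
        else:
            result[c.name] = (False, "none", findings)
    return result

# Constructed sample inventory (not a real environment)
SAMPLE_INVENTORY = [
    Component("payment-gateway", transmitted={"PAN", "EXPIRATION_DATE", "CVV2"}),
    Component("pos-terminal", stored={"PAN", "FULL_TRACK_DATA"}),
    Component("order-db", stored={"CARDHOLDER_NAME", "EXPIRATION_DATE"}),
    Component("admin-jump-host", connected_to_cde=True),
    Component("marketing-cms"),
]

if __name__ == "__main__":
    for name, (in_scope, reqs, findings) in scope_environment(SAMPLE_INVENTORY).items():
        print(f"{name:18} in_scope={in_scope!s:5} requirements={reqs!r} {findings}")
```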
Cross-posted from the Security Compass Labs blog.