What PCI Requirements Apply to Us: Tacking a Common PCI DSS Compliance Challenge

Wednesday, August 21, 2013

Rohit Sethi


Determining which system components fall under PCI compliance can often be problematic for many companies. Here’s a brief overview of how to overcome this challenge, by my colleague Nima Dezhkam, principal consultant at Security Compass:

When it comes to PCI DSS (Payment Card Industry Data Security Standards) compliance assessments, scoping tends to become a major challenge. We normally break down the problem of scoping into two parts:

  1. What system components are in scope for PCI DSS
  2. Which PCI DSS requirements apply to the system components

One aspect of the scoping involves determining which system components are included or connected to the Cardholder Data Environment (CDE). CDE normally includes any network component, server, or application that transmits, stores, or processed cardholder data.

Another aspect the scoping focuses on which PCI DSS requirements apply to the system components identified in the CDE.

The following rule helps with identifying the scope:

PCI DSS applies wherever Account Data is stored, processed or transmitted. Account Data consists of Cardholder Data plus Sensitive Authentication Data, as listed below:

  • Account Data
    • Cardholder Data
      • Primary Account Number (PAN)
      • Cardholder Name
      • Expiration Date
      • Service Code
    • Sensitive Authentication Data
      • Full magnetic stripe data or equivalent on a chip
      • CAV2 / CVC2 / CVV2 / CID
      • PINs / PIN blocks

It is important to note that the defining factor in applicability of PCI DSS requirements is the Primary Account Number (PAN), also commonly known as the Credit Card number. If PAN is stored, processed, or transmitted then all PCI DSS requirements apply.

On the other hand, if PAN is not stored, processed, or transmitted anywhere in the environment, then no PCI DSS requirements apply.

Moreover, if cardholder name, service code, and/or expiration date are stored, processed or transmitted with the PAN, or are otherwise present in the cardholder data environment, they must be protected in accordance with all PCI DSS requirements except Requirements 3.3 and 3.4, which apply only to PAN. These two requirements are around masking and hashing/encrypting PAN.

Finally, it is also important to note that as a general rule none of the Sensitive Authentication Data can be stored in the environment at any time.

Cross-posted from the Security Compass Labs blog.

Possibly Related Articles:
PCI DSS Compliance assessment
Post Rating I Like this!
Mic Micac I am writing a research paper and collecting information on this topic. Your post is one of the better that I have read. Thank you for putting this information into one location.
Mic Micac This was an excellent article. It has some valuable content on this topic. Thank you for compiling it into an easy to read and well written post.
Mic Micac This post has helped me for an article which I am writing. Thank you for giving me another point of view on this topic. Now I can easily complete my article. Cheers
sikawai duluan This is 7 olive oil for hair benefits : 1. Prevents Hair Loss 2. Get Rids of Dandruff and Head Lice 3.Improves Hair Strength Naturally 4. Makes Hair Shiny and Soft 5. Improves Blood Circulation in Scalp 6. Promotes Scalp Health 7. Tames Frizzy Hair Source: http://www.oliveoilforhairhq.com/
Leo nardz I have been seeking information on this topic for the past few hours and found your post to be well written and has solid information.
Leo nardz I am exploring this subject as part of a report I need to do on possible careers I might choose. Thank you for your post it has valuable information on this topic.
shahbaz ocpfsd1 Wonderful article,What Is Apple Pay? thanks for putting this together! This is obviously one great post. Thanks for the valuable information and insights you have so provided here.
Anushka Jain Corporations have got various sizes connected with trucks, canisters and car trailers to provide reliable and quick alternatives on very cost-effective charge http://www.expert5th.in/packers-and-movers-hyderabad/
Anushka Jain Packers Moving organizations organizations have their particular spacious and totally waterproof warehouses intended for providing top high quality hard drive alternatives. http://www.expert5th.in/packers-and-movers-mumbai/
Anushka Jain Packers and Movers in Chennai Charges or
Jason Croft Has solid information.. that's right. Security in such a branch is very changable thing for http://milfdating-site.com
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.