Scoping for PCI DSS Compliance

The basic and the foremost activity is scoping for PCI DSS Compliance assessment. Scoping activity might look bit easy in general but it can be a real challenge for the assessor while performing it (which particular segment process, transmit or store the cardholder data, which does not).

How important is scoping for PCI DSS Compliance assessment, can be determined through Guidance for PCI DSS Scoping “The first step of a PCI DSS assessment is to accurately determine the scope of the review.” At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data and ensuring they are included in the PCI DSS scope.

It is a core responsibility of an assessor to get the scoping determined accurately because a single flaw in scoping activity might lead to the failure of the whole PCI DSS assessment.

So here are some common method used by the QSA to determine the scope of the PCI Compliance project.

  • Network diagram
  • Data flow diagram
  • Card finder tool report
  • Assessor’s experience


Network Diagram: For any project regardless of PCI DSS, Network diagram play very important role. Network diagram gives the assessor full-fledged idea about the environment of the client. Through network diagram it gets cleared which all segment is created and how these segments are communicating with each other, how internal zones are interacting with internet. With the help of network diagram an assessor does the segmentation as which segment is to be considered In-scope or Out-off scope.

PCI DSS guideline defines network segmentation as “Network segmentation can be achieved through a number of physical or logical means, such as properly configured internal network firewalls, routers with strong access control lists, or other technologies that restrict access to a particular segment of a network. If network segmentation is in place and being used to reduce the scope of the PCI DSS assessment, the assessor must verify that the segmentation is adequate to reduce the scope of the assessment. At a high level, adequate network segmentation isolates systems that store, process, or transmit cardholder data from those that do not. However, the adequacy of a specific implementation of network segmentation is highly variable and dependent upon a number of factors, such as a given network’s configuration, the technologies deployed, and other controls that may be implemented”.

Data Flow Diagram: The second most common method used by an assessor is data flow diagram. PCI DSS guideline has clearly mentioned the use of data flow diagram as “Documenting cardholder data flows via a dataflow diagram helps fully understand all cardholder data flows and ensures that any network segmentation is effective at isolating the cardholder data environment”.

Data flow diagram let the assessor determine how the data is being transmitted in the system, whether the PCI scope system are able to communicate with the NON-PCI scope system or not (remind you there should not be any communication between PCI scoped system and NON-PCI scoped system), even assessor is able to determine how the inputs and outputs relate to each other, what encryption mechanism is being used to transmit the cardholder data.

Card Data Finder Tool Report: Nowadays, card data finder tool reports are being widely used by the assessor to determine and cross-validating the defined scoped. These reports have become very useful as they let the assessor know which out-off scoped systems are storing, processing or transmitting the cardholder data.

Sometimes even the client does not know which system is in-scope or out-off scope, in those type of scenarios card data finder tool report becomes handy. Most of the assessor analyze these reports before they go to client place so that when they are on-site they are aware of the in-scoped system and focus on them and even future surprises related to in-scope and out-off scope can be reduced.

Assessor’s Experience: In scoping for PCI DSS Compliance assessment, assessor’s experience matters a lot. An assessor will combine all the above given methods output as an input for providing the final In-scoped and Out-off scoped system. An assessor will validate all the information given by the client in network diagram, data flow diagram and card finder tool report at the time of On-site assessment and based on the comparison will scope-in or scope-out the system.

As per PCI DSS guideline “Once all locations of cardholder data are identified and documented, the entity uses the results to verify that PCI DSS scope is appropriate (for example, the results may be a diagram or an inventory of cardholder data locations)”.
“For each PCI DSS assessment, the assessor is required to validate that the scope of the assessment is accurately defined and documented”.
As scoping is an initial activity it is valued the most. Hence I would like to conclude it with “Project scope definition is the most important factor when it comes to project requirements. It is vital for service providers to define the scope of the project in order to successfully enter into an agreement with the client”.


Sunil Saroj
SISA’s Latest
close slider