Back on Friday December 9, 2016, the Payment Card Industry Security Standards Council (PCI SSC) released a new Information Supplement Guidance for PCI DSS Scoping and Network Segmentation. The purpose of this Supplement was to provide some clarification on how an Organization can implement network segmentation controls to minimize the scope of systems covered by PCI DSS controls.
Section Three of the Supplement provides a useful diagram (Figure 1 – PCI DSS Scoping Categories, page 10) to highlight the three Categories of systems:
- CDE Systems
- Connected-to or Security-impacting Systems
- Out-of-Scope Systems
This figure is meant to be used as a decision tree to rule out a system from inclusion, starting with the CDE systems, and working through the lower-priority classifications until a system is deemed to be out-of-scope.
This Supplement also provides some guidance on how you can verify that a system is truly out-of-scope:
- System component does NOT store, process, or transmit CHD/SAD.
- System component is NOT on the same network segment or in the same subnet or VLAN as systems that store, process, or transmit CHD.
- System component cannot connect to or access any system in the CDE.
- System component cannot gain access to the CDE nor impact a security control for CDE via an in-scope system.
- System component does not meet any criteria described for connected-to or security-impacting systems, per above.
Although you have now ruled these systems out-of-scope for the PCI DSS controls: “While it is not required to implement PCI DSS controls on out of-scope systems, it is strongly recommended as a best practice to prevent out-of-scope systems from being used for malicious purposes.” Reducing the scope of your PCI DSS environment can be a useful control in meeting your compliance obligations, it is not a security cure-all. Organizations should consider security implications of changes to the environment in the same process as evaluating the compliance impacts.
For more information, including examples of common scoping issues, please review the full Information Supplement which can be found in the PCI DSS Document Library.