Wednesday, September 5, 2012

PCI DSS Scoping Toolkit is Released

One of the most difficult and important tasks in any PCI DSS compliance assessment or gap analysis is determining your PCI scope.  That is, identifying which processes, networks, and systems are in scope for PCI compliance: those that store, process, or transmit cardholder data, and those connected to them.  If you underestimate your scope and miss things, you put your institution at risk of a damaging and expensive data breach.  If you overestimate your scope, you may spend money and resources on controls that were never required.

Recognizing the importance of properly determining PCI scope, the PCI Council established a Scoping SIG in 2009.  Full disclosure: I was a member of that SIG, although I played only a minor part.  That SIG never issued its final report, but the participants did a lot of good work, and I've shared some of the SIG's insights with clients on occasion.

Some of the members of the SIG have now released what they are calling the Open PCI Scoping Toolkit.  The Open Scoping Framework Group states:
The Toolkit includes a set of principles, a structured thinking process and tools to generate defensible and consistent scoping conclusions, regardless of who is performing the PCI evaluation or assessment. In the absence of such a tool, or unambiguous guidance released by the PCI Security Standards Council, questionable scoping decisions will continue to be made.
In the future, we will expand upon the Toolkit, and present its application to some of the toughest PCI scoping scenarios, along with our suggested scoping conclusions. These include hotel front desk networks that include POS systems and guest PCs, order entry systems running on thin clients in retail stores, virtualized servers processing cardholder data, and Active Directory systems providing authentication to systems processing cardholder data.
We expect that practitioners will use the Toolkit to make scoping decisions, with a level of consistency and precision that has eluded the community to date. We believe the Toolkit to be consistent with the spirit and intent of the PCI DSS.
You can also check out my StorefrontBacktalk column this week for a personal take on the toolkit.  I'll let you surf over there (no registration required) rather than repeat myself here.

Please know this Scoping Toolkit is not endorsed by the PCI Council.  However, whether you agree or disagree with the approach, I suggest you consider it as you assess your institution's own PCI scope.
