This page supplements our newsletter #9 - Defining the Scope of the PCI assessment
In terms of scope definition here is what PCI says:
PCI DSS requirements apply to all system components, defined as any network component, server, or application that is included in or connected to the cardholder data environment (CDE). The scope of a PCI DSS assessment can be reduced using adequate network segmentation, but what counts as adequate segmentation?
PCI SSC recently clarified that, to be considered "adequate," segmentation must isolate systems that store, process, or transmit cardholder data from those that do not, in such a way that the latter (out-of-scope systems), even if compromised, cannot impact the security of the former (in-scope systems).
In other words, if a system component can impact the security of the CDE in any way and at any level, that system component must be considered in scope for the PCI DSS assessment.
PCI SSC states that restricting access by IP or port (through a firewall, for instance) does not automatically remove systems or networks from scope, since there is still connectivity.
Under these conditions, is physical separation of network environments the only way to be certain that segmentation is adequate? As usual, PCI SSC gives the last word to the QSA, who must confirm that a system cannot impact the security of the CDE before it is determined to be out of scope.
This clarification of the term "adequate segmentation" raises another question: how does one validate that a system cannot impact the security of the CDE? Hopefully PCI SSC is working on additional guidance.
Is encrypted data considered out of scope?
PCI SSC clarified that, by default, encrypted cardholder data is in scope for PCI DSS, since it can be decrypted with the right cryptographic key. Even storing encrypted data without access to the decryption keys does not automatically place the data, or the merchant, out of scope. So under which conditions can an entity remove its encrypted data from scope?
According to PCI SSC, encrypted data may be deemed out of scope for a particular entity if, and only if, it is validated that the entity does not have the ability to decrypt it, meaning:
that the entity does not hold the cryptographic keys anywhere in its environment, and that the entity's systems, processes, or personnel have no access to the environment where the decryption keys are located and no ability to retrieve those keys. PCI SSC still has to clarify what the "validation" mechanisms are.
All applicable PCI DSS requirements apply if encrypted cardholder data is stored on a system or media that also contains the decryption key, if the encrypted data is stored in the same environment as the decryption key, or if the encrypted data is accessible to an entity that also has access to the decryption key.
In all circumstances, systems performing encryption and/or decryption of cardholder data, and any systems performing key management functions, are always considered in scope.
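The two scoping rules above (a firewall rule that merely restricts ports still leaves a system "connected to" the CDE, and systems doing encryption, decryption or key management are always in scope) can be turned into a first-pass scope check over an inventory. The following Python script is an added example written for this page; it is not PCI SSC guidance, not a tool from the newsletter's authors, and the CDE network, the firewall rules and the host roles in it are constructed assumptions. It classifies each host as in scope or as an out-of-scope candidate, and deliberately leaves the final word on candidates to the QSA, as the text says.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example data. The CDE network, the rules and the host roles are
# assumptions made for this illustration, not data from any real assessment.
CDE_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]


@dataclass
class Rule:
    src: str               # source CIDR
    dst: str               # destination CIDR
    port: Optional[int]    # destination port, None = any port
    action: str            # "allow" or "deny"


# Rules are evaluated top to bottom; anything not matched is denied.
FIREWALL_RULES = [
    Rule("10.20.0.0/24", "10.10.0.0/24", 443, "allow"),   # web tier -> payment API
    Rule("10.30.0.5/32", "10.10.0.0/24", 22, "allow"),    # jump host -> SSH into CDE
    Rule("10.40.0.0/16", "10.10.0.0/24", None, "deny"),   # office LAN: no access at all
]

# Roles the page says are always in scope, whatever the network layout.
ALWAYS_IN_SCOPE_ROLES = {"encryption", "decryption", "key-management"}


def permitted_path_to_cde(host, rules, cde_nets):
    """Return the first rule that permits traffic from host into any CDE network,
    or None if no permitted path exists. A catch-all deny ends evaluation; a
    port-specific deny only removes that port, so later allows still count."""
    for rule in rules:
        src = ipaddress.ip_network(rule.src)
        dst = ipaddress.ip_network(rule.dst)
        if host not in src or not any(dst.overlaps(n) for n in cde_nets):
            continue
        if rule.action == "allow":
            return rule
        if rule.port is None:          # deny everything: nothing below can apply
            return None
    return None


def classify(host_ip, role, rules=FIREWALL_RULES, cde_nets=CDE_NETWORKS):
    """Return (verdict, reason). Verdict is 'in-scope' or 'out-of-scope-candidate';
    a candidate is never declared out of scope here, since that is the QSA's call."""
    host = ipaddress.ip_address(host_ip)
    if any(host in n for n in cde_nets):
        return "in-scope", "system is inside the CDE"
    if role in ALWAYS_IN_SCOPE_ROLES:
        return "in-scope", f"role '{role}' performs cardholder-data cryptography or key management"
    rule = permitted_path_to_cde(host, rules, cde_nets)
    if rule is not None:
        port = "any port" if rule.port is None else f"port {rule.port}"
        # Restricting to one port is still connectivity, so the host stays in scope.
        return "in-scope", f"rule allows {rule.src} -> {rule.dst} on {port}: still connected to the CDE"
    return ("out-of-scope-candidate",
            "no permitted path to the CDE; QSA must still confirm it cannot impact CDE security")


if __name__ == "__main__":
    inventory = [("10.20.0.7", "web"), ("10.30.0.5", "jump-host"),
                 ("10.40.1.9", "office"), ("10.10.0.3", "database"),
                 ("10.50.0.2", "key-management")]
    for ip, role in inventory:
        verdict, why = classify(ip, role)
        print(f"{ip:<12} {role:<15} {verdict:<22} {why}")
```

The web tier is classified in scope even though only port 443 is open to the CDE, which is exactly the point PCI SSC makes about port-based restrictions. The office LAN comes back only as a candidate: the script can show that the rules permit no path, but it cannot show that the system "cannot impact the security of the CDE," which remains a QSA judgement.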
How do these clarifications impact your PCI Journey?
Have you read our previous newsletter? - PCI 30 seconds newsletter # 23 – Introduction to Risk Assessment