by Jason McWhirr, Information Security Consultant
One of the most important (and most underused) first steps for any business or service provider undertaking PCI DSS is to understand how cardholder data is used within their organisation: by which people, which departments, and which systems. Without first knowing where cardholder data is stored, processed and transmitted, it is impossible to know which parts of the organisation are in scope for PCI DSS requirements and which are not.
Documenting this environment with a network diagram is actually mandatory for some questionnaires (SAQ B-IP & D), but it is best practice for all organisations. The diagram becomes the central document everyone can reference to understand where card payments are taken, by whom, where the data is stored, processed and transmitted, and who has access to it, both internally and externally.
An organisation's Cardholder Data Environment (CDE) defines its PCI DSS scope, and every PCI DSS requirement and SAQ question should be answered against that defined scope when selecting and completing the correct SAQ. Generally speaking, the smaller the PCI DSS scope, the easier (and cheaper) it is to comply, so it is in an organisation's best interest to know it!
Defining the CDE not only helps your clients complete and comply with PCI DSS, it also makes cardholder data visible to key employees, and can highlight areas that could otherwise be forgotten, need further protection, or need better controls.
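To show how the scoping described above can be derived mechanically rather than by hand, here is an added example (not Sysnet's tooling, and not part of the original article) in Python. It takes a constructed, hypothetical inventory of systems, their owners, whether each stores, processes or transmits cardholder data, and the permitted network links between them, then classifies every system as CDE, connected-to or out-of-scope and emits a Graphviz DOT diagram coloured by scope. The "connected-to" category is taken from the PCI SSC scoping and segmentation guidance, not from this article: a system with network connectivity to the CDE is in scope even if it never touches card data. Note the deliberately unflagged backup server: the inventory does not record it as storing cardholder data, so it lands in connected-to, which is exactly the kind of forgotten area that tracing the data flow is meant to surface.

```python
"""Derive PCI DSS scope from a system/data-flow inventory and render it as a
Graphviz DOT network diagram.  Hypothetical example, not Sysnet's tooling.

Rules applied (PCI SSC scoping guidance):
  * CDE: any system that stores, processes or transmits cardholder data.
  * connected-to: any system with network connectivity to a CDE system
    (in scope because it could affect the security of the CDE).
  * out-of-scope: everything else, i.e. isolated from the CDE by segmentation.
LINKS model *permitted* connectivity; a path blocked by a segmentation
firewall is simply not listed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    owner: str                 # person or department responsible
    stores: bool = False
    processes: bool = False
    transmits: bool = False
    external: bool = False     # third party, e.g. the payment processor


# Constructed sample inventory for a hypothetical organisation.
SYSTEMS = [
    System("pos-till", "Retail", processes=True, transmits=True),
    System("web-shop", "E-commerce", processes=True, transmits=True),
    System("card-db", "IT", stores=True),
    System("payment-gateway", "Acquirer", processes=True, external=True),
    System("backup-server", "IT"),   # not flagged as storing CHD: if it holds
                                     # card-db backups it must be moved into the CDE
    System("monitoring", "IT"),
    System("hr-laptop", "HR"),
    System("printer", "Facilities"),
]

# Constructed permitted network connectivity (undirected).
LINKS = [
    ("pos-till", "payment-gateway"),
    ("web-shop", "payment-gateway"),
    ("web-shop", "card-db"),
    ("card-db", "backup-server"),
    ("card-db", "monitoring"),
    ("backup-server", "hr-laptop"),
    ("hr-laptop", "printer"),
]


def cde_systems(systems):
    """Names of systems that store, process or transmit cardholder data."""
    return {s.name for s in systems if s.stores or s.processes or s.transmits}


def classify(systems, links):
    """Map each system name to 'CDE', 'connected-to' or 'out-of-scope'."""
    cde = cde_systems(systems)
    connected = set()
    for a, b in links:
        if a in cde and b not in cde:
            connected.add(b)
        if b in cde and a not in cde:
            connected.add(a)
    return {s.name: ("CDE" if s.name in cde else
                     "connected-to" if s.name in connected else
                     "out-of-scope") for s in systems}


def in_scope(systems, links):
    """Everything an assessor will ask about: CDE plus connected-to systems."""
    return {n for n, c in classify(systems, links).items() if c != "out-of-scope"}


def to_dot(systems, links):
    """Render the inventory as a Graphviz DOT diagram, coloured by scope."""
    colour = {"CDE": "red", "connected-to": "orange", "out-of-scope": "grey"}
    scope = classify(systems, links)
    lines = ["graph cde {", "  node [style=filled];"]
    for s in systems:
        # S/P/T flags show store/process/transmit on the node label.
        flags = "".join(f for f, on in (("S", s.stores), ("P", s.processes),
                                        ("T", s.transmits)) if on)
        label = f"{s.name}\\n{s.owner}" + (f" [{flags}]" if flags else "")
        shape = "box" if s.external else "ellipse"
        lines.append(f'  "{s.name}" [label="{label}" '
                     f'fillcolor={colour[scope[s.name]]} shape={shape}];')
    for a, b in links:
        lines.append(f'  "{a}" -- "{b}";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    for name, c in classify(SYSTEMS, LINKS).items():
        print(f"{name:16} {c}")
    print(to_dot(SYSTEMS, LINKS))
```

Pipe the DOT output through `dot -Tpng` to get the diagram. Reducing scope in this model means removing links (segmentation) or removing the store/process/transmit flags (for example by redirecting the web shop to the gateway's hosted page so it never handles card data), which is precisely what the article means by a smaller, cheaper scope.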
To help your clients better understand how to create a Cardholder Data Environment (CDE) diagram, Sysnet have created a whitepaper entitled "A closer look at req 1.1.2 Cardholder Data Environment", which describes what is required and how to document it correctly.
If you are a merchant that requires technical or PCI DSS help, please click here