When undertaking any kind of PCI DSS assessment, whether it is a formal assessment or self-assessment questionnaire (SAQ), the most important thing is ensuring that the scope is correct. Without an understanding of the scope, systems may be overlooked and/or insufficient security controls applied. This may lead to a risk of data breach.
Conversely, an incorrect scope may mean businesses are applying security controls above and beyond what is expected of them by the PCI DSS or are applying controls on systems that should have been declared out of scope. The additional compliance effort and/or cost resulting from an incorrect assessment scope could have a significant impact on a business that has few resources.
For a step by step approach to creating network and card data flow diagrams, that will help with correctly scoping your Cardholder Data Environment (CDE) we have developed a factsheet which we recommend downloading and reading.
What should be included and what steps should be taken?
PCI DSS involves people, processes and technology. This means that any business will need to have a clear understanding of all the processes that handle payment card data, such as their face to face retail, mail order/telephone order (MO/TO) and e-Commerce payment channels. Furthermore, it also includes back-end processes such as refunds, chargebacks, settlement or reconciliation that may use cardholder data. Therefore, the first step is to understand business processes that define the cardholder data environment (CDE). Documenting all business flows where cardholder data and/or sensitive authentication data is submitted, received, handled, processed, retained, destroyed, etc. is recommended.
Once business payment card data flows have been developed identifying the people and processes, a business should then identify the underlying technology (software or hardware) that is provisioning and supporting those services. Therefore, diagrams highlighting the flows of payment card data across the systems and network(s) involved should be developed and maintained. Documenting a network diagram and diagram of cardholder data flows across systems and networks is mandatory for some SAQs and for formal assessment. These diagrams should clearly define the CDE and the assessment scope.
One key aspect, often overlooked, is systems that are not involved in payment card data handling, but which may be in-scope for PCI DSS due to their potential impact on the security of the CDE. For example, security systems that support the CDE and are involved in meeting a PCI DSS control (for example, access control systems). Furthermore, any “connected to” system; that is, any system that is connecting into the CDE systems or that is connected to by systems in the CDE are also in-scope for PCI DSS. For example, shared services, such as DNS or NTP, that provide services to systems both inside and outside of the CDE. These “connected to” systems could be used as an attack vector to impact the security of the CDE and of payment card data, so again it is vital to highlight these connected systems on any network diagrams.
At this point, a business should have identified all in-scope CDE components and any systems that could impact the security of the CDE (such as any connected systems or security systems). A robust process should be maintained to reflect these systems in a current inventory.
To summarise, it is vital to ensure sufficient time is spent identifying the scope for PCI DSS. If the scope is incorrect and includes more than it needs to, any remediation or corrections are likely to be more costly. If the scope is incorrect and excludes people, processes, systems and networks that may have an impact the security of the CDE, then cardholder data or sensitive authentication data may be insufficiently protected and at risk. Supporting documentation, such as documented business card data flows and network diagrams should clearly identify the people, process and technology. This will help highlight areas that have been overlooked and need additional controls. It will also allow better decisions to be made regarding pragmatic solutions to meet PCI DSS, if such solutions are required in order to reduce the scope for PCI DSS.
For a step by step approach to creating network and card data flow diagrams, that will help with correctly scoping your Cardholder Data Environment (CDE), fill out the form and download the factsheet – A Closer Look at CDE Diagrams