Mirror, Mirror on the wall: who’s in PCI DSS scope of them all?

During a PCI DSS assessment, entities are often inclined to treat everything that is not part of the Cardholder Data Environment (CDE) as out of scope. Systems connected to the CDE that have nothing to do with security (in PCI DSS terms: confidentiality and integrity), such as monitoring systems or product databases, are frequently forgotten.

When the PCI DSS assessment comes around, a profound sense of disenchantment settles on the entity's PCI DSS Process Owner once the QSA has completed the scoping.

Let’s look at one way to get her smiling again.

The PCI Council’s statement on scope

The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) is comprised of people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data.

There is no workaround for that. “Included in or connected to” covers connectivity that is outbound, inbound or bidirectional, over any of the following means:

  • Physical
  • Wireless
  • Virtualized

And, the following statements always apply in a scoping exercise:

  • Systems located within the CDE are in scope, irrespective of their functionality or reason why they are in the CDE.
  • Similarly, systems that connect to a system in the CDE are in scope, irrespective of their functionality or reason why they have connectivity to the CDE.
  • In a flat network, all systems are in scope if any single system stores, processes, or transmits account data.

How do we take all those systems that service the network but have nothing to do with cardholder data out of scope?

Simply put: use a proxy.

If your network is well segmented, an IN-SCOPE proxy decouples the CDE, and the systems that might affect its security, from the rest of your network.

A typical example is a monitoring server with an agent installed on the CDE systems. Without a proxy, the agent on an in-scope system establishes a direct connection to the monitoring server, bringing it into scope.

With a proxy, the agent on the in-scope machine should preferably only push information out to the in-scope proxy; the proxy then forwards the agent data to the monitoring server. If the monitoring server needs to connect back, it does so through the proxy, so the monitoring server stays out of scope.

The same proxy can serve different connections for different “servicing” systems, taking them out of scope too. With just one additional system (the proxy), the scope can become much smaller and the headache much less severe.
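To make the scoping statements above and the proxy effect concrete, here is an added illustration written for this post (not code from the original article or from the PCI Council). It models a constructed inventory of hosts, network segments and observed connections, applies the three scoping rules (CDE systems are in scope, anything with direct connectivity to a CDE system is in scope, a flat segment is wholly in scope if one member holds account data), and then reroutes every CDE-to-non-CDE connection through an in-scope proxy to show which systems drop out of scope. Host names, segments and connections are constructed sample data; the one-hop connectivity rule and the assumption that the proxy itself never handles account data follow the post's description.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    segment: str
    cde: bool = False  # stores, processes or transmits account data


@dataclass
class Inventory:
    hosts: dict[str, Host]          # name -> Host
    connections: set[tuple[str, str]]  # observed (source, destination) pairs


def pci_scope(inv: Inventory) -> set[str]:
    """Return the host names that the three scoping rules put in scope."""
    cde_hosts = {h.name for h in inv.hosts.values() if h.cde}
    in_scope = set(cde_hosts)
    # Flat-network rule: every host sharing a segment with a CDE host is in scope.
    cde_segments = {inv.hosts[n].segment for n in cde_hosts}
    in_scope |= {h.name for h in inv.hosts.values() if h.segment in cde_segments}
    # Connectivity rule: inbound, outbound or bidirectional, a direct connection
    # to a CDE host pulls the other endpoint into scope. Only the first hop
    # counts, which is exactly what makes an in-scope proxy useful.
    for src, dst in inv.connections:
        if src in cde_hosts:
            in_scope.add(dst)
        if dst in cde_hosts:
            in_scope.add(src)
    return in_scope


def reroute_through_proxy(inv: Inventory, proxy: Host) -> Inventory:
    """Return a new Inventory where every CDE<->non-CDE connection goes via proxy.

    Connections between two CDE hosts, or between two non-CDE hosts, are left
    alone. The direction of each leg is preserved, so a monitoring server that
    polls its agents now reaches only the proxy.
    """
    if proxy.cde:
        # Assumption from the post: the proxy relays agent/service traffic
        # only and never stores, processes or transmits account data.
        raise ValueError("proxy must not itself be a CDE system")
    hosts = dict(inv.hosts)
    hosts[proxy.name] = proxy
    cde = {n for n, h in hosts.items() if h.cde}
    new_conns: set[tuple[str, str]] = set()
    for src, dst in inv.connections:
        if (src in cde) != (dst in cde):
            new_conns.update({(src, proxy.name), (proxy.name, dst)})
        else:
            new_conns.add((src, dst))
    return Inventory(hosts, new_conns)


def example_inventory() -> Inventory:
    """Constructed sample: two CDE hosts plus the 'servicing' systems from the post."""
    hosts = {h.name: h for h in [
        Host("pos-app", "cde", cde=True),
        Host("pos-db", "cde", cde=True),
        Host("monitoring", "corp"),   # agent on pos-app reports to it
        Host("catalog-db", "corp"),   # product database, no account data
        Host("hr-wiki", "corp"),      # never talks to the CDE
    ]}
    connections = {
        ("pos-app", "pos-db"),        # CDE internal
        ("pos-app", "monitoring"),    # agent push
        ("monitoring", "pos-app"),    # server polls the agent
        ("pos-app", "catalog-db"),    # product lookups
        ("hr-wiki", "catalog-db"),
    }
    return Inventory(hosts, connections)


if __name__ == "__main__":
    before = example_inventory()
    print("scope without proxy:", sorted(pci_scope(before)))
    after = reroute_through_proxy(before, Host("mon-proxy", "proxy-dmz"))
    print("scope with proxy:   ", sorted(pci_scope(after)))
```

Running it lists four hosts in scope before the proxy (the two CDE hosts plus the monitoring server and the product database) and three afterwards (the two CDE hosts plus the proxy). The same script doubles as a quick check of the flat-network rule: move a host into the CDE segment and it appears in scope even with no connections at all.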

There are other ways of reducing the scope, such as tokenization, containers or network segmentation, but that, folks, is another story.
