Determining the Scope of the Cardholder Data Environment: Don't Leave Data Out of the PCI Compliance Assessment

Angie Hipsher-Williams
| 9/24/2015
RISK-16005-015D Blog Post 2 -Creative Option

Why is it so hard to figure out the scope of a PCI compliance assessment? Seems straightforward enough, right? In the Payment Card Industry Data Security Standard (PCI DSS), the PCI Security Standards Council has defined and redefined scope for everyone, but many companies still don’t understand how best to determine the range of what is covered by the assessment. One reason it is so difficult is that no two networks, Web applications, or point-of-sale (POS) systems operate and communicate in the same manner. When you put people into the mix of process and communication, defining what is in scope becomes even more of a wild card.

So, let’s break down the scope of a PCI compliance assessment by defining some terms – and in the process identify the areas that should be in the scope but often are unknown, forgotten, or simply ignored.

Cardholder Data

Cardholder data is the data on any payment card (credit, debit, gift card, flexible spending, prepaid, and others) that has a Visa, MasterCard, Discover, American Express, or JCB logo on it. “Cardholder data” in general refers mainly to the primary account number (PAN), but when paired with the account number, any of this information also becomes “cardholder data”:

  • Card expiration date
  • Card verification value (CVV, the three- or four-digit authentication number)
  • Track data (from the card’s magnetic stripe)

Bear in mind that any card, whether past its expiration date or not, is considered “live” or “active” unless the card issuer has confirmed that the card has been canceled. So new, old, and archived cardholder data are all in scope. Just ask T.J. Maxx, which found out the hard way.1

Cardholder Data Environment

Keeping the definition of cardholder data in mind, let’s move on to the cardholder data environment (CDE), which is the environment on which a PCI compliance assessment should be focused. In other words, the CDE is equivalent to the scope of the assessment.

So, yes, as the council states, the CDE is all the components – vendors, people, and processes – of all the systems that store, process, and transmit cardholder data.

But the CDE also includes all systems that are connected to those systems or that can otherwise affect the security of cardholder data. These are not just the systems that are known to be storing cardholder data. Neither is the CDE just the virtual local area network (LAN), where all the systems that store, process, and transmit cardholder data are physically placed. It is all that but much more.

You have to consider all of the systems, including the POS system (I know I shouldn’t have to say that, but trust me the POS system often is ignored), that are connected to the environment you consider in scope. These connected systems might include management systems such as anti-virus consoles, patch management servers, access management systems, and central logging servers.

Equally as important as the management systems are nontransactional systems that can communicate with the CDE without passing along cardholder data. These systems may include reporting servers, which pull inventory data but have nothing to do with cardholder information. Because the nontransactional systems communicate with systems in the CDE, it could be possible for the nontransactional systems to affect the security of the systems that handle cardholder data. Therefore, nontransactional systems should be considered when determining the PCI compliance assessment scope.

Just as the CDE includes all systems connected to the systems in scope, the CDE includes all the vendors, people, and processes that interact with any connected systems that are storing, processing, and transmitting cardholder data. Vendors, for example, may extend the network that you should include in scope while assessing PCI compliance. An HVAC vendor that monitors heating and cooling on your network may open a hole to the outside world that you haven’t considered before.  

The CDE also includes all the ancillary systems employees use to send or store cardholder data for future use or record-keeping. These may include systems such as fax servers, email networks, networked file shares, hard drives, and free-form text boxes in customer relationship management applications where employees enter notes about a client. Even office vending machines that accept credit cards may sit on the network. In short, the CDE extends to lots of places you wouldn’t expect it to.

Cardholder Data Hunt

So to determine the scope of a PCI compliance assessment, you have to go on a cardholder data hunt. Talk to the people who are handling payments, follow the bread crumbs to ancillary systems, and really understand where the cardholder data is. If you don’t know where it is, then you can’t secure it; if you can’t secure it, your organization is probably out of compliance – and putting data at risk.

1TJX, the parent company of T.J. Maxx and other retailers, said in 2007 that hackers had compromised the information of 94 million customer accounts when they accessed an archive of cardholder data that had been placed on an unprotected segment of the network.