CHAPTER 2: WHAT IS THE SCOPE OF THE PCI DSS?

The PCI DSS is applicable if you store, process or transmit cardholder data, or if you are responsible for third parties that store, process or transmit cardholder data. The Cardholder Data Environment (CDE) is any network that possesses cardholder data or sensitive authentication data. It does not apply to your organisation if Primary Account Numbers (PANs) – the 16-digit credit card numbers – are not stored, processed or transmitted. The PCI DSS applies to any type of media on which card data may be held – this includes not only hard disk drives, floppy disks, magnetic tape and back-up media, but also embraces printed or handwritten credit and debit card receipts where the full card number is printed. These receipts are sometimes held by merchants as a paper record of the transaction and may be used for voucher recovery purposes or as evidence of the transaction if the acquirer issues a request for information (RFI). If the card number is recorded in full, then the record is subject to the same security requirements as electronic copies, and therefore the receipts must be stored securely.

Retailers must also secure all other areas where card details may be stored, processed or transmitted. EPOS systems are worthy of particular note. While newer EPOS systems store card details securely, many older EPOS systems do not. If the equipment does not store it securely, or there is uncertainty as to whether it is secure, then retailers should take firmer measures to protect the equipment, or upgrade to equipment that meets PCI DSS standards.

PCI DSS applies to all processes, people and technology, and all system components, including network components, servers, or applications that are included in or connected to the cardholder data environment. It also applies to telephone recording technology used by call centres that accept payment card transactions. Shopping carts and payment processing facilities are examples of applications to which PCI DSS applies (also see Chapter 12 on the Payment Application Data Security Standard (PA-DSS).

While not a specific requirement, PCI DSS strongly recommends that any merchant or service provider reduces the scope of its Cardholder Data Environment (CDE). This reduces the cost and complexity of both the initial assessment and the maintenance of PCI controls. Reducing the scope is typically achieved by isolating (network segmenting) the CDE. Given the complexity of modern IT networks and applications, we would advise that you seek the advice of a qualified PCI DSS consultant prior to completing this activity.