PCI DSS Scoping and Segmentation

Published on : 25 Jun 2020

The PCI DSS Security Standards have long been a hot topic of discussion in the industry. They can seem confusing and intimidating, as many organizations fail to understand their requirements and area of application, and struggle to identify which systems need to be secured. In this document, we have put together a detailed guide that will help you understand the ins and outs of the PCI DSS Security Standards and compliance for your business. It explains how to identify the systems that must be included "in scope" for PCI DSS, and how segmentation can reduce the number of systems that require PCI DSS controls.


What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of security standards formed in 2004 by five major credit card companies, also known as card brands, namely Visa, MasterCard, Discover, JCB and American Express. Governed by the Payment Card Industry Security Standards Council (PCI SSC), the policies and procedures it sets out are intended to optimize and secure credit, debit and cash card transactions, and so protect cardholders against data fraud, data theft and misuse of personal information. PCI SSC has no legal authority to compel compliance. However, if you intend to take part in any process concerning the five card brands, such as issuing, acquiring, authorisation, clearing or settlement, or to act as a service provider to these processes, then you need to be certified PCI DSS compliant. This applies equally to merchants and service organisations. PCI certification is the best way to secure sensitive data and to help businesses establish trust with their customers.

Who needs to be PCI DSS Compliant?

PCI DSS applies to all entities involved in the card payment process, including merchants, processors, issuers and service providers. It is also applicable to all entities that store, process or transmit cardholder data and/or sensitive authentication data. Even organizations providing services that impact the security of the cardholder data environment are required to be PCI DSS compliant.


What is the scope of the PCI DSS Compliance?

Once you begin the journey of PCI DSS compliance, you first need to identify the scope to which it applies. Bear in mind that you cannot define the scope according to your business priorities or budgets, as is generally observed in ISO projects.

Given below are the systems to which PCI DSS security requirements may be applicable.


1. System Components

The PCI DSS security requirements apply to all system components included in or connected to the Cardholder Data Environment (CDE). "System components" include all network devices, servers, computing devices and applications. Any system component that stores, processes or transmits payment card information is considered part of the CDE. One of the best ways to determine the CDE is to document or map how payment information flows throughout the environment. This will help you determine all systems and system components that are subject to PCI compliance.

2. Systems within the network

Systems that fall inside the same physical or logical network are also part of the CDE. So, systems cannot simply be excluded on the grounds that they do not store, process or transmit payment card information.


PCI DSS is also applicable if you are responsible for third parties that store, process or transmit credit card information. For instance, a web hosting company that hosts an e-commerce website which stores, processes or transmits cardholder data falls "in scope", so the web hosting company is obliged to be PCI DSS compliant. In this scenario, it is the responsibility of the e-commerce company to check once a year whether the web hosting company is PCI compliant. If the vendor is not PCI DSS compliant and the company still wishes to continue working with them, then it is the company's responsibility to ensure the vendor becomes compliant.

Note: every PCI DSS security requirement/control applies to the people, processes and technologies that interact with or impact the security of CHD (Cardholder Data).



The objective of PCI DSS Compliance

We have listed the six primary goals/objectives of being PCI Data Security Standard compliant, which are as follows:

1. Build and Maintain a Secure Network

One of the main objectives of being PCI DSS Compliant is to ensure that the organization builds and maintains a secure network that protects all confidential data. 

Ways to achieve it

  • Install and maintain a firewall configuration to protect cardholder data. 
  • Avoid using vendor-supplied default system passwords and other security parameters. 

2. Protect Cardholder data

Protecting cardholder data is the main focus and top priority. Ensuring compliance limits the possibility of a cardholder data breach or data theft.

Ways to achieve it

  • Secure stored Cardholder Data
  • Encrypt transmission of Cardholder Data across networks

3. Maintain a Vulnerability Management Program

Compliance with PCI DSS will ensure that the organization has in place a Vulnerability Management Program that helps strengthen the network and protect data.

Ways to achieve it

  • Keep a regular check on the system and keep its anti-virus software or programs updated. 
  • Develop and maintain secure systems and applications.

4. Implement Strong Access Control Measures

PCI DSS requirements will ensure organizations implement strong access control measures to prevent unauthorized access and misuse of data. 

Ways to achieve it

  • Limit access to cardholder data to authorized persons only. 
  • Provide a unique ID to every authorized person having access to the system. 
  • Restrict physical access to Cardholder Data.


5. Regularly Monitor and Test Networks

Compliance with PCI DSS will ensure regular monitoring and testing of the network. 

  • Conducting regular monitoring, tracking, and testing activities on all access points to network resources and cardholder data. 

6. Maintain an Information Security Policy

Organizations will develop and maintain an Information Security Policy as per the requirements of PCI DSS Compliance.

Ways to achieve it

  • Frame a detailed policy that addresses the organization’s Information Security issues. 

Understanding PCI DSS Scoping & Segmentation

In December 2016 the PCI Security Standards Council (PCI SSC) released a supplemental guide on scoping and network segmentation. The purpose of this guide was to help organizations determine which systems are "in scope" for PCI DSS, and to understand how segmentation can reduce the number of in-scope systems. The objective was to help organizations protect their data from threats that target systems with fewer security controls as a stepping stone to sensitive cardholder data on more strongly protected systems. For easier understanding, we have simplified the document on PCI DSS scoping and segmentation for our readers. So, before going deeper into the compliance aspect, let us understand what PCI DSS scoping and segmentation mean. 

What defines Scoping?

The PCI Security Standards Council (PCI SSC) defines "scope" as the part of your environment that must meet the control objectives stated in the PCI Data Security Standard (DSS). Simply put, three activities define scope: storage, processing and transmission. Any system that stores, processes or transmits payment card details falls within the scope of PCI compliance. One of the best ways to determine the systems "in scope" is to map the payment data flow throughout your environment; this in turn determines all the systems that are subject to PCI DSS compliance. To reiterate, wherever the scoping criterion described above applies, that is the scope. A company cannot by itself decide what to include now and what to "take up later on".


PCI DSS Scope Categories

PCI DSS scope can be classified into three categories, which state clearly whether a system is "in scope", a "connected-to" system in scope, or "out of scope".

Systems considered “In-Scope”

Systems that are directly involved in, connected to, or impact the security of cardholder data fall within the scope of PCI DSS. 

  • Systems storing, processing or transmitting Cardholder Data (CHD) and Sensitive Authentication Data (SAD). 
  • Systems that do not store, process or transmit cardholder data, but fall in the same or an adjacent network. 

Directly or indirectly "connected-to or security-impacting" system components: 

  • Systems that directly or indirectly connect or have access to the CDE (example a system connected via a jump server). 
  • Systems that impact the configuration or security of the CDE (for example a server providing name resolution (DNS) for the CDE). 
  • Systems that provide security services to the CDE (example identification & authentication server like an Active Directory).  
  • Systems that support PCI DSS requirements or provide segmentation of the CDE from out-of-scope systems. 

Systems considered “Out-of-Scope”

"Out of scope" is an explicit set of criteria that a system must meet to be considered outside the PCI DSS scope. If and when a system falls out of scope, it does not require PCI DSS controls. All of the criteria below must be met for a system to be "out of scope":

  • Systems that do not store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD);
  • Systems that do not fall in the same network segment as systems that store, process, or transmit CHD or SAD; 
  • Systems that do not have direct or indirect access to any system in the CDE; 
  • Systems that do not directly or indirectly impact the security controls of the CDE;
  • Systems that do not meet the criteria described above for connected-to or security-impacting systems.

Note: if a system component fails to meet all of the above criteria, it is by default considered "in scope" for PCI DSS. The PCI Council has made it clear that "connected" systems are also in scope, and all PCI DSS requirements apply to any system connected to the CDE.
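As an added example, not from the post or from any PCI SSC material, the following Python classifier applies the three categories above to a small constructed inventory. It treats a host as out of scope only when every exclusion criterion holds, and follows connections transitively, so a workstation that reaches the CDE only through a jump server is flagged as connected-to. All host names, segments and attributes are assumed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

@dataclass
class System:
    name: str
    segment: str                        # network segment / VLAN the host sits in
    handles_chd: bool = False           # stores, processes or transmits CHD or SAD
    security_impacting: bool = False    # e.g. DNS or Active Directory serving the CDE
    connects_to: List[str] = field(default_factory=list)  # hosts it can reach

def reachable(inv: Dict[str, System], start: str) -> Set[str]:
    """All hosts reachable from `start` over any chain of connections (indirect access)."""
    seen: Set[str] = set()
    stack = [start]
    while stack:
        for nxt in inv[stack.pop()].connects_to:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen

def classify(inv: Dict[str, System]) -> Dict[str, str]:
    """Assign each host to in-scope, connected-to or out-of-scope.
    A host is out of scope only if every exclusion criterion holds; anything else stays in scope."""
    cde_segments = {s.segment for s in inv.values() if s.handles_chd}
    # Handles CHD/SAD, or shares a network segment with a host that does.
    in_scope = {n for n, s in inv.items() if s.handles_chd or s.segment in cde_segments}
    result = {}
    for name, s in inv.items():
        if name in in_scope:
            result[name] = "in-scope"
        elif s.security_impacting or reachable(inv, name) & in_scope:
            # Direct or indirect access to the CDE, or impacts its security.
            result[name] = "connected-to"
        else:
            result[name] = "out-of-scope"
    return result

# Constructed sample inventory (hypothetical hosts, not from any real assessment).
INVENTORY = {s.name: s for s in [
    System("pos-terminal", "card-vlan", handles_chd=True),
    System("payment-gw", "card-vlan", handles_chd=True),
    System("inventory-db", "card-vlan"),                       # same VLAN, holds no CHD
    System("corp-dns", "corp", security_impacting=True),       # resolves names for the CDE
    System("jump-host", "mgmt", connects_to=["payment-gw"]),
    System("admin-wks", "corp", connects_to=["jump-host"]),    # reaches CDE only via jump host
    System("marketing-web", "dmz"),                            # meets every exclusion criterion
]}
```

Running `classify(INVENTORY)` puts the three card-vlan hosts in scope, the DNS server, jump host and admin workstation in the connected-to category, and only the marketing web server out of scope.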

Why is Network Segmentation essential? 

Understanding PCI DSS compliance and network segmentation is critical, because segmentation helps merchants and service providers divide their information systems and minimize the effort needed to meet the PCI DSS requirements for securing cardholder data. Given below are some good reasons why network segmentation is essential for an organization:

  • Network Segmentation reduces the scope and complexity of card-processing networks and data management processes.
  • It ensures the company stores sensitive cardholder data only in specific locations and limits access to the individuals who need it. 
  • It is an essential security practice for companies that wish to protect cardholder data and reduce their PCI DSS compliance scope. 
  • Network Segmentation helps reduce costs associated with your PCI Assessment. 
  • Network Segmentation improves data security and limits or reduces the possibility of data breach/data theft. 
  • The process also makes it easier to spot anomalies within each distinct network. 
  • Effective Network Segmentation can also prevent “out-of-scope” systems from overlapping with systems in the Cardholder Data Environment.

Closing thought

When it comes to scoping for PCI DSS, the best approach is to assume that everything is in scope until verified otherwise. Further, determining that a system is out of scope does not imply that the system is secure and needs no protection. A system that does not fall "in scope" for PCI DSS may still pose a threat to the CDE (as part of a domino effect) and to the organization as a whole. As an expert in the infosec industry, I have noticed a common pattern in data breaches, wherein an attacker always strives to first target systems deemed out of scope for PCI DSS.

While payment card data is one set of confidential data that needs to be secured, companies also have a legal responsibility to protect and secure any personal data of their clients. So, as a comprehensive measure for securing all confidential data, I strongly recommend PCI DSS as an appropriate means of securing not just payment cardholder data, but also other sensitive and confidential data on an organization's network and systems. Implementing best-practice security controls will help organizations protect their infrastructure and the other system components that are deemed "out of scope" under the PCI DSS requirements.

Watch the webinar on PCI DSS Scoping and Segmentation

Speaker: Narendra Sahoo
Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.