Define PCI Scope Starting with Network Diagrams

One of the hardest things to do in business is to have a clear understanding and comprehensive plan with regards to Payment Card Industry Data Security Standards (PCIDSS).

Merchants, ISOs, and ISVs give a nod to the importance of the data security in this arena, however they often misunderstand the nuances of what is truly involved in such a vital and complex effort. The key to success, originates in a proactive stance with real world policies and procedures that transcend the click of an annual attestation checkbox. These strategies should be organically baked into every action the business engages with. In contrast to the correct approach, this topic is widely viewed as an inconvenience, a burden, or an illegitimate fee on a processing statement, that is until it is too late.

Considering the magnitude of this project, where are we to begin? Draw a line in the sand!

Defining PCI Scope is a foundational bedrock upholding the development and maintenance of any comprehensive PCIDSS program.

Here is what you should be thinking:



Break out the Visio and capture the entire infrastructure into at least two high level diagrams, namely the Network Diagram and the Data Flow Diagram. Visually, these documents will serve as valuable tools to manage PCI Scope as well as serve as the evidence basis for developing the necessary policies and procedures. Document everything! Clearly represent which items are “In Scope” (including “Connected To”) and which components are “Out of Scope”. Map the flow of cardholder data throughout the infrastructure.

At this stage in the process, two major techniques, Segmentation and Third-Party Service Provider Outsourcing, will surface which can drastically Reduce PCI Scope. Reducing Scope means less cost, complexity, and risk, but it does not mean less responsibility. Merchants remain responsible for understanding their own PCI Scope and Attestation of Compliance even if the entire cardholder data environment is outsourced to a qualified provider.

Every business on Earth should have these two diagrams on hand. Some will have little to no “In Scope” segments by leveraging qualified service providers with a seamless approach. Others will boast complex infrastructure designs with combined physical and logical controls to mitigate risk and demonstrate robust compliance initiatives. In either case, not understanding or thinking that this is someone else’s responsibility is unacceptable. Build your diagrams and review them at least annually, but more often in frequency with a proactive mentality is the better approach.

You are not alone! Reduce Scope whenever possible by leveraging qualified service providers. Take control of your data security posture and enhance consumer confidence and safety!

Original Post:  See it on LinkedIn

By Jason Estes
September 30, 2021
Leave a comment

Want to learn more about iCheckGateway?