Everything you need to know about PCI DSS scope from Good Will Hunting and ‘Coop’

Photo by YTCount on Unsplash

If you are involved in IT and deal with payments, you certainly know about the Payment Card Industry Data Security Standard (PCI DSS). As a member of the PCI Dream Team, along with Art “Coop” Cooper, Jeff Hall, and David Mundhenk, we have been doing webinars and conferences about PCI for about 3 years.

A question that comes up quite often during a PCI audit, and within our webinars, is about PCI scope and segmentation. Not just a question: people often like to vent and complain that their QSA is making their scope so large. David and I wrote Network Segmentation and PCI Compliance on the topic, and at almost 2,000 words, we covered the topic in detail.

As any QSA can tell you, clients will often be at their most creative element when they try to define what their cardholder data environment (CDE) scope is, and isn’t. This is because the smaller the scope, the less work they and the QSA have to do. Clients will often do contortions in describing their networks, to have much of it deemed out of scope. While creativity is a good thing, their attempts to explain away how their networks transmitting cardholder data (CHD) and thousands of devices storing CHD are somehow out of PCI scope can often border on the delusional.

While David and I did (in my humble opinion) a superb job of laying out the minutiae of defining CDE scope, perhaps the best definition of PCI scope comes from our fellow Dream Team member and PCI expert Art “Coop” Cooper.

Coop cut to the chase and used an approach similar to the courtroom scene in the 1997 classic Good Will Hunting. That scene finds Will Hunting, played by Matt Damon, facing down Judge Malone in court. After Will Hunting, using a most creative legal defense, attempts to be found not guilty, Judge Malone gets to the heart of the matter when he stares Hunting down and says, “you hit a cop, you’re going in.”

With that, determining what your CDE is comes down to this, as Coop astutely noted: “follow the cardholder data. Wherever it goes, that is your initial scope. Then figure out what connects to all of that, and you have your final scope”.

In those 27 words, Coop stops all the contortions, denials, inventions, and more of what constitutes a CDE. If you don’t want your CDE to include thousands of devices, hundreds of endpoints, and all of your data center equipment, you should not have let it grow to that in the first place.
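As an added illustration, not code from the article or from the PCI Dream Team, Coop's two-step rule as a small scope calculator: follow the documented cardholder data flows to get the initial scope (the CDE), then add every system with a network path to or from it. The inventory, system names and the flat versus segmented connectivity are constructed and hypothetical.

```python
from collections import deque

# Constructed inventory (hypothetical names). CHD_FLOWS is directed:
# sender -> set of receivers that the cardholder data is sent to.
ESTATE = {"pos-terminal", "payment-gateway", "card-db", "backup-server",
          "cde-firewall", "hr-laptop", "file-server", "print-server"}
ENTRY_POINTS = {"pos-terminal"}                 # where card data first enters
CHD_FLOWS = {
    "pos-terminal": {"payment-gateway"},
    "payment-gateway": {"card-db"},
    "card-db": {"backup-server"},               # nightly dump: backups hold CHD too
}

def follow_the_data(entry_points, chd_flows):
    """Step 1, 'follow the cardholder data': every system the data reaches
    along the documented flows is in the initial scope (the CDE)."""
    cde, queue = set(entry_points), deque(entry_points)
    while queue:
        for receiver in chd_flows.get(queue.popleft(), ()):
            if receiver not in cde:
                cde.add(receiver)
                queue.append(receiver)
    return cde

def pci_scope(entry_points, chd_flows, connectivity):
    """Step 2, 'what connects to all of that': connectivity maps a system to
    the systems it can open a connection to. Any path in either direction
    makes a system connected-to, and therefore part of the final scope."""
    cde = follow_the_data(entry_points, chd_flows)
    connected = set()
    for system, peers in connectivity.items():
        if system in cde:
            connected |= peers          # the CDE can reach them
        elif peers & cde:
            connected.add(system)       # they can reach the CDE
    return cde, cde | connected

def flat_network():
    """No segmentation: every system can reach every other system."""
    return {s: ESTATE - {s} for s in ESTATE}

def segmented_network():
    """Only the CDE firewall touches both sides; corporate hosts have no
    path into the CDE, so only the firewall is connected-to."""
    cde = {"pos-terminal", "payment-gateway", "card-db", "backup-server"}
    corp = {"hr-laptop", "file-server", "print-server"}
    conn = {s: (cde - {s}) | {"cde-firewall"} for s in cde}
    conn.update({s: (corp - {s}) | {"cde-firewall"} for s in corp})
    conn["cde-firewall"] = cde | corp
    return conn
```

On the flat network the final scope is the whole estate; on the segmented one it is the four CHD systems plus the firewall, which is exactly the difference the QSA is pointing at.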

You may not like the fact that your PCI scope is massive, and your ensuing PCI assessment will cost a fortune. But explaining it away will get you nowhere. Just ask Coop.

I work in information security at Tapad, write book reviews for the RSA blog, and am a founding member of the Cloud Security Alliance and Cybersecurity Canon.
