Understanding PCI DSS Scope

PCI DSS scope covers everything that is part of, connected to, or could affect the security of the cardholder data environment (CDE). Both the physical and the electronic environment must be assessed against the standard. This includes the people, technologies, networks and applications that play a direct or indirect role in storing, processing or transmitting cardholder data.

What constitutes the PCI DSS Scope?

To understand what falls under PCI DSS scope, the following must be considered:

  1. The PCI DSS requirements apply to every system component that stores, processes or transmits cardholder data, and to every component connected to such a system.
  2. The CDE, or cardholder data environment, consists of the people, processes and technologies that handle cardholder data or sensitive authentication data.
  3. The standard also applies to any system that provides security services to the systems already in scope, such as log management, IDS management and authentication systems.

How Can You Determine the Scope?

To assess the PCI DSS scope for your organization, the first step is to determine the cardholder data environment (CDE). Although this may seem easy at first, it can turn out to be difficult even for very small organizations, so it is important to understand exactly what to consider when determining the CDE.

To determine the scope of PCI DSS, the following steps need to be taken:

  1. Identify and document the flow of cardholder data. Every application that stores cardholder data, and every other application involved in the flow, must be identified.
  2. Build a network diagram that shows all access points, firewalls, servers, switches and other network devices.
  3. Scan the network to verify that cardholder data is not present anywhere outside the CDE the organization has defined. This can be done with Data Loss Prevention (DLP) technology or with one of the free or open source discovery utilities available from various vendors. The scan can also be done manually if the organization does not want to invest in a scanning utility; in that case it should at least cover databases, file shares, application logs and backups, since those are where stray PANs usually surface.
  4. Securely delete, or migrate into the CDE, any cardholder data found outside the currently defined CDE, and then redefine the CDE to match what the scan showed.


Confusion Regarding PCI DSS Scope Determination

Organizational Networks

Organizational networks used to transmit cardholder data are naturally in scope for PCI DSS. This is easily understood and widely accepted. Confusion arises, however, when the data is encrypted. Service providers argue that because the cardholder data is encrypted in transit, the network carrying it is out of scope. What they fail to consider are the encryption endpoints: the systems where the data is encrypted and decrypted, and any system that holds the keys, are always in scope. The QSA has to check compliance at the sending and receiving ends, not only on the medium connecting the two.

Applications

All applications that store, process or transmit cardholder data are in scope for PCI DSS. However, there is still much confusion about the various components related to these applications, which makes it hard to determine whether they fall within scope. To reduce this confusion, organizations increasingly rely on the documentation supplied with vendor application packages, which helps them understand the cardholder data flow. Although PA-DSS implementation guides have been a big help in obtaining such data flow diagrams, there are still many payment applications that do not supply them.

Another source of confusion arises when two application packages are integrated with each other. It is then hard to determine whether the cardholder data is in readable form or encrypted as it passes between them. Moreover, the integration consoles are typically browser-based and anyone on the network can reach them, so they should also be considered in scope for PCI DSS.

How to Reduce the Scope of PCI DSS?

Reducing scope makes PCI DSS compliance easier to achieve. The following approaches help reduce PCI scope.

Network Segmentation

Network segmentation is the most effective way to reduce PCI compliance scope. Cardholder data is isolated from the rest of the network, either logically, through a firewall or a router with restrictive access control lists, or by physically separating the networks. If no segmentation is applied, the entire network falls within the PCI DSS assessment scope. The segmentation must be strict enough that the compromise of an out-of-scope system cannot affect the security of the cardholder data; a segment that can reach the CDE through a permissive "any/any" rule is not segmented. If network segmentation is used to limit the scope of PCI DSS, the QSA must verify that it actually serves this purpose, which includes penetration testing of the segmentation controls.

Tokenization

Tokenization replaces a sensitive value with a surrogate value, the token, that has no exploitable meaning or value outside the tokenization system. With tokenization, the Primary Account Number (PAN) of a card is replaced by a token that poses no threat to the cardholder data even if it falls into the hands of a malicious individual, because the token cannot be converted back into the PAN without access to the tokenization system.

The difference between tokenization and conventional encryption is that with encryption the sensitive data is transformed into ciphertext that is stored in place of the original, and anyone holding the key can reverse it. With tokenization, a substitute value is returned instead of the original data; the token is only a reference to the actual PAN (usually stored in encrypted form) in the card data vault, and there is no key that turns a token back into a PAN. Tokenization and de-tokenization should take place only within a well-defined system consisting of approved applications.

How Does Tokenization Work?

  • The user or application accesses the tokenization system and authenticates by providing its credential (for example a PIN).
  • The application passes along the PAN together with the credential for verification.
  • The tokenization system checks the credential.
  • If the credential is not valid, the tokenization process terminates.
  • If the credential is valid, a new token is generated for the PAN and the token-to-PAN mapping is stored in the card data vault.
  • The generated token is sent back.

How Does De-tokenization Work?

  • The user or application accesses the tokenization system and authenticates by providing its credential (for example a PIN).
  • The application passes along the token together with the credential for verification.
  • The tokenization system checks the credential.
  • If the credential is not valid, the de-tokenization process terminates.
  • If authentication succeeds, the card data vault is searched for the record matching the token and the PAN is retrieved.
  • The tokenization system then returns the PAN retrieved in the previous step.
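The two flows above, and the scope argument that follows them, as an added example: a toy tokenization system with a card data vault, written in Python. It is not code from the original article or from any tokenization vendor. Assumptions made for the example: the calling application authenticates with a shared secret rather than a PIN, each application has an allowed set of operations so that only the settlement application may de-tokenize, and the vault is an in-memory dictionary standing in for an encrypted store inside the CDE.

```python
import hmac
import secrets
from hashlib import sha256


class TokenizationError(Exception):
    """Raised when authentication, authorization or vault lookup fails."""


class TokenizationSystem:
    """Toy tokenization system (example code, not a product).

    The card data vault is an in-memory dict mapping token -> PAN. A real vault
    would keep the PAN encrypted under keys held in an HSM and live inside the
    CDE; the applications that only ever hold tokens stay outside it.
    """

    def __init__(self, apps: dict[str, tuple[str, set[str]]]):
        # app_id -> (sha256 of the shared secret, operations the app may perform)
        self._apps = {
            app: (sha256(secret.encode()).digest(), frozenset(ops))
            for app, (secret, ops) in apps.items()
        }
        self._vault: dict[str, str] = {}    # token -> PAN
        self._by_pan: dict[str, str] = {}   # PAN -> token, so one PAN gets one token

    def _authorize(self, app_id: str, secret: str, operation: str) -> None:
        """Authenticate the calling application and check it may perform operation."""
        entry = self._apps.get(app_id)
        if entry is None:
            raise TokenizationError("unknown application")
        digest, allowed = entry
        if not hmac.compare_digest(digest, sha256(secret.encode()).digest()):
            raise TokenizationError("authentication failed")
        if operation not in allowed:
            raise TokenizationError(f"{app_id} may not {operation}")

    def tokenize(self, app_id: str, secret: str, pan: str) -> str:
        """Return the token for pan, creating and vaulting a new one if needed."""
        self._authorize(app_id, secret, "tokenize")
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise TokenizationError("value is not a PAN")
        if pan in self._by_pan:
            return self._by_pan[pan]
        # Random, unguessable token; the last four digits are kept for receipts.
        # The "TKN-" prefix makes the token distinguishable from a real PAN.
        while True:
            token = f"TKN-{secrets.token_hex(6)}-{pan[-4:]}"
            if token not in self._vault:
                break
        self._vault[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, app_id: str, secret: str, token: str) -> str:
        """Return the PAN for token; only applications allowed to detokenize may call this."""
        self._authorize(app_id, secret, "detokenize")
        pan = self._vault.get(token)
        if pan is None:
            raise TokenizationError("unknown token")
        return pan


# Constructed deployment: the POS may only tokenize, settlement may also detokenize.
APPS = {
    "pos": ("pos-shared-secret", {"tokenize"}),
    "settlement": ("settle-shared-secret", {"tokenize", "detokenize"}),
}
TEST_PAN = "4111111111111111"  # well-known test number, not a real card


def demo() -> dict:
    """Run a tokenize / de-tokenize round trip and report what each party can see."""
    ts = TokenizationSystem(APPS)
    token = ts.tokenize("pos", "pos-shared-secret", TEST_PAN)
    pos_can_detokenize = True
    try:
        ts.detokenize("pos", "pos-shared-secret", token)
    except TokenizationError:
        pos_can_detokenize = False
    return {
        "token": token,
        "token_repeats": ts.tokenize("pos", "pos-shared-secret", TEST_PAN) == token,
        "pan_in_token": TEST_PAN in token,
        "pos_can_detokenize": pos_can_detokenize,
        "settlement_recovers": ts.detokenize("settlement", "settle-shared-secret", token) == TEST_PAN,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The token is random rather than derived from the PAN, so there is no key whose loss would let an attacker reverse it; the only way back to the PAN is an authorized call to the vault. Keeping the de-tokenize permission off the POS is what lets the POS and the systems around it argue for a smaller CDE.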

How does Tokenization help reduce PCI DSS Scope?

  • A token cannot be turned back into the actual data value without access to the tokenization system. Token and data value are related only by a reference held in the card data vault. If tokens are accessed by an outsider, they pose no threat to the organization, provided the tokens themselves cannot be used to initiate a payment (tokens that can, so-called high-value tokens, must be protected like PANs). The actual encrypted data is kept in a centralized data vault and the token is only a representation of it. Whenever an application needs the sensitive cardholder data, it has to request it through the tokenization process.
  • With tokenization, fewer systems need cryptographic keys. With fewer places where a key can be compromised, the PCI DSS scope can be reduced. However, if tokens are generated with cryptographic keys (for example by encrypting or keyed-hashing the PAN), those keys must be managed securely, since their compromise means the tokens can be reversed.
  • In the tokenization process, the original or encrypted form of the cardholder data is stored only in the vault and is never exposed to the applications that hold tokens; those applications, and the systems around them, can then be kept outside the CDE.