Security Blog

The scope of PCI-DSS universe

We cannot teach people anything; we can only help them discover it within themselves. [Galileo Galilei, Father of modern science]

What Galileo Galilei wrote in the Dialogue Concerning the Two Chief World Systems, which laid out the differences and overlaps between the Ptolemaic and Copernican systems, is food for thought when reading the latest information supplement that the PCI SSC published in December:

Guidance for PCI DSS Scoping and Network Segmentation.

Finally, some light is shed on the scoping exercise, especially considering that the Open PCI DSS Scoping Toolkit has never been recognised as an official document and is somewhat outdated (its latest release dates from 2012).

The information supplement provides advice and a structured approach for deciding what must be considered in scope for PCI DSS, what can be considered out of scope, and how scope can be reduced.

Particularly interesting is the case of the workstation used to connect to a jump host, which in turn connects to the CDE.

I will not dig too deeply into the details of the case, since it is already well described in the information supplement. I will, however, reproduce the picture from the document below:

Jump Server to CDE

Is the ADMIN WS in scope, or isn't it? Why? Which PCI DSS requirements would apply to it, and why?
