We cannot teach people anything; we can only help them discover it within themselves. [Galileo Galilei, Father of modern science]
What Galileo Galilei wrote in the Dialogue on the Two Chief World Systems, which described differences and overlaps of Ptolemaic and Copernican systems, can be food for thought with the latest information supplement that the PCI SSC published in December:
Finally, a bit of light is shed on the scoping exercise, especially considering that the OPEN PCI DSS SCOPING TOOLKIT has never been recognized as an official document and is kind of outdated (latest release is from 2012).
The information supplement provides advices and a structured approach to what can be considered in scope for PCI DSS, what can be considered out-of-scope, as well as how to reduce scope.
Particularly interesting is the case related to the work station used to connect to a Jump Host that in turn connects to the CDE.
I will not dig too much into the details of the case, since it is already well described in the info supplement. I will however, provide a picture from the document as per below:
The ADMIN WS is in scope, or isn’t it? Why? Which PCI DSS requirement would eventually be applicable? And why?