Scoping and Documentation
The accurate Scoping and Documentation of Cardholder Data Environments is critical to a project's success.
Any system that stores, processes or transmits Card Holder Data post-authorisation is in scope for PCI DSS v1.2. This applies also to any 3rd party, contractor or Service Provider whom may have access to such systems (directly or indirectly), or manage all or part of a Cardholder Data Environment.
Flat networks are a common find for a Qualified Security Asessor (QSA) and even systems not involved with Cardholder Data will end up 'in scope' if they are physically, logically or remotely connected to a Cardholder Data Environment.
It is important to consider all possibilities and uncover all parts of a business that may be, or have been, involved with Cardholder Data.
Blackfoot do this through Scoping workshops in order to obtain:
- Business role with payment cards
- Network diagrams
- Maps of Cardholder Data flow
- Description of Cardholder Data Environment/li>
- Details of wireless networks
- List of 3rd parties and service providers involved with cardholder data
- Details of pre- and post-authorisation processes