PCI Scope: Getting It Wrong Can Be Explosive [Video]

May 16, 2016 • Published Categories Best Practices Tags , , ,

The Moving Target of PCI Scope

You’ve got a business to run, yet today’s threat landscape demands that you quickly address your business’s security weaknesses. Effectively addressing the business’s security needs involves isolating the environment that attackers could exploit. But how can you isolate the environment if its boundaries are unclear?

Accurately Analyzing Your Risk

When it comes to accurately analyzing your risk, understanding PCI scope is critical. This alone can be a daunting task.

PCI scope is the totality of how your organization’s people, processes and systems interact with PAN data (your customers’ 16-digit credit card numbers). Scope is a moving target because, as your organization grows and changes over time, so does your organization’s PCI scope.

During times of rapid change, it can be easy to lose track of your company’s PCI scope. Change includes allowing vendors, partners or clients to connect to your network; upgrading or changing to new systems; adding or losing employees; merging with or spinning off business units; a sudden spike or drop in business; and moving employees around within the organization.

There are times when a company has several of these internal changes happening at the same time and in all likelihood its scope has grown without anyone knowing how or where.

Defining the Boundaries

PAN data can end up being stored in or transiting through components of your infrastructure that no one ever suspected would even remotely touch it. That’s a problem because you can’t protect something you don’t even realize needs protecting, and you can’t properly assess risk if you’re not looking at where the risks are located.

This is where the value of a third-party IT risk assessment is apparent. An independent assessor finds the boundaries of your company’s scope and works with you to build your understanding of how your business processes impact that scope.

Watch the following short video to learn more about scope and the role of the IT risk assessment:


Need to get a better handle on your organization’s PCI scope?

ControlScan has the experts to help. Be sure to subscribe to this blog for additional tips and webinar announcements.

Leave a Comment