Scope and Cardholder Data

Introduction

• Presenter: PE, Practice Leader at Shelman
• Topic: Understanding scope even if not handling cardholder data directly

Common Scenarios

E-commerce Platforms

• Implementing iframe or redirect:
  • Not handling cardholder data directly
  • Not transmitting, storing, or processing data
  • Scope: Payment scripts need protections found in SAQ-A
  • Steps to determine scope:
    • Identify scripts
    • Understand their function
    • Determine Integrity controls

Software Development

• Developing software for other organizations:
  • Not directly handling cardholder data
  • Writing software that interacts with environments handling cardholder data
  • Compliance: Show updates to help client's compliance

Managed Security Service Providers

• Functions: Vulnerability scanning, patching:
  • Authenticate to environments with cardholder data
  • Do not need full PCI DSS compliance assessment
  • Impact: Understand how they affect cardholder data security

Key Takeaway

• Even if not handling cardholder data, understanding impact on its security is crucial for PCI DSS scope
• Scope is nuanced; not one-size-fits-all

Conclusion

• Encouragement to reach out for help with understanding scope

Contact

• Shelman: Available to answer questions and assist