Scope and Cardholder Data

Jun 16, 2024

Introduction

  • Presenter: PE, Practice Leader at Shelman
  • Topic: Understanding scope even if not handling cardholder data directly

Common Scenarios

E-commerce Platforms

  • Implementing a payment iframe or redirect:
    • Not handling cardholder data directly
    • Not transmitting, storing, or processing cardholder data
    • Scope: the payment page scripts still need the protections found in SAQ-A
    • Steps to determine scope:
      • Identify the scripts
      • Understand their function
      • Determine the integrity controls
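As an added example, not taken from the presentation, here is one way to operationalise the three scoping steps for a checkout page: an approved-script inventory that records each script's function and a Subresource Integrity (SRI) hash of its approved body, and an audit that flags any script on the page that is not inventoried, has no integrity attribute, or carries a hash that differs from the inventory. The hosts, script bodies and page are constructed for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sri_hash(content: bytes) -> str:
    """Subresource Integrity value (sha384, base64) for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode("ascii")
# Steps 1-3 for a constructed checkout page: each script is identified, its function
# recorded, and its integrity control (an SRI hash of the approved body) pinned.
INVENTORY = {
    "https://psp.example/checkout.js": {
        "purpose": "loads the hosted payment iframe",
        "integrity": sri_hash(b"window.psp = {mount: function () {}};")},
    "https://cdn.example/analytics.js": {
        "purpose": "page analytics",
        "integrity": sri_hash(b"console.log('page view');")},
}

class _ScriptCollector(HTMLParser):
    """Collects (src, integrity) for every external <script> on a page."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))

def audit_payment_page(html: str, inventory: dict) -> list:
    """Return (src, finding) pairs for scripts that break the inventory rules;
    an empty list means every external script is approved and pinned by SRI."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src, integrity in parser.scripts:
        entry = inventory.get(src)
        if entry is None:
            findings.append((src, "not in approved inventory"))
        elif integrity is None:
            findings.append((src, "missing integrity attribute"))
        elif integrity != entry["integrity"]:
            findings.append((src, "integrity attribute does not match inventory"))
    return findings

# Constructed page: one pinned script, one approved but unpinned, one unlisted.
SAMPLE_PAGE = f"""<script src="https://psp.example/checkout.js" crossorigin="anonymous"
  integrity="{INVENTORY['https://psp.example/checkout.js']['integrity']}"></script>
<script src="https://cdn.example/analytics.js"></script>
<script src="https://third-party.example/unlisted.js"></script>"""
```

Running `audit_payment_page(SAMPLE_PAGE, INVENTORY)` reports the unpinned analytics script and the unlisted third-party script; the inventory itself is the evidence for the "identify" and "understand" steps.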

Software Development

  • Developing software for other organizations:
    • Not directly handling cardholder data
    • Writing software that interacts with environments that handle cardholder data
    • Compliance: demonstrate the software updates that support the client's compliance

Managed Security Service Providers

  • Functions: vulnerability scanning, patching:
    • Authenticate to environments containing cardholder data
    • Do not need a full PCI DSS compliance assessment
    • Impact: must understand how their activities affect cardholder data security

Key Takeaway

  • Even when not handling cardholder data, understanding the impact on its security is crucial for determining PCI DSS scope
  • Scope is nuanced; it is not one-size-fits-all

Conclusion

  • Encouragement to reach out for help with understanding scope

Contact

  • Shelman: Available to answer questions and assist