Transcript for:
Scope and Cardholder Data

We often get asked, "What is my scope if I don't handle cardholder data?"

Hello, I'm so PE, a practice leader here at Schellman, and I'm here to talk about scope even if you don't handle cardholder data directly.

Common examples are someone who's implementing an iframe or redirect as part of an e-commerce platform. Well, true, they're not handling cardholder data, in the sense that they're not transmitting it, they're sure not storing it, and they're definitely not processing it. So what is their scope? Those payment scripts do require protections, and these can be found in SAQ A. To break it down, you have to know what they are, what their function is, why they're there, and then identify what integrity controls are placed upon them. Now, those are future-dated controls, but you get an idea of why they're there.

Another great example would be someone who's performing bespoke software development on behalf of another organization. So I'm not the one who's handling the cardholder data, but I'm the one who's writing the software which lives there. Case in point: I need to show that I am updating this software to help them fulfill their compliance needs.

Last, when we think about managed security service providers, some of these are performing functions like vulnerability scanning and patching. If they authenticate to the environment where cardholder data is housed, well, they don't need a full PCI DSS compliance assessment of their own, but we do need to know how they can impact cardholder data.

Even if you don't handle cardholder data, looking at how you can impact the security of cardholder data, even in someone else's environment, can usually bring you into scope for PCI DSS. There's a lot of nuance here, and scope is not one size fits all. So if you have questions, come talk to us. We'd love to help.
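The iframe/redirect case above turns on knowing which payment-page scripts you load, why each is there, and what integrity control sits on it. The following is an added example, not code from the transcript or from Schellman: it keeps a script inventory (URL, documented purpose, approved SHA-384 digest), emits the tag with a Subresource Integrity attribute, and audits a served page for scripts that are missing from the inventory or whose integrity value no longer matches. Every URL, script body and page in it is constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed stand-ins for the reviewed script bodies; in practice these
# are the exact files fetched from the provider at approval time.
APPROVED_SCRIPTS = {
    "https://psp.example/checkout.js": (
        "loads the PSP-hosted iframe that captures the card number",
        b"/* constructed: PSP iframe loader */",
    ),
    "https://cdn.example/analytics.js": (
        "page analytics; must never read the card iframe",
        b"/* constructed: analytics beacon */",
    ),
}


def sri_hash(content: bytes) -> str:
    """Subresource Integrity value for a script body: sha384-<base64 digest>."""
    digest = hashlib.sha384(content).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def build_inventory(approved: dict) -> dict:
    """One inventory entry per script: documented purpose plus approved digest."""
    return {
        url: {"purpose": purpose, "integrity": sri_hash(body)}
        for url, (purpose, body) in approved.items()
    }


def render_script_tag(url: str, inventory: dict) -> str:
    """Emit the tag with its integrity attribute so the browser refuses a
    modified copy; crossorigin is required for SRI on cross-origin scripts."""
    entry = inventory[url]
    return (f'<script src="{url}" integrity="{entry["integrity"]}" '
            f'crossorigin="anonymous"></script>')


class _ScriptCollector(HTMLParser):
    """Collects the attributes of every <script> start tag on a page."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))


def audit_payment_page(html: str, inventory: dict) -> list:
    """Compare every <script> on a served page against the inventory.
    Returns one finding per deviation; an empty list means the page matches."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.scripts:
        src = attrs.get("src")
        if src is None:
            findings.append({"src": None, "issue": "inline script with no inventory entry"})
        elif src not in inventory:
            findings.append({"src": src, "issue": "script not in inventory; no documented purpose"})
        elif attrs.get("integrity") != inventory[src]["integrity"]:
            findings.append({"src": src, "issue": "integrity attribute missing or differs from approved digest"})
    return findings


INVENTORY = build_inventory(APPROVED_SCRIPTS)

# Constructed page as served: one good tag, one tag whose digest no longer
# matches (the file changed after review), and one script nobody inventoried.
SAMPLE_PAGE = f"""
<html><body>
{render_script_tag("https://psp.example/checkout.js", INVENTORY)}
<script src="https://cdn.example/analytics.js"
        integrity="{sri_hash(b'/* constructed: analytics beacon v2 */')}"
        crossorigin="anonymous"></script>
<script src="https://unknown.example/extra.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_payment_page(SAMPLE_PAGE, INVENTORY):
        print(finding)
```

Run against the constructed page, the audit reports two findings: the analytics script whose digest drifted after review and the un-inventoried script. The inventory entry's `purpose` field is what answers the "why is it there" question during an assessment; the `integrity` field is the control that stops a silently changed copy from executing in the customer's browser.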