The PCI Security Standards Council provides concrete direction:
“At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of its PCI DSS scope by identifying all locations and flows of cardholder data, and identify all systems that are connected to or, if compromised, could impact the CDE (for example, authentication servers) to ensure they are included in PCI DSS scope.”
The documentation that supports this scoping process should include your internal vulnerability and discovery scans, and those scans should cover your entire internal IP address range. This gives you an up-to-date inventory of the devices that are live on your network. Additionally, the Council's guidance states that you need to know how Cardholder Data (CHD) flows through the devices you just discovered; the Data Flow Diagram is the document that captures this. We recommend reviewing your data flow diagram and asset inventory quarterly for changes, along with your scanning documentation, to ensure that every newly discovered device has been validated as known and has a business purpose.
Lastly, let's take a quick look at "connected to" systems. "Connected to" systems are systems that do not process, transmit or store CHD but are connected to systems that do and, if compromised, would permit lateral movement into your CDE. The PCI Security Standards Council makes this an explicit distinction.
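The two checks described above (reconciling a discovery scan against the asset inventory, and deriving the CDE plus its "connected to" systems from the data flow diagram) can be scripted so the quarterly review is repeatable. The following is an added example, not code from the original post or from the PCI SSC; the hosts, the scanner export format and the flow list are constructed sample data, and the `handles_chd` attribute is an assumed inventory field.

```python
"""Reconcile a discovery scan with the asset inventory and derive PCI DSS scope.

Added example with constructed data; the IPs, names and CSV export format are
hypothetical and stand in for your own inventory and scanner output.
"""
import ipaddress

# Constructed asset inventory. 'handles_chd' is an assumed field marking hosts
# that store, process or transmit cardholder data (i.e. the CDE).
KNOWN_INVENTORY = {
    "10.10.1.10": {"name": "pos-app-01", "handles_chd": True},
    "10.10.1.11": {"name": "pay-db-01", "handles_chd": True},
    "10.10.1.12": {"name": "pos-app-02", "handles_chd": True},
    "10.10.2.20": {"name": "ad-dc-01", "handles_chd": False},
    "10.10.3.30": {"name": "hr-wiki-01", "handles_chd": False},
}

# Constructed discovery-scan export: one "ip,status" line per probed address.
DISCOVERY_SCAN = """\
10.10.1.10,up
10.10.1.11,up
10.10.1.12,down
10.10.2.20,up
10.10.3.30,up
10.10.9.99,up
not-an-ip,up
"""

# Constructed flows (src, dst, description) transcribed from a data flow diagram.
FLOWS = [
    ("10.10.1.10", "10.10.1.11", "card authorization record"),
    ("10.10.1.10", "10.10.2.20", "Kerberos/LDAP authentication"),
    ("10.10.3.30", "10.10.2.20", "LDAP authentication"),
]


def parse_scan(text):
    """Return the set of live IPs in the scanner export; malformed lines are skipped."""
    live = set()
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 2:
            continue
        ip, status = parts
        try:
            ipaddress.ip_address(ip)  # drop junk such as hostnames or blank fields
        except ValueError:
            continue
        if status.strip().lower() == "up":
            live.add(ip)
    return live


def unknown_devices(live, inventory):
    """Live hosts with no inventory entry: each must be validated before the assessment."""
    return sorted(live - set(inventory))


def stale_inventory(live, inventory):
    """Inventory entries that did not answer the scan (decommissioned, or a scan gap)."""
    return sorted(set(inventory) - live)


def scope(inventory, flows):
    """CDE = hosts that handle CHD; 'connected to' = non-CHD hosts with a flow to or from a CDE host."""
    cde = {ip for ip, attrs in inventory.items() if attrs["handles_chd"]}
    connected = set()
    for src, dst, _desc in flows:
        if src in cde and dst not in cde:
            connected.add(dst)
        if dst in cde and src not in cde:
            connected.add(src)
    return {"cde": sorted(cde), "connected_to": sorted(connected)}


if __name__ == "__main__":
    live_hosts = parse_scan(DISCOVERY_SCAN)
    print("unknown devices:", unknown_devices(live_hosts, KNOWN_INVENTORY))
    print("stale inventory:", stale_inventory(live_hosts, KNOWN_INVENTORY))
    print("scope:", scope(KNOWN_INVENTORY, FLOWS))
```

With the constructed data, `10.10.9.99` surfaces as a live host nobody has accounted for, `10.10.1.12` is listed but silent, and the domain controller lands in scope as a "connected to" system because a CDE host authenticates against it, while the HR wiki stays out of scope even though it talks to that same domain controller. Both findings are exactly what the quarterly review is meant to catch.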
What are "Shared Services"?
