While the Payment Card Industry (PCI) Data Security Standard (DSS) arguably does a better job than most standards in defining scope, there is one part of the DSS that needs to be clarified. The DSS determines scope in terms of “system components,” which it defines as follows.
The PCI DSS security requirements apply to all system components. In the context of PCI DSS, “system components” are defined as any network component, server, or application that is included in or connected to the cardholder data environment. “System components” also include any virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors. The cardholder data environment is comprised of people, processes and technology that store, process or transmit cardholder data or sensitive authentication data. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include, but are not limited to the following: web, application, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (for example, Internet) applications. (emphasis mine)
Thus, a “system component” is part of the cardholder data environment (CDE) if either of the following conditions is met:
(1) the system component stores, processes, or transmits cardholder data, or
(2) the system component is “connected” to another system component that does satisfy condition (1).
The DSS does not explicitly say what condition (2) means, however. The purpose of this post is to fill that gap by interpreting (2).
For purposes of interpreting the PCI DSS, a system component satisfies condition (2) if any of the following apply:
(a) The system component is on the same VLAN as a system component that stores, processes, or transmits cardholder data,
(b) The system component provides a security-related service for a system component that stores, processes, or transmits cardholder data.
Examples of security and security-related services include, but are not limited to:
- DNS server (cf. req. 2.2.1),
- key management server (cf. req. 3.5-3.6),
- anti-virus software management server (cf. req. 5),
- web application vulnerability scanner (cf. req. 6.6),
- identity and access management servers (such as Active Directory, LDAP, RADIUS, TACACS, etc.) (cf. requirements 7 and 8),
- centralized logging (cf. req. 10),
- NTP or other synchronized time server (cf. req. 10),
- network- or infrastructure-based vulnerability scanner (cf. req. 11.2),
- network IDS/IPS (cf. requirement 11.4),
- host-based IDS management console (cf. requirement 11.4), and
- file integrity monitoring management server (cf. requirement 11.5).
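To make tests (a) and (b) mechanical, here is an added example (not code from the original post) that applies condition (1) and then (2a)/(2b) to a constructed component inventory and reports why each component is in scope; the hostnames, VLAN names and service-type keys are assumptions.

```python
from dataclasses import dataclass, field

# Security-related service types taken from the post's list, with the requirement refs it cites.
SECURITY_SERVICES = {
    "dns": "req. 2.2.1", "key-management": "req. 3.5-3.6", "av-management": "req. 5",
    "webapp-scanner": "req. 6.6", "iam": "req. 7-8", "logging": "req. 10", "ntp": "req. 10",
    "vuln-scanner": "req. 11.2", "ids-ips": "req. 11.4", "hids-console": "req. 11.4",
    "fim": "req. 11.5",
}

@dataclass
class Component:
    name: str
    vlan: str
    handles_chd: bool = False                      # condition (1): stores/processes/transmits CHD
    services: dict = field(default_factory=dict)   # service type -> names of components it serves

def cde_scope(inventory):
    """Map each in-scope component name to the reasons it is in scope; out-of-scope names are absent.

    Condition (2) is evaluated only against condition-(1) components, as the post defines it,
    so scope does not chain through components that are themselves in scope only via (2).
    """
    chd_names = {c.name for c in inventory if c.handles_chd}
    chd_vlans = {c.vlan for c in inventory if c.handles_chd}
    reasons = {}
    for c in inventory:
        if c.handles_chd:
            reasons[c.name] = ["(1) stores, processes or transmits CHD"]
            continue
        why = []
        if c.vlan in chd_vlans:                                   # test (a)
            why.append(f"(2a) shares VLAN {c.vlan!r} with a CHD component")
        for svc, consumers in c.services.items():                 # test (b)
            served = sorted(chd_names & set(consumers))
            if svc in SECURITY_SERVICES and served:
                why.append(f"(2b) provides {svc} ({SECURITY_SERVICES[svc]}) to {', '.join(served)}")
        if why:
            reasons[c.name] = why
    return reasons

# Constructed sample inventory (hypothetical hostnames and VLANs, not from the post).
INVENTORY = [
    Component("pos-terminal", "cde", handles_chd=True),
    Component("payment-db", "cde", handles_chd=True),
    Component("jump-host", "cde"),                                                # in via (2a)
    Component("ad-dc", "mgmt", services={"iam": ["pos-terminal", "hr-app"]}),     # in via (2b)
    Component("syslog", "mgmt", services={"logging": ["payment-db", "jump-host"]}),  # in via (2b)
    Component("print-server", "mgmt", services={"printing": ["payment-db"]}),    # not security-related
    Component("hr-app", "corp"),                                                  # other VLAN, no service
]

if __name__ == "__main__":
    for name, why in cde_scope(INVENTORY).items():
        print(f"{name}: {'; '.join(why)}")
```

The print server stays out of scope under the post's criteria because printing is not one of the security-related services in (b), which is the kind of judgement call a scoping review has to record.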
If the above analysis is correct, I think this eliminates most of the ambiguity in defining the scope of the Cardholder Data Environment (CDE).
In my opinion, the one remaining ambiguous element in all of this is the word “processing.” I think there are two reasonable ways to interpret the word “processing.” (1) “Processing,” in what we might call the ‘computer science’ sense of the word, means the CPU of a system component performs some sort of operation on or with the data. (2) In what we might call the ‘financial’ sense of the word, “processing” means the system component performs a transaction on one or more Personal Account Numbers (PANs), such as taking a payment, issuing a credit, making an inquiry, and so forth. In my opinion, there isn’t sufficient evidence to favor one interpretation over the other. The PCI Security Standards Council hasn’t published any guidance that clarifies which of these two approaches is the correct or intended method.