Professional Documents
Culture Documents
Pci Dss v3 - 2 - 1 Roc s3 Scope of Work
Pci Dss v3 - 2 - 1 Roc s3 Scope of Work
As noted in PCI DSS, v3.2.1 – “At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of their PCI DSS scope by
identifying all locations and flows of cardholder data, and identify all systems that are connected to or if compromised could impact the CDE (e.g. authentication
servers) to ensure they are included in the PCI DSS scope.”
Note – additional reporting has been added below to emphasize systems that are connected to or if compromised could impact the CDE.
Describe the methods or processes (for example, the specific types of tools,
observations, feedback, scans, data flow analysis) used to identify and
document all existences of cardholder data (as executed by the assessed
entity, assessor or a combination):
Describe the methods or processes (for example, the specific types of tools,
observations, feedback, scans, data flow analysis) used to verify that no
cardholder data exists outside of the defined CDE (as executed by the
assessed entity, assessor or a combination):
Describe how the results of the methods/processes were documented (for
example, the results may be a diagram or an inventory of cardholder data
locations):
Describe how the results of the methods/processes were evaluated by the
assessor to verify that the PCI DSS scope of review is appropriate:
Note – the response must go beyond listing the activities that the assessor
performed to evaluate the results of the methods/processes; the assessor
must also include details regarding the results of the outcome of those
activities that gave the assessor the level of assurance that the scope is
appropriate.
Describe why the methods (for example, tools, observations, feedback, scans,
data flow analysis, or any environment design decisions that were made to
help limit the scope of the environment) used for scope verification are
considered by the assessor to be effective and accurate:
Provide the name of the assessor who attests that the defined CDE and scope
of the assessment has been verified to be accurate, to the best of the
assessor’s ability and with all due diligence:
Other details, if applicable:
PCI DSS Template for Report on Compliance, Appendix D: Segmentation and Sampling of Business Facilities/System Components June 2018
© 2018 PCI Security Standards Council, LLC. All Rights Reserved. Page 1
3.2 Cardholder Data Environment (CDE) overview
Provide an overview of the cardholder data environment encompassing the people, processes, technologies, and locations (for example, client’s
Internet access points, internal corporate network, processing connections).
PCI DSS Template for Report on Compliance, Appendix D: Segmentation and Sampling of Business Facilities/System Components June 2018
© 2018 PCI Security Standards Council, LLC. All Rights Reserved. Page 2
- Describe how it was verified that the segmentation is functioning as
intended
Note – the response must go beyond listing the activities that the
assessor performed and must provide specific details regarding how
segmentation is functioning as intended.
- Identify the security controls that are in place to ensure the integrity of
the segmentation mechanisms (e.g., access controls, change
management, logging, monitoring, etc.).
- Describe how it was verified that the identified security controls are in
place
Note – the response must go beyond listing the activities that the
assessor performed and must provide specific details of what the
assessor observed to get the level of assurance that the identified
security controls are in place.
Provide the name of the assessor who attests that the segmentation was
verified to be adequate to reduce the scope of the assessment AND that the
technologies/processes used to implement segmentation were included in the
PCI DSS assessment.
PCI DSS Template for Report on Compliance, Appendix D: Segmentation and Sampling of Business Facilities/System Components June 2018
© 2018 PCI Security Standards Council, LLC. All Rights Reserved. Page 3
3.4 Network segment details
Describe all networks that store, process and/or transmit CHD:
Network Name
Function/ Purpose of Network
(in scope)
Describe all networks that do not store, process and/or transmit CHD, but are still in scope (e.g., connected to the CDE or provide
management functions to the CDE):
Network Name
Function/ Purpose of Network
(in scope)
Network Name
Function/ Purpose of Network
(out of scope)
PCI DSS Template for Report on Compliance, Appendix D: Segmentation and Sampling of Business Facilities/System Components June 2018
© 2018 PCI Security Standards Council, LLC. All Rights Reserved. Page 4
3.5 Connected entities for payment processing and transmission
Complete the following for connected entities for processing and/or transmission. If the assessor needs to include additional reporting for the specific
brand and/or acquirer, it can be included either here within 3.5 or as an appendix at the end of this report. Do not alter the Attestation of Compliance
(AOC) for this purpose.
3.6 Other business entities that require compliance with the PCI DSS
Entities wholly owned by the assessed entity that are required to comply with PCI DSS:
(This may include subsidiaries, different brands, DBAs, etc.)
Reviewed:
Wholly Owned Entity Name
As part of this assessment Separately
International entities owned by the assessed entity that are required to comply with PCI DSS:
Country
List all countries where the entity conducts business.
(If there are no international entities, then the country where the
assessment is occurring should be included at a minimum.)
PCI DSS Template for Report on Compliance, Appendix D: Segmentation and Sampling of Business Facilities/System Components June 2018
© 2018 PCI Security Standards Council, LLC. All Rights Reserved. Page 5
3.7 Wireless summary
Indicate whether there are wireless networks or technologies in use (in or
out of scope), (yes/no)
If “no,” describe how the assessor verified that there are no wireless
networks or technologies in use.
If “yes,” indicate whether wireless is in scope (i.e. part of the CDE,
connected to or could impact the security of the cardholder data
environment), (yes/no):
This would include:
Wireless LANs
Wireless payment applications (for example, POS terminals)
All other wireless devices/technologies
PCI DSS Template for Report on Compliance, Appendix D: Segmentation and Sampling of Business Facilities/System Components June 2018
© 2018 PCI Security Standards Council, LLC. All Rights Reserved. Page 6