What PCI Requirements Apply to Us: Tackling a Common PCI DSS Compliance Challenge
When it comes to PCI DSS (Payment Card Industry Data Security Standard) compliance assessments, scoping tends to be a major challenge for our clients. We normally break the scoping problem down into two parts:
- What system components are in scope for PCI DSS
- Which PCI DSS requirements apply to the system components
One aspect of scoping is determining which system components are part of, or connected to, the Cardholder Data Environment (CDE). The CDE normally includes any network component, server, or application that stores, processes, or transmits cardholder data.
The other aspect of scoping is determining which PCI DSS requirements apply to the system components identified in the CDE.
The following rule helps with identifying the scope:
PCI DSS applies wherever Account Data is stored, processed, or transmitted. Account Data consists of Cardholder Data plus Sensitive Authentication Data, as listed below:
- Account Data
  - Cardholder Data
    - Primary Account Number (PAN)
    - Cardholder Name
    - Expiration Date
    - Service Code
  - Sensitive Authentication Data
    - Full magnetic stripe data or equivalent on a chip
    - CAV2 / CVC2 / CVV2 / CID
    - PINs / PIN blocks
[Image: where each of these data elements is located on a physical payment card; taken from PCI-SSC’s document entitled “Payment Card Industry Data Security Standard — Navigating PCI DSS — Understanding the Intent of the Requirements”]
It is important to note that the defining factor in the applicability of PCI DSS requirements is the Primary Account Number (PAN), commonly known as the credit card number. If PAN is stored, processed, or transmitted, then all PCI DSS requirements apply.
Conversely, if PAN is not stored, processed, or transmitted anywhere in the environment, then no PCI DSS requirements apply.
If cardholder name, service code, and/or expiration date are stored, processed, or transmitted together with the PAN, or are otherwise present in the cardholder data environment, they must be protected in accordance with all PCI DSS requirements except Requirements 3.3 and 3.4, which apply only to PAN. Those two requirements cover masking PAN when it is displayed and rendering stored PAN unreadable (hashing or encryption).
Finally, as a general rule, none of the Sensitive Authentication Data may be stored in the environment at any time.
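As an added example (not part of the original article and not PCI SSC material), the Python below turns the applicability rule above into a checkable procedure over a constructed inventory of system components, and shows the two PAN-only controls the article mentions: masking PAN for display and rendering stored PAN unreadable. It also includes a Luhn check, which helps when inventorying data stores to find where PAN actually lives. The first-six/last-four masking convention, the use of a keyed HMAC for the one-way rendering, and all component and element names are assumptions of this example.

```python
"""Added example: the article's PCI DSS applicability rule as code, plus the
PAN-only controls (masking for display, rendering stored PAN unreadable)."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Account Data elements as the article enumerates them (labels are assumptions).
CARDHOLDER_DATA = {"PAN", "cardholder_name", "expiration_date", "service_code"}
SENSITIVE_AUTH_DATA = {"track_data", "CAV2/CVC2/CVV2/CID", "PIN/PIN_block"}


@dataclass
class Component:
    """One system component and the Account Data elements it handles."""
    name: str
    stored: set = field(default_factory=set)
    processed_or_transmitted: set = field(default_factory=set)

    def handles(self):
        return self.stored | self.processed_or_transmitted


def assess_environment(components):
    """Apply the article's rule to a whole environment.

    Returns {component name: (verdict, notes)}. The rule is environment-wide:
    if no component handles PAN, no requirement applies anywhere; otherwise
    each component is judged by what it handles. Storing any Sensitive
    Authentication Data is always flagged, regardless of PAN.
    """
    env_has_pan = any("PAN" in c.handles() for c in components)
    verdicts = {}
    for c in components:
        notes = []
        stored_sad = c.stored & SENSITIVE_AUTH_DATA
        if stored_sad:
            notes.append("stores Sensitive Authentication Data %s: not permitted"
                         % sorted(stored_sad))
        if not env_has_pan:
            verdict = "no PCI DSS requirements apply (no PAN in environment)"
        elif "PAN" in c.handles():
            verdict = "all PCI DSS requirements apply"
        elif c.handles() & CARDHOLDER_DATA:
            verdict = "all PCI DSS requirements except 3.3 and 3.4 apply"
        else:
            verdict = "no Account Data; in scope only if connected to the CDE"
        verdicts[c.name] = (verdict, notes)
    return verdicts


def luhn_valid(digits: str) -> bool:
    """Luhn check, used when inventorying data stores to separate likely PANs
    from other digit strings (assumption: PAN length 13 to 19 digits)."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Requirement 3.3 style masking for display: keep at most the first six
    and last four digits and mask the rest (display convention is an assumption)."""
    if len(pan) < 11:
        raise ValueError("too short to be a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def render_unreadable(pan: str, key: bytes) -> str:
    """Requirement 3.4 style one-way rendering of stored PAN. A keyed HMAC is
    used (assumption) because an unkeyed hash of a PAN, whose unmasked middle
    digits carry little entropy, is cheap to reverse by exhaustive guessing."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    # Constructed inventory: a web tier passing PAN through, a CRM holding only
    # names, and a POS that (wrongly) stores PIN blocks.
    inventory = [
        Component("web-frontend", processed_or_transmitted={"PAN", "expiration_date"}),
        Component("crm", stored={"cardholder_name"}),
        Component("pos-terminal", stored={"PIN/PIN_block"}, processed_or_transmitted={"PAN"}),
    ]
    for name, (verdict, notes) in assess_environment(inventory).items():
        print(f"{name}: {verdict}" + ("; " + "; ".join(notes) if notes else ""))
    sample = "4111111111111111"  # constructed, well-known Luhn-valid test number
    print(luhn_valid(sample), mask_pan(sample), render_unreadable(sample, b"demo-key")[:16])
```

The verdict strings are only labels; the useful part is that the decision is made per component but conditioned on whether PAN exists anywhere in the environment, which is the detail assessors most often get wrong when they evaluate components one at a time.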