Volume 2 - PCI DSS Scoping (PCI DSS 4.0 edition)

  • 2.1 Volume Introduction
  • 2.2 Scoping
  • 2.3 It all starts with data
  • 2.4 PCI DSS Scoping explained
  • 2.5 Scoping categories
    • 2.5.1 First Category: CDE systems
      • 2.5.1.1 CDE/CHD
      • 2.5.1.2 CDE/Contaminated
    • 2.5.2 Second category: Segmenting (previously called CDE/Segmenting)
      • 2.5.2.1 CDE and Segmenting system analogies
    • 2.5.3 Third category: Connected systems
      • 2.5.3.1 Connected/Security
      • 2.5.3.2 Connected/Communicating Systems
      • 2.5.3.3 Connected/Indirectly
    • 2.5.4 Fourth category: Out-of-scope systems
    • 2.5.5 Categories Summary
    • 2.5.6 Scope Identification approach and Scope Documentation
    • 2.5.7 PCI Resources Simplified PCI DSS Scoping Model and Approach
    • 2.5.8 Comparison to the PCI SSC Scoping Guidance
    • 2.5.9 Comparison to the OPST
  • 2.6 Scope Reduction Methods
    • 2.6.1 Outsourcing to third-party service providers
    • 2.6.2 PAN Transformations
      • 2.6.2.1 Truncation (and Masking)
      • 2.6.2.2 Tokenization
    • 2.6.3 Segmentation (Network vs Non-Network)
    • 2.6.4 Encryption
      • 2.6.4.1 The PCI DSS FAQ on Encryption
      • 2.6.4.2 Use of P2PE solutions
    • 2.6.5 Refactoring
  • 2.7 Advanced Scoping
    • 2.7.1 eCommerce and Mobile
      • 2.7.1.1 eCommerce Scoping - URL Redirects
      • 2.7.1.2 eCommerce Scoping - iFrame
      • 2.7.1.3 eCommerce Scoping - Direct Post Method (DPM)
      • 2.7.1.4 eCommerce Scoping - JavaScript Form
      • 2.7.1.5 eCommerce Scoping - Application Programming Interface (API)
      • 2.7.1.6 Mobile payment devices as terminal
    • 2.7.2 Virtualization and Cloud
      • 2.7.2.1 Virtualization Concepts
      • 2.7.2.2 Hardware (native) vs Software (hosted) virtualization
      • 2.7.2.3 Operating-system-level (Container) virtualization
      • 2.7.2.4 Security considerations in the 2018 Cloud Computing information supplement
      • 2.7.2.5 Cloud Computing
      • 2.7.2.6 Serverless computing (or Function as a Service, FaaS)
    • 2.7.3 Complex Virtualization Cases
      • 2.7.3.1 Converged Infrastructure
      • 2.7.3.2 Software-Defined Networking (SDN) and virtualized networks
      • 2.7.3.3 Micro-segmentation
    • 2.7.4 Scope of Remote desktop solutions?
    • 2.7.5 Scope of Emails and Instant Messaging Solutions
    • 2.7.6 Non-covered technologies
  • End Notes - Volume 2