PCI Resources
A structured approach to the PCI standards

PCI DSS Book Volume 2 - PCI DSS Scoping

Table of Contents

Book Series

    Book Series Introduction
    Book Series Acknowledgments

Volume 2 - PCI DSS Scoping

    2.1 Volume Introduction
    2.2 Scoping
    2.3 It all starts with data
    2.4 PCI DSS Scoping explained
    2.5 Scoping categories
        2.5.1 First Category: CDE systems
            2.5.1.1 CDE/CHD
            2.5.1.2 CDE/Contaminated
            2.5.1.3 CDE/Segmenting
            2.5.1.4 CDE system analogies
        2.5.2 Second category: Connected systems
            2.5.2.1 Connected/Security
            2.5.2.2 Connected Systems
            2.5.2.3 Indirectly Connected
        2.5.3 Third category: Out-of-scope systems
        2.5.4 Categories Summary
        2.5.5 Scope Identification approach and Scope Documentation
    2.6 Scope Reduction Methods
        2.6.1 Outsourcing to third-party service providers
        2.6.2 Network Segmentation
        2.6.3 PAN Transformations
            2.6.3.1 Truncation (and Masking)
            2.6.3.2 Tokenization
        2.6.4 Encryption
            2.6.4.1 The PCI DSS FAQ on Encryption
            2.6.4.2 Use of P2PE solutions
        2.6.5 Remote Desktop solutions - One or two steps removed?
    2.7 Advanced Scoping
        2.7.1 Virtualization
            2.7.1.1 Virtualization Concepts
            2.7.1.2 Hardware vs. Software virtualization
            2.7.1.3 Operating-system-level (Container) virtualization
            2.7.1.4 Security considerations in the Cloud Computing information supplement
        2.7.2 Cloud Computing
        2.7.3 Non-covered technologies
    2.8 Networking Primer
        2.8.1 The Open Standards Interconnect (OSI) network model
        2.8.2 TCP/IP
        2.8.3 IPv4 Networks
        2.8.4 TCP/IP Protocol Examples
            2.8.4.1 Ping and traceroute
            2.8.4.2 Hypertext Transfer Protocol (HTTP)
            2.8.4.3 File Transfer Protocol (FTP)
        2.8.5 Network Segmentation Requirements for PCI DSS

Figures List

    Figure 1 - Rendering of Credit Card (Front)
    Figure 2 - Rendering of Credit Card (Back)
    Figure 3 - Sample business process diagram
    Figure 4 - Sample cardholder dataflow diagram
    Figure 5 - Sample high-level network diagram (store chain)
    Figure 6 - Sample detailed network diagram (individual store)
    Figure 7 - Image of firewall and 3 network zones (including the CDE)
    Figure 8 - Physical scope reduction example
    Figure 9 - PCI Scope type diagram
    Figure 10 - PCI Scoping Type Decision tree
    Figure 11 - Native vs hosted virtualization
    Figure 12 - Virtual Machine re-entry
    Figure 13 - Virtualization simplest configuration example
    Figure 14 - Operating System level virtualization
    Figure 15 - PCI DSS Cloud Computing Guidelines - Appendix C
    Figure 16 - Cloud Level of control/responsibility for client and CSP across different service models
    Figure 17 - UDP packet reordering
    Figure 18 - HTTP communications through network layers
    Figure 19 - FTP protocol

Tables List

    Table 1 - PCI DSS data
    Table 2 - Classification Categories Summary
    Table 3 - RoC reporting template sections for scope documentation
    Table 4 - TCP/IP Model and OSI Layers
    Table 5 - Bank Card Numbers
    Table 6 - Example of how control may be assigned between CSP and clients across different service models
    Table 7 - The 7 OSI layers
    Table 8 - The TCP/IP vs OSI layers
    Table 9 - IPv4 Network Classes
    Table 10 - TCP/IP Model Summary

PCI DSS Glossary

    PCI DSS Glossary