866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

Scoping Validation Requirements in PCI DSS 4.0: What’s Changed? Blog Feature
Jon Anderson

By: Jon Anderson

Print/Save as PDF

Scoping Validation Requirements in PCI DSS 4.0: What’s Changed?

Payment Card Assessments

When the state lines of America were drawn, many different elements came into play.

Things like natural geographic boundaries—the Connecticut, Ohio, and Colorado Rivers, for example—and manmade ones, like railroad construction, played parts. Some states even drew their own borders—California and Texas—and Congress just accepted them.

The point is, every State is a different shape that was decided by different things unique to its landscape and circumstances. The same is true for your PCI DSS scope. And just like state lines are respected and recognized, your scope must be validated.

But those who solidified said state lines were mapping a country—you are trying to stay in compliance. The process of carving out your scope has always been involved enough, but now we have v4.0 of the PCI DSS standard, and it has brought with it changes in how your scope is validated.

Defining, documenting, and communicating the scope and applicability of PCI DSS requirements continues to be a critical component of a successful assessment. What would help is understanding how you must now change your approach.

As a PCI Qualified Security Assessor, Schellman has performed over 150 DSS assessments in the last 12 months under version 3.2.1. More recently, we’ve dissected the new 4.0 version to understand the differences. Now, we want to pass on what we’ve learned to you.

In this article, we’ll redefine what is considered in scope under PCI DSS v4.0 and the changes to validation from the previous version, including new requirements for such. When you “map” your scoping exercise for your next DSS assessment, you’ll know exactly what the scoping requirements are, paving for a smoother way forward.

 

Changes to Scope Validation Under PCI DSS v4.0

Under PCI DSS 3.2.1, it’s recommended that you confirm your scope at least annually and before the start of the annual assessment. To this point, it’s only been a recommendation that you complete this scoping exercise, and validation of the scope you define has been solely your assessor’s responsibility.

Until now.

There have been two big changes to scoping validation in PCI DSS v4.0:

  • In PCI DSS 4.0, both the entity and the assessor now share the burden of validating scope.
  • New Requirement 12.5 has formalized scoping reviews as part of your annual assessment. 

What is Considered In-Scope Under PCI DSS?

This is a big shift. And now that you will share a required responsibility to validate your scope, you should understand what it means under PCI DSS. We’ll address that first.

The cardholder data environment (CDE) is the primary focus of PCI DSS scope, and is defined as:

  • System components; as well as
  • People or processes that process, store, or transmit any element of cardholder data (CHD) and/or sensitive authentication data (SAD)—these two are collectively known as account data. 

So then, what is cardholder data? Reviewing the existing definitions, its elements include:

  • Cardholder Name
  • Expiration Date
  • Primary Account Number (PAN): A unique identifier that identifies the issuer and the account of the cardholder. (Often also referred to as the account number.)
  • Service Code: A three or four-digit value contained within the card’s magnetic stripe following the expiration date of the card on the track data. That has multiple uses including defining usage restrictions and service attributes. 

Then, sensitive authentication data elements include:

  • Full track data (magnetic-stripe data or chip equivalent)
  • Card verification code: A data element that may refer to either the magnetic stripe data or the printed security features on the card. Each payment card brand has its nomenclature and format for this value.
  • PINs and/or PIN blocks: Associated with the cardholder’s personal identification number, which is used for authentication purposes at ATM or in conjunction with EMV chips to replace signatures. 

It’s a common misconception that the CDE represents the boundary of scope and that any people, processes, or systems not directly involved in the transmission, processing, or storage are excluded from PCI DSS requirements.

But an accurate scoping of your organization must extend to people, processes, and systems that could impact the security of the CDE (or that connect directly or indirectly to the CDE). This nuance in scoping must be a critical consideration for your successful PCI DSS assessment—one that persists in both version 3.2.1 and version 4.0.

Scoping Validation Requirements in PCI DSS v4.0

Nuanced scoping regarding accuracy may have carried over from the previous standard, but there is a change to how you document it under v4.0.

As we mentioned before, the new requirement 12.5. mandates the previously only recommended scope validation. You must confirm your scope annually and after any significant changes, and whether you do is subject to review as part of your assessment.

Your assessors will review your supplied documentation to verify you’ve done so, and the expectations for acceptable supporting documentation may include (but are not limited to):

  • An accurate inventory of system components in scope for PCI DSS, including their function/use
  • Identification of all data flows and updated data flow diagrams
  • An inventory of all locations where account data is stored, processed, and transmitted to/from, including:
    • Locations outside the CDE
    • Applications involved in storage, processing, or transmission
    • All transmission channels between networks and systems
    • All file backups
  • Identification of all segmentation controls
  • Inventory of all third party connections which facilitate access to the CDE 

Your scoping validation exercise must also confirm that all data flows, account data, system components, segmentation controls, and connections from third parties with CDE access are included in scope.

If this seems extensive, it is. Therefore, if you’re already under assessment or considering compliance with PCI DSS 4.0, you should begin planning now for your annual scope validation exercise. Do two things:

  • Determine which personnel should be involved and what actions will need to be taken to ensure your scope is accurate.
  • Produce adequate evidence of the occurrence of these reviews to satisfy these updated requirements.

Scoping Validation for Service Providers Under PCI DSS v4.0

But PCI DSS can be particular for service providers, no matter the version, and the same is true regarding these new scoping validation requirements in v4.0. For those of you that fall into this category, you have additional obligations:

  • Starting now, service providers are strongly recommended to conduct the scoping validation exercise every six months as a best practice.
    • After March 31, 2025, this recommendation becomes a requirement.
  • Additionally, service providers who undergo any significant changes to the organizational structure are required to conduct a documented internal review of how those changes will impact your scope and controls applicability.
    • Examples of these types of structural changes cited in requirement 12.5.3 include mergers, acquisitions, or any major changes or reassignments of personnel with security control responsibilities.
    • The results of this review must be communicated to executive management.
    • Again, this will remain a recommended best practice until March 31, 2025, after which it will become a requirement. 

Additional Considerations with PCI DSS v4.0

Regardless of whether you’re a service provider or not, it will be critical to consider these new and changed requirements and the timelines for implementation as your organization begins planning the transition to PCI DSS v4.0.

America may have been mapped over decades, but you don’t have that much time to draw your scoping boundaries before these recommended practices become required.

So to ensure that you plot your course as accurately and easily as possible, read our other breakdowns on various aspects of the new PCI DSS v4.0:

Of course, Schellman can assist with your compliance burdens if you’d rather speak more specifically on de-mystifying the timelines and expectations for your organization regarding the new standard. If that’s your preference, please reach out to us. We’re happy to set up a conversation so that we can answer any pressing questions you may have.

About Jon Anderson

Jon Anderson is a Senior Associate with Schellman. Prior to joining Schellman, Jon spent 12 years as a systems administrator, and has held roles in cybersecurity risk management with regional banking entities and insurance firms, conducting both third party and application assessments as a component of enterprise risk management. Jon holds multiple industry certifications including Certified Information Systems Security Professional, ISO 27001 Lead Auditor, Payment Card Industry Professional, Payment Card Industry Qualified Security Assessor, and Payment Application Qualified Security Assessor. Jon’s primary focus areas are cybersecurity assessments and PCI DSS compliance for organizations across various industries.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.