PCI Resources
A structured approach to the PCI standards

Volume 2 - PCI DSS Scoping

  • Book Series
    • Book Series Introduction
    • Book Series Acknowledgments
  • Volume 2 - PCI DSS Scoping
    • 2.1 Volume Introduction
    • 2.2 Scoping
    • 2.3 It all starts with data
    • 2.4 PCI DSS Scoping explained
    • 2.5 Scoping categories
      • 2.5.1 First Category: CDE systems
        • 2.5.1.1 CDE/CHD
        • 2.5.1.2 CDE/Contaminated
        • 2.5.1.3 CDE/Segmenting
        • 2.5.1.4 CDE system analogies
      • 2.5.2 Second category: Connected systems
        • 2.5.2.1 Connected/Security
        • 2.5.2.2 Connected Systems
        • 2.5.2.3 Indirectly Connected
      • 2.5.3 Third category: Out-of-scope systems
      • 2.5.4 Categories Summary
      • 2.5.5 Scope Identification approach and Scope Documentation
    • 2.6 Scope Reduction Methods
      • 2.6.1 Outsourcing to third-party service providers
      • 2.6.2 Network Segmentation
      • 2.6.3 PAN Transformations
        • 2.6.3.1 Truncation (and Masking)
        • 2.6.3.2 Tokenization
      • 2.6.4 Encryption
        • 2.6.4.1 The PCI DSS FAQ on Encryption
        • 2.6.4.2 Use of P2PE solutions
      • 2.6.5 Remote Desktop solutions - One or two steps removed?
    • 2.7 Advanced Scoping
      • 2.7.1 Virtualization
        • 2.7.1.1 Virtualization Concepts
        • 2.7.1.2 Hardware vs. Software virtualization
        • 2.7.1.3 Operating-system-level (Container) virtualization
        • 2.7.1.4 Security considerations in the Cloud Computing information supplement
      • 2.7.2 Cloud Computing
      • 2.7.3 Non-covered technologies
    • 2.8 Networking Primer
      • 2.8.1 The Open Systems Interconnection (OSI) network model
      • 2.8.2 TCP/IP
      • 2.8.3 IPv4 Networks
      • 2.8.4 TCP/IP Protocol Examples
        • 2.8.4.1 Ping and traceroute
        • 2.8.4.2 Hypertext Transfer Protocol (HTTP)
        • 2.8.4.3 File Transfer Protocol (FTP)
      • 2.8.5 Network Segmentation Requirements for PCI DSS
  • Figures List
    • Figure 1 - Rendering of Credit Card (Front)
    • Figure 2 - Rendering of Credit Card (Back)
    • Figure 3 - Sample business process diagram
    • Figure 4 - Sample cardholder dataflow diagram
    • Figure 5 - Sample high-level network diagram (store chain)
    • Figure 6 - Sample detailed network diagram (individual store)
    • Figure 7 - Image of firewall and 3 network zones (including the CDE)
    • Figure 8 - Physical scope reduction example
    • Figure 9 - PCI Scope type diagram
    • Figure 10 - PCI Scoping Type Decision tree
    • Figure 11 - Native vs hosted virtualization
    • Figure 12 - Virtual Machine re-entry
    • Figure 13 - Virtualization simplest configuration example
    • Figure 14 - Operating System level virtualization
    • Figure 15 - PCI DSS Cloud Computing Guidelines - Appendix C
    • Figure 16 - Cloud Level of control/responsibility for client and CSP across different service models
    • Figure 17 - UDP packet reordering
    • Figure 18 - HTTP communications through network layers
    • Figure 19 - FTP protocol
  • Tables List
    • Table 1 - PCI DSS data
    • Table 2 - Classification Categories Summary
    • Table 3 - RoC reporting template sections for scope documentation
    • Table 4 - TCP/IP Model and OSI Layers
    • Table 5 - Bank Card Numbers
    • Table 6 - Example of how control may be assigned between CSP and clients across different service models
    • Table 7 - The 7 OSI layers
    • Table 8 - The TCP/IP vs OSI layers
    • Table 9 - IPv4 Network Classes
    • Table 10 - TCP/IP Model Summary
  • PCI DSS Glossary
    • PCI DSS Glossary