Regulatory Compliance, Governance and Security

Jan 30 2009   9:33PM GMT

PCI DSS Compliance | What is the “Cardholder Environment”?



Regarding PCI DSS compliance, I'm often asked as a PCI QSA: what is the cardholder environment? In essence, people want to know what is in scope and how scope is determined. To be honest, there is no clear black-and-white answer; many variables come into play, the biggest being the growth of outsourced third-party providers, such as managed service providers and data center/co-location entities, among others.

As for the entities and organizations that are in scope, essentially any organization directly involved in the processing, storage, or transmission of transaction data or cardholder data is in scope.

Regarding the cardholder data itself, think of any systems that support the transaction or storage of cardholder data. Any “system component” that cardholder data travels across, or any “system component” where cardholder data resides, is in scope.

One can quickly see how third-party providers can easily be brought into the scope of the audit. Talk to your Qualified Security Assessor (QSA), who should be able to determine which of the organizations involved in the process are in scope and what the actual “system components” of the cardholder environment are.
