PCI Scoping Guide Landing page.png

A technical guide to PCI DSS Scoping

Trends, Misconceptions, and a look to the future of PCI DSS scoping

Determining the scope of your annual PCI assessment can be an overwhelming task. Guidance from the PCI SSC states that "the best practice approach is to start with the assumption that everything is in scope until verified otherwise." 

While the PCI SSC has issued dozens of guidance documents, FAQs, and SAQs to aid companies in scoping for PCI DSS, many companies have struggled to keep it all straight or have decided to simply stick with what they've been doing. To help you make sense of it all, our team of PCI QSAs put together a guide that breaks down the ways to reduce your PCI DSS scope, common misconceptions, and future changes on the horizon. 

Within this guide, we shed light on: 

  • Scope responsibility - both yours and your QSA's
  • Network segmentation and the role it plays in scope reduction
  • Common misconceptions around SAQs, encryption, iFrames, telephone-based payments, and more
  • Ways to minimize PCI scope
  • The pending MFA deadline of January 2018

Complete the short form to the right, and your download will begin immediately. 

Your privacy is important to us. We never share your personal information with third parties.

About the Authors

Jim Flannery, CISSP, CISA, PCI QSA

Jim is our lead PCI SME at Focal Point and a Director in our national Cyber Security Practice. He has extensive experience with PCI, SOX, and privacy compliance management as well as application and general IT controls testing, project management, IT security assessments, and technical writing. He regularly demonstrates a very detailed knowledge of network and system security principles and how they can be applied in the real world at our clients. 

Chris Thompson, CISSP, CCNA-S, PCI QSA & ASV

Chris is a Manager in our national Cyber Security practice and is the lead technical assessor for the team. He focuses on providing our clients with Payment Card Industry Data Security Standard (PCI DSS) assessments, firewall and router rule set reviews, network security architecture reviews, vulnerability assessments, and IT risk assessments. He’s our go-to resource for mapping vulnerabilities or technical deficiencies to business risk and impact statements.