The PCI Compliance Process - Tenable Discussions Forum

The PCI Compliance Process
Scoping – Where is the cardholder data located?
PCI Compliance is for the Cardholder Data Environment
The next step in the process of validating compliance with the Payment Card Industry Data Security Standard (PCI DSS)
requirements is to properly identify and define what systems, processes, and people are involved in the transmission,
processing, or storage of cardholder data, and any systems, processes, and people that may impact the security of your
cardholder data. The PCI Glossary provides the following definition:
Cardholder Data Environment (CDE): The people, processes and technology that store, process or transmit cardholder
data or sensitive authentication data, including any connected system components.
The CDE is generally comprised of systems involved in the direct credit card transaction processing that originates from
retail locations, kiosks, e-Commerce sites, and more frequently today – from mobile devices. Beginning with a credit card
‘swipe’ or entry of the credit card data into a payment application, all systems involved in the transmission of this credit
card transaction traffic are in scope for PCI compliance. From the moment the credit card data is presented through all
intermediate systems, to the point where the transaction data is sent to an outside entity such as a payment gateway,
processor, or bank for credit authorization – and back – the technology, people, and processes are all part of the CDE.
The credit card transaction process being in scope is generally well understood. What is also in scope are any processes
that occur after the initial transaction and/or support the transaction – such as refunds, chargebacks, dispute resolution,
collections, fraud detection/prevention, loss prevention, customer support, help desk, and so forth.
People and processes that support the payment processes – such as network and
system administrators, DBAs, developers, customer care agents, security administrators,
store managers, finance and accounting personnel – are all likely elements of the CDE
and subject to PCI compliance.
Limiting Scope
If this sounds like a complex problem, or if your head is starting to hurt, you can
understand why there is so much emphasis on limiting the scope for PCI compliance.
Scoping your PCI environment, or CDE, is often a major undertaking and requires deep
knowledge of all business and IT processes and data flows. The PCI DSS actually
requires companies to have a documented process for determining what is and what is
not part of the CDE (or simply “in scope”), and companies must also be able to present evidence and
results of the methodology used to determine the scope of PCI in their enterprise.
Data Discovery
There has never been more emphasis placed on discovering and identifying all “people, processes, and technology” that
are involved with cardholder data in a company’s enterprise than today. There is no single prescribed method for
conducting this exercise within your company, and the PCI DSS does not provide specific guidance on how discovery
exercises must be performed.
Qualified Security Assessor (QSA) companies, professional services companies, and solutions providers often advise
their clients on how to conduct these discovery exercises, and sometimes even conduct the discovery exercises on behalf
of their clients and/or provide tools and technology to perform “data discovery” exercises.
Whatever the method for identifying your CDE, it is important to remember a couple of key points:
1. You must demonstrate where cardholder data IS present AND where it is NOT present;
2. Your methodology must be documented, and you must show evidence of the methodology being executed.
Tenable for PCI Compliance
Tenable offers a range of solutions to help you determine and validate PCI compliance and remain compliant between
audits as your network changes.
Internal Vulnerability Scanning with Nessus Vulnerability Scanner
The Nessus vulnerability scanner may be used by organizations to satisfy quarterly internal vulnerability scanning
requirements. When used on a continuous basis, Nessus enables companies to identify and correct issues well before the
official compliance validation occurs. This also helps reduce the cost of the official validation assessment by reducing the
time it takes to get the QSAs the information they need.
Nessus can also identify sensitive data that is subject to PCI compliance requirements such as credit card numbers.
Nessus can perform these searches without an agent and only requires valid credentials to scan a remote computer.
PCI ASV Validation with Nessus Perimeter Service
Tenable Network Security is a PCI Approved Scanning Vendor (ASV) and is certified to validate quarterly external
vulnerability scans for companies to fulfill PCI DSS validation requirements. The ASV service allows companies to:
- Use a single solution, Tenable PCI Scanning Service, to perform PCI scans and submit them for quarterly PCI
  ASV validation.
- Submit up to 2 PCI scans per calendar quarter for validation by Tenable’s PCI-certified professionals.
- Easily generate executive, attestation, and detailed reports — offering proof of compliance needed for submission
  to your acquiring bank.
Intelligent Continuous Monitoring with Tenable USM
Nessus is a component of Tenable's Unified Security Monitoring (USM) platform, which also includes Tenable
SecurityCenter, the Tenable Passive Vulnerability Scanner (PVS), and the Tenable Log Correlation Engine (LCE). The
Tenable USM platform offers enterprises continuous monitoring and centralized intelligence for PCI compliance. Features
include:
- Continuously monitor and discover new devices on the network that may create PCI exposure.
- Continuously detect the presence of malware that has infiltrated your network and is running malicious programs
  in your environment.
- Secure log aggregation / storage and log normalization / search for compliance monitoring and analysis.
- Identify PCI-relevant assets and limit PCI scans to those assets, reducing time and resources required for regular
  scans.
- Create a single view of risk exposure that includes Internet-facing web application vulnerabilities.
About Tenable Network Security
Tenable Network Security is relied upon by more than 20,000 organizations,
including the entire U.S. Department of Defense and many of the world’s
largest companies and governments, to stay ahead of emerging vulnerabilities,
threats and compliance-related risks. Its Nessus and SecurityCenter solutions
continue to set the standard to identify vulnerabilities, prevent attacks and
comply with a multitude of regulatory requirements. For more information,
please visit www.tenable.com.
GLOBAL HEADQUARTERS
Tenable Network Security
7021 Columbia Gateway Drive
Suite 500
Columbia, MD 21046
410.872.0555
www.tenable.com
Copyright © 2013. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc.