With the release of PCI DSS 2.0 comes a new requirement – verifying that you’ve correctly identified the scope of your cardholder data environment. The PCI DSS compliance community believes, as a general principle, that you should limit the scope of your cardholder data environment to the greatest extent possible. This not only reduces the amount of work you will need to do to comply with the PCI DSS standard, but also reduces the overall risk to your organization by limiting complexity.
When a Qualified Security Assessor (QSA) prepares a Report on Compliance (RoC) for your company, they first must identify the scope of their assessment. They’re required to document that they’ve verified your approach in four ways. PCI DSS 2.0 states that they must verify: (continue reading…)