What does “In-Scope” and “Out-Of-Scope” for PCI-DSS mean relative to processing Credit and Debit Cards?

Nowhere in the Payment Card Industry (PCI) Data Security Standard (Version 3.2, April 2016), nor in any other PCI DSS document, can we find the terms “In-Scope” or “Out-Of-Scope” defined. However, from the way the PCI DSS document uses these terms, we believe that “In-Scope” means that an “In-Scope” entity is subject to all the requirements defined by the PCI DSS document. An entity that is “Out-of-Scope” is not subject to the requirements of PCI DSS, even though many of those requirements make good sense.

Page 7 of the PCI DSS document contains the following:

PCI DSS Applicability Information

PCI DSS applies to all entities involved in payment card processing including merchants, processors, acquirers, and service providers. PCI DSS also applies to all other entities that store, process, or transmit cardholder data and/or sensitive authentication data.

Cardholder data and sensitive authentication data are defined as follows:

Account Data

Cardholder Data includes:
  • Primary Account Number (PAN)
  • Cardholder Name
  • Expiration Date
  • Service Code

Sensitive Authentication Data includes:
  • Full track data (magnetic-stripe data or equivalent on a chip)
  • CAV2/CVC2/CVV2/CID
  • PINs/PIN blocks

The primary account number is the defining factor for cardholder data. If the cardholder name, service code, and/or expiration date are stored, processed or transmitted with the PAN, or are otherwise present in the cardholder data environment (CDE), they must be protected in accordance with applicable PCI DSS requirements.

    Comment: There is no mention in the PCI DSS document, or any document we have seen published by PCI-DSS, that states that software that does not store, process, or transmit cardholder data and/or sensitive authentication data is or is not subject to PCI-DSS/PA-DSS regulation.

    Therefore, CFXWorks believes that an entity, for example, a payment application, that does not capture, store, process, or transmit the PAN, and has no visibility to the PAN, is “Out-of-Scope” for PCI DSS.

    CFXWorks of course agrees that an entity, for example, a payment application, that captures, stores, processes, or transmits the PAN, and/or has any visibility to the PAN, is “In-Scope” for PCI DSS.