PCIDSS Scoping Questionnaire

The document is an assessment questionnaire for a company. It collects information about the company's payment processing including number of transactions, payment brands, and PCI compliance deadlines. It asks about the company's operations including number of locations and staff. It inquires about the network architecture and number of components in the cardholder data environment. It also requests information on policies, procedures, third parties, and other PCI documentation. The goal is to determine the scope of a potential PCI assessment for the company.

Uploaded by

Oludare Ogunkoya
Copyright: © All Rights Reserved

ASSESSMENT/SCOPING QUESTIONNAIRE

Company: Click here to enter text.


Date:
Contact Information:
Full name: Click here to enter text.
Position: Click here to enter text.
Telephone: Click here to enter text.
Extension: Click here to enter text.
Email: Click here to enter text.

Section A

Please answer each question providing proper information in the green sections.
The data fields extend as further information is typed in.

What type of sales channels does your operation support? Check all that apply (x)

☐ In-store payment (card-present)
☐ Mail order
☐ Telephone order
☐ e-Commerce

How do you process payment (directly, indirectly, etc.)? Please describe as detailed as possible.

Click here to enter text.

How many authorization transactions do you process per year?

Click here to enter text.

Is there any payment brand requiring you to validate PCI compliance?

☐ Yes ☐ No

If yes, which payment brand?

☐ ☐ ☐ ☐ ☐

Do you have a target date or deadline to validate compliance?

☐ No ☐ Yes (Please indicate)

How many locations in your organization have a cardholder data environment (C.H.D.E.)?
Main datacenters Click here to enter text.

Secondary datacenters (Alternate and backup centers) Click here to enter text.

Point of sale locations (branches, stores, franchise merchants, etc.) Click here to enter text.

TOTAL 0

Staff strength of company Click here to enter text.


Number of depts. under scope Click here to enter text.
Staff strength of units/depts. under scope Click here to enter text.
No. of card transactions Click here to enter text.
Section B
Network segmentation, i.e. isolating (segmenting) the cardholder data environment from the remainder of the
corporate network, is not a PCIDSS requirement. However, it is recommended as a method that may reduce:
▪ The scope of the PCIDSS assessment
▪ The cost of the PCIDSS assessment
▪ The cost and difficulty of implementing and maintaining PCIDSS controls

Network segmentation can be achieved through internal network firewalls, routers with strong access control lists or
other technology that restricts access to a particular segment of a network.

Without adequate network segmentation (sometimes called a "flat network"), the entire network is in scope of the
PCIDSS assessment.
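As an added illustration of how segmentation drives scope (example code, not part of this questionnaire), the following Python toy applies the rule described above: segments that hold cardholder data form the CDE, any segment the firewall/ACL rules allow to exchange traffic with the CDE is treated as in scope as well, and a flat network with no restrictions puts every segment in scope. Segment names, component counts and rules are constructed sample data.

```python
"""Toy PCI DSS scope calculator (added example, not part of the questionnaire).

A segment that stores, processes or transmits cardholder data is part of the
CDE. A segment the firewall/ACL rules allow to talk to the CDE is assumed to be
in scope too ("connected-to"). Only segments fully isolated from the CDE fall
out of scope, and a flat network (no rules) puts everything in scope.
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple, Dict


@dataclass
class Segment:
    name: str
    holds_chd: bool   # stores, processes or transmits cardholder data
    components: int   # number of hosts/devices in the segment


@dataclass
class Network:
    segments: Dict[str, Segment]
    # Allowed traffic as (src, dst) pairs; any pair not listed is assumed
    # blocked by the firewall/ACL. None models a flat (unsegmented) network.
    allowed: Optional[Set[Tuple[str, str]]] = None

    def in_scope(self) -> Dict[str, str]:
        """Return {segment name: reason} for every in-scope segment."""
        if self.allowed is None:  # flat network: no isolation at all
            return {n: "flat network" for n in self.segments}
        cde = {n for n, s in self.segments.items() if s.holds_chd}
        scope = {n: "CDE" for n in cde}
        for src, dst in self.allowed:
            if src in cde and dst not in cde:
                scope.setdefault(dst, "connected-to CDE")
            elif dst in cde and src not in cde:
                scope.setdefault(src, "connected-to CDE")
        return scope

    def component_count(self) -> int:
        """Total components the assessor would have to cover."""
        return sum(self.segments[n].components for n in self.in_scope())


# Constructed sample data: two CDE segments, a log collector that may reach
# the card database, and an office LAN that only reaches the guest Wi-Fi.
SEGMENTS = {s.name: s for s in [
    Segment("pos-lan", True, 12), Segment("card-db", True, 3),
    Segment("corp-office", False, 80), Segment("guest-wifi", False, 25),
    Segment("siem", False, 2)]}
RULES = {("pos-lan", "card-db"), ("siem", "card-db"), ("corp-office", "guest-wifi")}
segmented = Network(SEGMENTS, RULES)   # 17 components in scope
flat = Network(SEGMENTS, None)         # all 122 components in scope
```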

Based on the information above, please indicate the number of components that are in the scope of this PCI
Assessment:
Cloud Server

For the “Main datacenters” mentioned previously, how many of the following components are present in the
cardholder data environment (in the scope of PCI)?
Please indicate a number for each type of component that applies

Network components
Firewall Choose an item.
Switch Choose an item.
Router Choose an item.
Wireless access point Choose an item.
Network appliance Choose an item.
Security appliance Choose an item.
Other Choose an item.

Servers
Web server Choose an item.
Application server Choose an item.
Database server Choose an item.
Authentication server Choose an item.
Mail server Choose an item.
Domain controller Choose an item.
Proxy server Choose an item.
Network time protocol server Choose an item.
Domain name server (DNS) Choose an item.
Other Choose an item.

(Third column; its heading is missing from the source)
Purchased internal Choose an item.
Purchased external (Internet) Choose an item.
Custom internal Choose an item.
Custom external (Internet) Choose an item.

For the “Secondary Data Centers” mentioned previously, how many components are present in the CHDE?
Please check the appropriate box

Less than 10 ☐
10 – 20 ☐
21 – 50 ☐
For the “Point of sale locations” mentioned previously, how many components are present in the CHDE?
Please mark with an “X”
Up to 10 ☐
More than 10 ☐

The standardization of processes and infrastructure for CHD environments within your organization is a critical
element in defining the scope and effort of a PCI assessment.

Which of the following sentences do apply to your organization (Mark all that apply)?

1. We have a central CHD environment in the organization. ☐


2. We have centralized standards for CHD environments that all entities in the organization ☐
must follow (POS, branches, etc.)
3. We have decentralized standards for different locations ☐
4. Each location has its own standards for CHD environments ☐

Do you use wireless technology to store, process, or transmit cardholder data (for example, point-of-sale
transactions, etc.)?

☐ Yes ☐ No

Is a wireless local area network (LAN) connected to or part of the cardholder data environment (for example, not
clearly separated by a firewall)?

☐ Yes ☐ No

Do you use a third-party provider to store, process, or transmit cardholder data on your behalf, or to manage
components such as routers, firewalls, databases, physical security, and/or servers?

☐ Yes ☐ No
If yes, please list them.
Seq. Type of service provided Seq. Type of service provided
1 Click here to enter text. 6 Click here to enter text.
2 Click here to enter text. 7 Click here to enter text.
3 Click here to enter text. 8 Click here to enter text.
4 Click here to enter text. 9 Click here to enter text.
5 Click here to enter text. 10 Click here to enter text.
Is your organization a service provider offering services to more than one merchant and/or other service
providers?
Services might range from simple to complex; from shared space on a server to a whole range of “shopping cart”
options; from payment applications to connections to payment gateway and processors; etc.

☐ Yes ☐ No

The PCI DSS requires several documentation elements and procedures to be developed and implemented. Please
indicate which of the following documents are currently available in your organization (this is not an exhaustive list).

Seq. Documentation Available? (Yes / No)
1 Information security policy ☐ ☐
2 Incident response plan ☐ ☐
3 Background checks procedures (human resources) ☐ ☐
4 Security awareness program ☐ ☐
5 Firewall and router configuration standards ☐ ☐
6 System configuration standards ☐ ☐
7 Data control policy ☐ ☐
8 Data retention and disposal policy ☐ ☐
9 Perform Vulnerability Assessment and Penetration Test (Internal & External) ☐ ☐
