Frequently Asked Question

Is it required that all of a company’s sites, even those located in other countries, must be included in the company’s PCI DSS review?

The PCI DSS is a global standard and is applicable to all entities that process, transmit or store cardholder data regardless of geographic location. Each payment brand manages their PCI DSS compliance and enforcement programs independently of the PCI Security Standards Council. With regard to levels, time lines, and other specific questions about compliance and enforcement, please contact each payment brand to understand programs in the regions in which the company operates. The sites in other countries can only be eliminated from the scope of the primary assessment if those sites are properly segmented from the primary assessed environment. If not, a hacker compromising the sites in other countries could gain access to the primary assessed environment. If it is desirable to only include certain sites/locations in a PCI DSS review, then that should be clearly noted in the report of compliance as well as noting that specific other sites/locations were excluded from the assessment. However, a separate PCI DSS review may be required if the other sites store, process or transmit cardholder data. Alternatively, one review can include all sites and system components for all international locations.
April 2012
Article Number: 1040