Skill Being Reviewed
Skill name: pci-dss-review
Skill path: skills/compliance/pci-dss-review/
False Positive Analysis
Benign-looking PCI scope process that can be over-credited:
pci_scope:
  annual_review: complete
  cde_diagram: current_as_of_q1
  change_management:
    significant_change: "handled by normal CAB"
  cloud:
    new_payment_lambda: deployed
Why this is a false positive:
The organization performs annual scope confirmation, but a significant change can introduce new payment data flows, connected-to systems, security-impacting services, segmentation paths, or TPSP responsibilities between annual reviews. A review can credit Req 12.5.2 while missing Req 12.5.3 evidence that the specific change triggered a documented scope impact analysis.
Coverage Gaps
Missed variant 1: cloud/serverless payment flow added after annual scope review
A new function, queue, API gateway, or storage bucket touches the payment flow but is not mapped into the CDE scope documentation.
Missed variant 2: segmentation change not revalidated
A firewall, route table, security group, Kubernetes network policy, or VPN change affects CDE connectivity but no segmentation validation or penetration-test update is linked.
Missed variant 3: TPSP responsibility changes without scope refresh
A processor, fraud service, analytics vendor, or payment page script provider changes responsibilities, but the TPSP inventory and responsibility matrix are not updated.
Edge Cases
- A change can reduce scope, but that still needs evidence and updated diagrams.
- Emergency changes need retrospective scope impact analysis with owner, date, and compensating monitoring.
- SaaS and cloud-provider inherited controls still require shared-responsibility evidence.
Remediation Quality
Comparison to Other Tools
| Tool | Catches this? | Notes |
| --- | --- | --- |
| CMDB/change management | Partial | Records changes but may not classify PCI scope impact. |
| Network diagrams | Partial | Show current state but may not prove change-triggered scope review. |
| PCI annual scope review | No | Annual review can miss mid-cycle significant changes. |
Overall Assessment
Strengths: Strong coverage of PCI DSS v4.0 scoping, scope reduction, requirement-by-requirement review, compensating controls, the customized approach, and targeted risk analysis.
Needs improvement: Add concrete evidence gates for Req 12.5.3 so reviewers can verify significant changes refresh PCI scope, not only annual documentation.
Priority recommendations:
- Add a significant-change scope impact checklist under Step 1.4.
- Require evidence for affected CHD/SAD flows, CDE/connected-to/security-impacting systems, segmentation validation, TPSP changes, and updated diagrams.
- Add output fields for change ID, trigger, affected scope, evidence refreshed, owner, and residual assessor risk.
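The evidence gate these recommendations describe, as an added example that is not the pci-dss-review skill's own code: it evaluates change records against the Req 12.5.3 evidence list and emits the proposed output fields, so the `new_payment_lambda` change from the false-positive record above is flagged rather than cleared by the annual review. The record layout, field names and sample changes are assumptions constructed for illustration.

```python
# Added example, not the pci-dss-review skill's own code: a Req 12.5.3 evidence gate run
# over change records instead of crediting the annual review. Field names are assumptions.
from dataclasses import dataclass, field

# Evidence a significant change must refresh (from the review's recommendations).
SCOPE_EVIDENCE = ("chd_sad_flows", "cde_connected_security_impacting",
                  "segmentation_validation", "tpsp_changes", "diagrams_updated")
# Retrospective analysis of an emergency change must also record these.
EMERGENCY_EVIDENCE = ("owner", "date", "compensating_monitoring")

@dataclass
class Change:
    change_id: str
    trigger: str                         # what changed, e.g. "new_payment_lambda"
    significant: bool                    # classified as a PCI significant change
    emergency: bool = False
    scope_impact: dict = field(default_factory=dict)   # documented analysis, if any

def evaluate_change(change: Change) -> dict:
    """Return one output row: change ID, trigger, status, and evidence still missing."""
    row = {"change_id": change.change_id, "trigger": change.trigger,
           "status": "ok", "missing": []}
    if not change.significant:
        return row
    # A scope reduction still needs the same evidence and updated diagrams.
    row["missing"] = [k for k in SCOPE_EVIDENCE if not change.scope_impact.get(k)]
    if change.emergency:
        row["missing"] += [k for k in EMERGENCY_EVIDENCE if not change.scope_impact.get(k)]
    if not change.scope_impact:
        row["status"] = "fail"          # "handled by normal CAB" is not a scope impact analysis
    elif row["missing"]:
        row["status"] = "incomplete"
    return row

def review_changes(changes: list) -> list:
    """Rows for every significant change; the annual review is never used to clear one."""
    return [evaluate_change(c) for c in changes if c.significant]

# Constructed sample: the Lambda went through normal CAB with no scope impact analysis.
SAMPLE_CHANGES = [
    Change("CHG-1042", "new_payment_lambda", significant=True),
    Change("CHG-1043", "sg_rule_change", significant=True, emergency=True,
           scope_impact={k: True for k in SCOPE_EVIDENCE} | {"owner": "netops"}),
    Change("CHG-1044", "wiki_update", significant=False),
]

if __name__ == "__main__":
    for row in review_changes(SAMPLE_CHANGES):
        print(row)
```

A row with status `fail` means Req 12.5.2 credit exists but no Req 12.5.3 evidence does; `incomplete` lists exactly which artefacts the reviewer still has to see.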
Sources Checked
Bounty Info