💼 12.5.2 PCI DSS scope is documented and confirmed by the entity at least once every 12 months and upon significant change to the in-scope environment.
- ID: /frameworks/pci-dss-v4.0/12/05/02
Description
At a minimum, the scoping validation includes:
- Identifying all data flows for the various payment stages (for example,
authorization, capture, settlement, chargebacks, and refunds) and acceptance
channels (for example, card-present, card-not-present, and e-commerce).
- Updating all data-flow diagrams per Requirement 1.2.4.
- Identifying all locations where account data is stored, processed, and
transmitted, including but not limited to: 1) any locations outside of the
currently defined CDE, 2) applications that process CHD, 3) transmissions
between systems and networks, and 4) file backups.
- Identifying all system components in the CDE, connected to the CDE, or that
could impact security of the CDE.
- Identifying all segmentation controls in use and the environment(s) from
which the CDE is segmented, including justification for environments being
out of scope.
- Identifying all connections from third-party entities with access to the
CDE.
- Confirming that all identified data flows, account data, system components,
segmentation controls, and connections from third parties with access to the
CDE are included in scope.
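The bullets above are a procedure: build an inventory of data flows, account-data locations, system components, segmentation controls and third-party connections, then confirm that everything CDE-relevant is inside the documented scope. The following is an added worked example, not text or tooling from PCI DSS or from this page, showing how that final "confirming" step can be reconciled mechanically against an inventory. Every component, environment, flow and third-party name in it is constructed and hypothetical, and the inventory fields are this example's own choice of representation.

```python
# Added example (not part of the PCI DSS text): reconcile a documented scope
# against an asset inventory, following the 12.5.2 validation bullets.
# All component, environment and third-party names are constructed.
from dataclasses import dataclass


@dataclass
class Component:
    name: str
    environment: str
    stores_ad: bool = False             # account data at rest, incl. file backups
    processes_chd: bool = False         # application that processes CHD
    transmits_ad: bool = False          # carries account data between systems
    connected_to_cde: bool = False      # connected-to system
    impacts_cde_security: bool = False  # e.g. directory, patching, logging
    in_scope: bool = False              # what the entity's current scope says


@dataclass
class DataFlow:
    stage: str      # authorization, capture, settlement, chargeback, refund
    channel: str    # card-present, card-not-present, e-commerce
    path: list      # ordered component names the account data traverses


@dataclass
class ThirdPartyConnection:
    third_party: str
    target: str     # component the third party reaches
    in_scope: bool = False


@dataclass
class Environment:
    name: str
    in_scope: bool
    segmentation_control: str = ""  # e.g. firewall ruleset identifier
    justification: str = ""         # why the environment is out of scope


def cde_relevant(c):
    """Stores/processes/transmits account data, is connected to the CDE,
    or could impact the security of the CDE."""
    return (c.stores_ad or c.processes_chd or c.transmits_ad
            or c.connected_to_cde or c.impacts_cde_security)


def validate_scope(components, flows, connections, environments):
    """Return scoping findings; an empty list means scope matches inventory."""
    comps = {c.name: c for c in components}
    envs = {e.name: e for e in environments}
    findings = []
    # CDE-relevant components must be in scope, even outside the defined CDE.
    for c in components:
        if cde_relevant(c) and not c.in_scope:
            findings.append(f"component {c.name}: CDE-relevant but not in scope")
        if c.environment not in envs:
            findings.append(f"component {c.name}: environment {c.environment} undocumented")
    # Every hop of every payment-stage data flow must be a known, in-scope component.
    for f in flows:
        for hop in f.path:
            if hop not in comps:
                findings.append(f"flow {f.stage}/{f.channel}: unknown component {hop}")
            elif not comps[hop].in_scope:
                findings.append(f"flow {f.stage}/{f.channel}: hop {hop} not in scope")
    # Third-party connections reaching a CDE-relevant component are in scope.
    for conn in connections:
        target = comps.get(conn.target)
        if target is None:
            findings.append(f"connection {conn.third_party}: unknown target {conn.target}")
        elif (target.in_scope or cde_relevant(target)) and not conn.in_scope:
            findings.append(f"connection {conn.third_party} -> {conn.target}: not in scope")
    # Out-of-scope environments need a segmentation control plus justification,
    # and must not contain in-scope components.
    for e in environments:
        if e.in_scope:
            continue
        if not (e.segmentation_control and e.justification):
            findings.append(f"environment {e.name}: out of scope without control/justification")
        for c in components:
            if c.environment == e.name and c.in_scope:
                findings.append(f"environment {e.name}: out of scope but contains in-scope {c.name}")
    return findings


def build_sample():
    """Constructed inventory with deliberate scoping gaps (hypothetical names)."""
    components = [
        Component("pos-terminal", "store-lan", processes_chd=True, transmits_ad=True, in_scope=True),
        Component("payment-gw", "cde", processes_chd=True, transmits_ad=True, in_scope=True),
        Component("settlement-db", "cde", stores_ad=True, in_scope=True),
        Component("backup-nas", "corp", stores_ad=True),        # holds settlement-db backups
        Component("ad-dc", "corp", impacts_cde_security=True),  # authenticates CDE admins
        Component("wiki", "corp"),                              # genuinely out of scope
        Component("refund-app", "ops", processes_chd=True, in_scope=True),
    ]
    flows = [
        DataFlow("authorization", "card-present", ["pos-terminal", "payment-gw"]),
        DataFlow("refund", "e-commerce", ["web-store", "refund-app", "payment-gw"]),
        DataFlow("settlement", "card-present", ["settlement-db", "backup-nas"]),
    ]
    connections = [
        ThirdPartyConnection("acquirer", "payment-gw", in_scope=True),
        ThirdPartyConnection("msp", "ad-dc"),
    ]
    environments = [
        Environment("cde", True),
        Environment("store-lan", True),
        Environment("corp", False, "fw-corp-to-cde-deny", "no account data; ACL-isolated"),
        Environment("ops", False),
    ]
    return components, flows, connections, environments


if __name__ == "__main__":
    for line in validate_scope(*build_sample()):
        print(line)
```

On the constructed sample this reports the backup store and the directory controller that sit outside the defined CDE, a refund flow through an undocumented web front end, a settlement flow into an out-of-scope hop, an unscoped managed-service-provider connection to a security-impacting system, and an "out of scope" environment that has neither a segmentation control nor a justification yet hosts an in-scope application. Each of those corresponds to one bullet of the scoping validation; a clean run is the evidence that the confirmation step was actually performed rather than asserted.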
Similar
- Sections: /frameworks/pci-dss-v4.0.1/12/05/02