Hmatix PCI Endpoint Compliance Assessment
PCI compliance should not be a one-time goal; it is a continuous, iterative process of assessment, remediation/refinement and ongoing reporting.
One of the primary recommendations PCI experts make, so that an organization has better control over its infrastructure, is to limit the scope of the cardholder data environment (CDE). This continuous activity involves the following steps:
Accurately documenting the current scope of the CDE in terms of known services, applications, user access and source/destination endpoints. This is called a baseline. The baseline work is critical because it is used to discover the perimeter of influence: every location and endpoint (servers, Point of Sale terminals, phones, contact center (CC) applications), process and person responsible for the origination, flow and termination of cardholder data.
With a baseline cardholder environment in hand, a real-time assessment of the CDE infrastructure determines whether the current CDE scope is appropriate. This involves comprehensive auditing of the services running, the ports used and the IP addresses accessed by each endpoint. Any deviation from the baseline must be corrected and the assessment re-run until the CDE is accurately modeled, both in scope and in behavior.
The next step is to continuously monitor the CDE infrastructure for changes to its scope or behavior relative to the defined baseline: looking for intrusions, performing anomaly detection and identifying behavioral outliers that inadvertently or intentionally modify the CDE scope.
Inadvertent changes to the CDE scope occur under conditions such as the following (not an exhaustive list):
New endpoints are added to the CDE infrastructure
New features or services are introduced as part of endpoint application upgrades
Endpoints are physically relocated, resulting in new address assignments
Intentional modification of the CDE scope occurs under conditions such as the following (not an exhaustive list):
Unauthorized access by an employee
Unauthorized access by an external entity
Installation of malware that changes the behavior of the endpoint
If any endpoint is compromised, remediation should involve immediate quarantine (isolation) of the affected device. The quarantine can be triggered either automatically, as one step in a chained mitigation workflow, or manually by an administrator.
Last but not least, regular reporting on the current baseline and on any observed deviations (CDE scope changes, indicators of compromise at the resource level (port, IP, service) and vulnerabilities) helps the organization understand its existing scope and continue to manage it.
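The baseline / assessment / monitoring / quarantine / reporting loop described above, as an added worked example (this is illustrative code written for this page, not Hmatix's product code). Both the baseline and the observed snapshot are constructed sample data in the shape a host inventory or flow export might provide: per endpoint, its address, its listening services (port to service name) and the peer IPs it talks to. The endpoint names, addresses and the isolation rule in `needs_isolation` are assumptions made for the example:

```python
"""Baseline deviation check for CDE endpoints (illustrative, not Hmatix code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Deviation:
    endpoint: str
    kind: str    # one of the KIND_* constants below
    detail: str  # the offending value: an IP, or "port/service"


# Deviation kinds, mapped to the scope-change conditions listed in the text.
NEW_ENDPOINT = "new_endpoint"        # endpoint not present in the baseline
NEW_SERVICE = "new_service"          # listening port/service not in baseline (e.g. after an upgrade)
ADDRESS_CHANGE = "address_change"    # endpoint re-addressed (e.g. physical relocation)
NEW_PEER = "new_peer"                # traffic to an IP outside the baseline peer set
MISSING_ENDPOINT = "missing_endpoint"  # baseline endpoint not seen in the snapshot

# Constructed baseline (assumed names/addresses): two POS terminals and a payment gateway.
BASELINE = {
    "pos-01": {"ip": "10.10.1.11", "services": {22: "ssh"}, "peers": {"10.10.2.5"}},
    "pos-02": {"ip": "10.10.1.12", "services": {22: "ssh"}, "peers": {"10.10.2.5"}},
    "gw-01": {"ip": "10.10.2.5", "services": {443: "https", 22: "ssh"},
              "peers": {"10.10.1.11", "10.10.1.12", "203.0.113.10"}},
}

# Constructed snapshot: pos-02 was re-addressed, gw-01 grew a new service and now
# talks to an unknown host, and a new device pos-03 appeared on the segment.
OBSERVED = {
    "pos-01": {"ip": "10.10.1.11", "services": {22: "ssh"}, "peers": {"10.10.2.5"}},
    "pos-02": {"ip": "10.10.1.57", "services": {22: "ssh"}, "peers": {"10.10.2.5"}},
    "gw-01": {"ip": "10.10.2.5", "services": {443: "https", 22: "ssh", 8080: "http-alt"},
              "peers": {"10.10.1.11", "10.10.1.57", "203.0.113.10", "198.51.100.77"}},
    "pos-03": {"ip": "10.10.1.13", "services": {22: "ssh"}, "peers": {"10.10.2.5"}},
}


def assess(baseline, observed):
    """Return every deviation of `observed` from `baseline`, sorted for stable reporting."""
    found = []
    for name, seen in observed.items():
        base = baseline.get(name)
        if base is None:
            found.append(Deviation(name, NEW_ENDPOINT, seen["ip"]))
            continue
        if seen["ip"] != base["ip"]:
            found.append(Deviation(name, ADDRESS_CHANGE, seen["ip"]))
        for port, svc in seen["services"].items():
            # A different service on a known port counts as a new service too.
            if base["services"].get(port) != svc:
                found.append(Deviation(name, NEW_SERVICE, f"{port}/{svc}"))
        for peer in seen["peers"] - base["peers"]:
            found.append(Deviation(name, NEW_PEER, peer))
    for name in baseline.keys() - observed.keys():
        found.append(Deviation(name, MISSING_ENDPOINT, baseline[name]["ip"]))
    return sorted(found, key=lambda d: (d.endpoint, d.kind, d.detail))


def needs_isolation(deviations, observed):
    """Example quarantine policy (an assumption for this page, not a PCI DSS rule):
    an endpoint that both started a new listening service and began talking to an
    address belonging to no inventoried endpoint is treated as a possible compromise
    and queued for isolation. A peer that is simply a relocated endpoint's new
    address is not counted."""
    known_ips = {e["ip"] for e in observed.values()}
    with_new_service = {d.endpoint for d in deviations if d.kind == NEW_SERVICE}
    with_unknown_peer = {d.endpoint for d in deviations
                         if d.kind == NEW_PEER and d.detail not in known_ips}
    return sorted(with_new_service & with_unknown_peer)


def report(deviations):
    """Group deviations by kind -> sorted endpoint names, for the periodic scope report."""
    grouped = {}
    for d in deviations:
        grouped.setdefault(d.kind, set()).add(d.endpoint)
    return {kind: sorted(names) for kind, names in sorted(grouped.items())}


if __name__ == "__main__":
    devs = assess(BASELINE, OBSERVED)
    for d in devs:
        print(f"{d.endpoint:8} {d.kind:16} {d.detail}")
    print("report:", report(devs))
    print("quarantine candidates:", needs_isolation(devs, OBSERVED))
```

Note that one inadvertent change surfaces twice: the relocation of pos-02 appears as an address change on pos-02 and as a new peer on gw-01. That is why the text insists on correcting the deviation (or the baseline) and re-running the assessment until the model is clean, rather than acting on each finding in isolation.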
The figure below shows one subset of endpoints that can be monitored by the Hmatix solution for behavioral changes.
Hmatix provides a comprehensive end-to-end solution for organizations that need to manage their critical PCI endpoints as part of maintaining and protecting their cardholder data environment (CDE) scope.
With the Hmatix 100% automated, plug-and-play, self-learning cybersecurity solution, organizations can easily audit their CDE scope and obtain an instant compliance assessment report as part of their overall PCI DSS compliance goal.