PCI requirements apply to all systems that process, store or transmit payment card account data and any systems connected to or impacting the security of these systems.
System components within the scope of PCI are called “Cardholder Data Environment” or CDE. All PCI in-scope systems are subject to PCI DSS requirements to limit the possibility of sensitive payment card account data being compromised.
Attackers are constantly trying to compromise this data using malware, phishing, and social engineering attacks. The type and complexity of these attacks are continually changing, and PCI DSS requirements are intended to limit the success of these attacks.
Before we talk about how to minimize PCI scope, let’s define it. PCI DSS defines scope as all system components located in or connected to the cardholder data environment. PCI DSS security requirements apply to all PCI in-scope systems.
The cardholder data environment consists of the people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data.
Here is a general list of system components that are likely to be PCI in-scope in your environment:
- Network devices
- IT devices
Consequently, a person, process, technology, or component is within the scope of PCI DSS if it stores, processes, or transmits cardholder data, or if it is connected to systems that do, or could otherwise affect the security of cardholder data.
Why You Should Reduce Your PCI Scope
If you can limit the amount of cardholder data you hold, you will have less data to audit. The implications and benefits of having less data to audit under PCI are the following:
- The cost of a PCI audit is lower.
- The amount of stress and time spent on the audit is kept to a minimum.
- Processes are less likely to be affected by regulatory changes.
- Breach of security is less likely.
- The risk of a failed assessment is reduced.
For example, if an organization can reduce PCI scope from SAQ D to SAQ C, audit costs can be reduced by 75%.
You should consider reducing your PCI compliance scope because it lowers your compliance costs, your transaction costs, and the risk that comes with handling payment card data.
For small organizations, reducing scope is always worth the effort because of the PCI-related costs, including all ancillary requirements such as penetration testing, application testing, and required security products.
Larger organizations with a substantial budget are less concerned with the cost of PCI compliance or the ancillary control requirements. What they mostly care about is the risk of handling the volume of sensitive data in their environment and the potential consequences of a breach.
How to Reduce PCI Scope?
Defining the scope of the PCI DSS audit is the first step in any PCI DSS assessment. Understanding your PCI scope allows you to focus on the systems directly involved in securing your payment card account data.
Systems that neither handle that data nor affect its security are referred to as "out of scope" and are not reviewed for PCI compliance.
Almost all organizations that implement the Payment Card Industry Data Security Standard (PCI DSS) struggle with the Standard’s applicability. Even those experienced in PCI DSS compliance can struggle with scope drift over time as an organization’s networks evolve.
There are many ways to reduce PCI scope, so it should come as no surprise that one of the most compelling and practical ways to keep complying with PCI DSS is to narrow your scope. This post goes through some of the most common scope reduction techniques used in the industry today.
Do Not Store Primary Account Numbers (PAN)
Eliminating the storage of all cardholder data, including the Primary Account Number (PAN), is one of the most effective strategies to limit PCI scope. PCI DSS requirement 3.1, along with identification and secure deletion policies, guides validating organizations to keep data retention to a minimum by enforcing a robust policy limiting the storage and retention of such data.
Entities that store cardholder data must complete the most rigorous self-assessment questionnaire (SAQ D). The SAQ D questionnaire is lengthy and requires the merchant to validate against all PCI DSS requirements.
Eliminating cardholder data storage makes a merchant eligible for other, reduced SAQs that address a smaller number of requirements. An SAQ D validation is far more complex than reduced SAQs such as SAQ C or SAQ P2PE.
Although it may seem self-evident, removing stored cardholder data from your environment limits your PCI DSS scope, yet many organizations overlook this solution. The PCI SSC's advice is clear: do not store card data if you do not need it.
The hard part of removing cardholder data is finding all of it. Cardholder data turns up in all sorts of unexpected places, such as text files, log files, memory dumps, application logs, old databases, and backups.
Limit who can see credit card data
Some companies allow marketing, customer service, or other departments to process or see credit card data even if they don’t need it. As a result, you must first determine how much card information is exchanged with which units inside your company.
At a fundamental level, the more people who can potentially see personal customer information, the more comprehensive your PCI scope will be.
The general advice is to shrink the cardholder data environment as much as possible, permanently. If a department does not need card data, do not let it have card data. This approach reduces the scope of PCI compliance and dramatically reduces the chance of card information being exposed.
Ensure data is shared across protected networks and is always encrypted to prevent unnecessary departments from seeing the protected card information.
Limit the Type of Data Departments Can See
There may be some people or departments in your organization that need to see customer information. For example, marketing departments will be in a difficult position if they cannot analyze customer databases and see how certain groups are behaving.
Similarly, technical support teams may need some payment information to authenticate customers.
However, this information does not have to include the full card number. To decrease PCI scope, marketing departments and customer service advisors should only have access to truncated or masked card information.
Displaying card information truncated or masked lets these teams do their jobs without exposing the full PAN to them.
Apply Network Segmentation
Network segmentation is a powerful tool for limiting the scope of a PCI DSS audit. Storage and transmission of payment card data typically occur on only a small number of systems within the assessed entity's internal network.
If that network is flat, i.e., not segmented, every system is in scope because every system can communicate with, and therefore affect the security of, the account data. If you segment the network sufficiently, you can reduce the scope of the PCI assessment to the systems directly involved in processing account data.
The key to network segmentation is either to use physically separate networks, so that out-of-scope systems cannot reach the segmented ones at all, or to use logical segmentation such as VLANs with a correct configuration that prevents out-of-scope systems from connecting to the PCI scope.
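Whether the segmentation is physical or logical, the property an assessor checks is the same: no allow rule lets an out-of-scope network reach the CDE. The following added example (not from the original article) encodes that check for a simple rule list. The subnets, the rule format and the rule sets are constructed assumptions; the "weak" set shows a flat-network leftover that allows all of 10.0.0.0/8 into the CDE VLAN, and the "corrected" set allows only a hypothetical administrative jump-host subnet, which is itself a connected-to system and therefore stays in scope.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str     # source network, CIDR notation
    dst: str     # destination network, CIDR notation
    action: str  # "allow" or "deny"


# Constructed example topology: the CDE is one VLAN, the office/marketing
# VLANs are intended to be out of scope.
CDE_NETS = [ipaddress.ip_network("10.10.0.0/24")]
OUT_OF_SCOPE_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def overlaps(net, nets) -> bool:
    return any(net.overlaps(n) for n in nets)


def segmentation_violations(rules):
    """Return the allow rules that let an out-of-scope source reach the CDE.

    Any such rule pulls the source network back into PCI scope: a system that
    can connect to the CDE can affect its security. The check is deliberately
    order-insensitive (it ignores first-match semantics), which is the
    conservative reading when reviewing a rule set."""
    violations = []
    for r in rules:
        if r.action != "allow":
            continue
        src = ipaddress.ip_network(r.src)
        dst = ipaddress.ip_network(r.dst)
        if overlaps(src, OUT_OF_SCOPE_NETS) and overlaps(dst, CDE_NETS):
            violations.append(r)
    return violations


# Weak rule set: a flat-network leftover that lets every 10.x host into the CDE.
WEAK_RULES = [
    Rule("10.0.0.0/8", "10.10.0.0/24", "allow"),
    Rule("0.0.0.0/0", "10.10.0.0/24", "deny"),
]

# Corrected rule set: only the (hypothetical) admin jump-host subnet may reach
# the CDE; that subnet is a connected-to system and remains in scope.
CORRECTED_RULES = [
    Rule("10.30.0.0/28", "10.10.0.0/24", "allow"),
    Rule("0.0.0.0/0", "10.10.0.0/24", "deny"),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("corrected", CORRECTED_RULES)):
        print(name, "->", segmentation_violations(rules) or "no violations")
```

In practice the rule list would be exported from the firewall or VLAN ACLs rather than typed in, and the check should be rerun whenever the network changes, since scope drift usually enters through exactly this kind of rule.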
Limit Card Information with P2PE in Physical Stores
PCI compliance can be problematic in physical stores and retail outlets where customers freely hand over payment information. However, if your organization has a method for encrypting card details at the point of purchase, your physical PCI scope is kept to a minimum.
By adding a system that removes clear-text credit card information from the purchasing process, you effectively take four of the twelve PCI requirements off your plate.
PCI SSC lists and validates payment solutions approved as Point-to-Point Encryption (P2PE) solutions. These solutions leverage a secure Point of Interaction (POI) device to encrypt cardholder data.
Only the solution provider can decrypt the data; neither the merchant nor the merchant's payment application ever has access to unencrypted account data in transit or at rest.
To benefit from this scope reduction, the assessed entity must have no access to unencrypted account data or to the encryption keys. Such organizations are eligible to complete the P2PE SAQ, which provides the largest scope reduction available.
The PCI SSC also offers guidance on the use of, and the scope reduction provided by, encryption solutions that are not listed. Merchants using an encryption solution that is not a listed P2PE solution should work directly with their acquiring bank to determine the scope reduction it provides.
Use Tokenization
Tokenization, a process that exchanges payment information for a surrogate "token" that stands in for the card data, ensures that the sensitive data is kept securely in one place. By significantly reducing the number of locations where cardholder information is held, it considerably decreases the scope of an organization's PCI audit.
Tokenization replaces the Primary Account Number (PAN) with non-sensitive data that has no value to an attacker if it is stolen. This allows the entity to store the token for later use in card-on-file or recurring billing solutions.
Tokenization service providers must adhere to all applicable PCI DSS requirements for the generation of tokens and the storage of PAN data. Converting a token back to the PAN may only happen on the service provider's secure, PCI-validated systems.
Entities that use tokenization to reduce scope must ensure that it is implemented correctly: they must stop collecting and storing PANs, perform the quarterly data discovery for PAN, and replace any PAN they discover with a token.
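The properties that make tokenization a scope reducer are that a token is random rather than derived from the PAN, that the same PAN always maps to the same token (so card-on-file flows work), and that the only way back is a lookup on the provider's vault. The following added example, which is not code from the original article or from any tokenization product, shows a minimal in-memory vault with those properties. The HMAC index key, the in-memory storage and the "keep the last four digits" token format are assumptions; a production vault would hold the PAN column encrypted on the service provider's PCI-validated systems and keep the key in an HSM or KMS.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Minimal in-memory token vault (illustration only).

    Tokens are generated from a CSPRNG, so a stolen token reveals nothing
    about the PAN. An HMAC of the PAN is used as a lookup index so that the
    same card tokenizes to the same token without storing the PAN in the
    index itself."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key    # assumed HSM/KMS-managed secret
        self._token_to_pan = {}        # token -> PAN (encrypted at rest in practice)
        self._index_to_token = {}      # HMAC(PAN) -> token

    @staticmethod
    def _normalize(pan: str) -> str:
        digits = "".join(ch for ch in pan if ch.isdigit())
        if not 13 <= len(digits) <= 19:
            raise ValueError("not a PAN-length digit string")
        return digits

    def _index(self, digits: str) -> str:
        return hmac.new(self._index_key, digits.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return the token for pan, creating one on first use."""
        digits = self._normalize(pan)
        idx = self._index(digits)
        if idx in self._index_to_token:
            return self._index_to_token[idx]
        # Keep the last four digits (useful for customer service) and fill the
        # rest with random digits; retry on the (negligible) chance of a clash.
        while True:
            prefix = "".join(secrets.choice("0123456789") for _ in range(len(digits) - 4))
            token = prefix + digits[-4:]
            if token != digits and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = digits
        self._index_to_token[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Map a token back to the PAN; only the vault can do this."""
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault(b"constructed-demo-key")          # constructed key, not for real use
    tok = vault.tokenize("4111 1111 1111 1111")          # published test card number
    print("merchant stores:", tok)
    print("same card again:", vault.tokenize("4111111111111111") == tok)
    print("vault resolves:", vault.detokenize(tok))
```

The merchant side of this design keeps only `tok`; everything that touches `detokenize` sits with the tokenization provider, which is exactly the boundary the text above draws between the merchant's reduced scope and the provider's PCI-validated systems.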
Outsource Systems or Processes
Many organizations choose to work with third parties whose systems process the payment information on their behalf. Outsourcing leverages the service provider's expertise in keeping the data safe: for a fee, the handling of sensitive payment data is transferred to a PCI DSS specialist who knows how to store and transmit it.
Outsourcing is also a widespread technique, especially on e-commerce platforms. It can be thought of as physical segmentation, because you hand some or all of your payment paths to a third party.
The most important thing to remember about outsourcing is that you cannot outsource responsibility for compliance. As a merchant, you remain ultimately responsible for protecting cardholder data and must ensure that all relevant third parties fully comply with the applicable requirements.
Outsourcing specific portions of your CDE or cardholder data flow reduces both the scope and the total PCI burden. Common examples are managed firewall services, log monitoring and management, server hosting facilities, and payment solutions delivered as Software as a Service (SaaS).
It’s worth noting that PCI DSS compliance of third-party service providers must be verified, and you must do due diligence as required by PCI DSS requirement 12.8.
Get Qualified Support
There are several more subtle techniques for reducing your PCI scope, but most of them depend on your particular payment channel and network infrastructure, for example whether access to the environment is controlled through jump servers, or whether several payment channels are consolidated onto a single platform.
The trick is to determine which techniques can significantly reduce scope in your case. This is where consultants and PCI QSAs add value: by analyzing your specific situation, including your infrastructure and business objectives, they can identify the most appropriate techniques to narrow your scope and maintain compliance.
You can refer to the “PCI DSS Scoping and Segmentation” guidance published by PCI SSC for detailed information.