By Viviana Wesley – PCI QSA, ISO 27001 Auditor, CISM and Jason Maiden – CISSP, PCI-QSA, PMP, ISO Lead Auditor
We’ve talked about the importance of determining your organization’s PCI DSS scope. Equally important is reducing that scope. Reducing your PCI DSS scope means minimizing the number of systems, people, processes, and technologies that have exposure to your cardholder data environment (CDE) and cardholder data (CHD). Just as you strive to minimize your organization’s attack surface for greater security, you should aim to shrink the footprint of your CDE. Some of the reasons for PCI DSS scope reduction include:
- Lower compliance costs: Fewer systems in scope means less time and money spent securing, documenting, and auditing those systems.
- Reduced risk: Fewer systems exposed to cardholder data means a smaller attack surface for potential security incidents.
- Simplified compliance: A smaller CDE makes it easier to meet PCI DSS requirements and maintain ongoing compliance.
- Less operational complexity: Systems that don’t handle cardholder data face fewer restrictions and can operate with more flexibility.
How to Reduce Your Scope
It sounds simple, but reducing your PCI DSS compliance scope can be complicated: it takes strategic decision making and time to complete. The more you reduce the scope of compliance, the more you reduce the burden of PCI DSS compliance on your organization.
When it comes to reducing the scope of PCI DSS compliance, organizations have several options that should be considered. These options are not mutually exclusive and can be combined to address PCI DSS compliance obligations and/or reduce the environment that the PCI DSS requirements apply to. Don’t forget, all credit card acceptance channels need to be considered when reducing scope. Currently, organizations that have PCI DSS compliance obligations can reduce scope in the following ways:
- Network segmentation, that is, isolating the cardholder data environment from the remainder of an entity’s corporate network, is not a PCI DSS requirement; however, it is strongly recommended as a method that may reduce the following (bear in mind that segmentation only reduces scope if it is effective, and PCI DSS requires segmentation controls to be verified by penetration testing when they are relied on for scope reduction):
- The risk of an organization (reduced by consolidating cardholder data into fewer, more controlled locations)
- The cost and difficulty of implementing and maintaining PCI DSS controls
- The scope of the PCI DSS assessment
- The cost of the PCI DSS assessment
- Eliminate or change business processes so that they no longer store, process or transmit cardholder data (not always possible, depending on business needs). If you don’t need it, don’t store it: remove stored cardholder data from systems where there is no business need to retain it
- Outsource cardholder data functions to PCI DSS compliant third-party service providers (TPSPs) to shift much of the compliance burden away from your organization (full or shared outsourcing will affect which PCI DSS requirements remain the organization’s responsibility). Don’t forget, you are still responsible for ensuring that all your third-party service providers are PCI DSS compliant, and for documenting which requirements each provider manages on your behalf
- Use a PCI SSC listed Point-to-Point Encryption (P2PE) solution to ensure that your system and networks never see unencrypted data
- Use imprint machines or standalone dial-out terminals with no electronic storage of cardholder data (yes, older technology is more secure in this case, because it is not on a network that can be attacked)
- Use standalone, PCI PTS-approved payment terminals with an IP connection to the payment processor and no electronic storage of CHD
- Enter a single transaction at a time into an Internet-based virtual payment terminal that is provided and hosted by a PCI DSS validated third-party service provider
Another option is to replace card numbers with tokens that cannot be reversed without access to a secure tokenization system. Tokenization replaces the primary account number (PAN, the card number itself) with a non-sensitive surrogate value, the token, that has no exploitable value if breached. When the tokenization system is managed by a compliant third-party service provider, this can greatly reduce the risk to an organization that used to store cardholder data itself. In this case, a tokenization integration replaces PANs with tokens before the data is stored or shared with other systems. Systems that store only tokens, have no access to the original cardholder data AND cannot reverse the token can then be considered out of scope for PCI DSS. Two caveats apply: the token must not be derivable from the PAN (a random value mapped to the PAN inside the vault, not a plain hash of the PAN, which can be brute-forced because the space of valid card numbers is small), and a token that can itself be used to initiate a payment has value of its own and does not take the system holding it out of scope.
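The following is an added example, not code from the original article or from any tokenization vendor, of what that paragraph describes: a minimal tokenization vault that issues random tokens, refuses to detokenize for callers outside an allowed role, and a demonstration of why a plain hash of the PAN is not an acceptable token. All names (`TokenVault`, `crack_hashed_token`, the role names) are hypothetical, an in-memory dict stands in for the vault’s encrypted database, and the test card number 4111 1111 1111 1111 is a constructed input.

```python
"""Added example (not from the original article): a minimal tokenization vault
and a demonstration of why a token must be random rather than derived from the
PAN. All names are hypothetical; an in-memory dict stands in for the vault's
encrypted database."""
import hashlib
import secrets
from typing import Dict, Optional


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation, used to reject garbage before tokenizing."""
    digits = [int(c) for c in pan]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:          # every second digit counted from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical tokenization service. This component, and only this
    component, stores PANs, so it lives inside the CDE. Callers outside the
    CDE only ever see tokens."""

    # Roles allowed to recover a PAN; every other caller gets tokens only.
    DETOKENIZE_ROLES = {"payment-gateway"}

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}   # production: PAN encrypted at rest
        self._token_by_pan: Dict[str, str] = {}   # production: keyed by an HMAC of the PAN

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        existing = self._token_by_pan.get(pan)
        if existing is not None:
            return existing          # same card -> same token, so downstream matching still works
        # Random token: no mathematical relationship to the PAN, so it is
        # worthless to an attacker who does not also control this vault.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def last4(self, token: str) -> str:
        """Last four digits for receipts and customer support screens."""
        return self._pan_by_token[token][-4:]

    def detokenize(self, token: str, caller_role: str) -> str:
        if caller_role not in self.DETOKENIZE_ROLES:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._pan_by_token[token]


def naive_hash_token(pan: str) -> str:
    """The anti-pattern: an unkeyed SHA-256 of the PAN. Deterministic and
    computable by anyone, so it can be reversed by enumeration."""
    return hashlib.sha256(pan.encode()).hexdigest()


def crack_hashed_token(hashed: str, known_prefix: str, known_last4: str) -> Optional[str]:
    """Recover a PAN from a naive hash when the attacker knows the leading
    digits (the BIN) and the last four (e.g. from a receipt). With four
    unknown digits this is 10,000 candidates; six unknown digits is still
    only 1,000,000 hashes, which is trivial."""
    unknown = 16 - len(known_prefix) - len(known_last4)
    for middle in range(10 ** unknown):
        candidate = f"{known_prefix}{middle:0{unknown}d}{known_last4}"
        if luhn_valid(candidate) and naive_hash_token(candidate) == hashed:
            return candidate
    return None


def demo() -> dict:
    """Constructed walk-through using the well-known test PAN 4111 1111 1111 1111."""
    vault = TokenVault()
    pan = "4111111111111111"
    token = vault.tokenize(pan)
    # An order system outside the CDE keeps only this record: no PAN present.
    order = {"order_id": 1001, "card_token": token, "last4": vault.last4(token)}
    try:
        vault.detokenize(token, caller_role="order-system")
        order_system_can_detokenize = True
    except PermissionError:
        order_system_can_detokenize = False
    return {
        "order": order,
        "pan_in_order_record": pan in str(order),
        "order_system_can_detokenize": order_system_can_detokenize,
        "gateway_recovers_pan": vault.detokenize(token, "payment-gateway") == pan,
        "naive_hash_cracked": crack_hashed_token(naive_hash_token(pan), "41111111", "1111"),
    }


if __name__ == "__main__":
    print(demo())
```

The two halves make the scoping argument concrete: the order record holds a token and the last four digits only, and its owning role cannot call `detokenize`, so that system never touches CHD; the `crack_hashed_token` function shows that a deterministic, unkeyed transform of the PAN is not a token in the sense the paragraph means, because the PAN space is small enough to enumerate.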
If you are unfamiliar with tokenization or any of the technologies, practices, or policies that can help your organization to reduce its PCI DSS scope, then contact HALOCK Security Labs. Our PCI DSS compliance experts and QSAs can guide you through identifying your existing scope, risk factors and options for scope reductions in ways that make sense for your business needs.