The journey towards PCI compliance is not always straightforward. The PCI compliance process is oftentimes very costly and requires a lot of resources. A lot of organizations also struggle to understand what systems need to be protected and have to fulfill the requirements in PCI DSS. Defining scope is a critical process in PCI DSS. So how do you define PCI scope? And are there ways to reduce it?
PCI DSS compliance process
The security standard PCI DSS applies to all entities that store, process, and/or transmit cardholder data. The PCI SSC (Payment Card Industry Security Standards Council) lists the following steps in the compliance process.
The first step in the PCI DSS process is to determine which components and networks are in scope for PCI DSS. The PCI scoping exercise should be done annually and prior to any PCI DSS assessment.
What is PCI scope?
PCI scope is how the PCI Council defines what parts of your environment have to meet the requirements of PCI DSS. What is defined as being in scope for PCI DSS are: all the system components that are connected to or located within the cardholder data environment (CDE).
According to PCI DSS, the cardholder data environment is comprised of people, processes, and technology that handle cardholder data or sensitive authentication data. What does handle mean in this case? In the PCI DSS world, handle means to Store, Process and/or Transmit cardholder data. What this means is that if your company has assets that store, process or transmit payment card data – they are in scope. The first step towards PCI compliance is about accurately identifying system components that store, process or transmit payment card data.
How do you determine what is in scope for PCI DSS?
Best practice when it comes to determining what is in scope is to assume that everything is in scope until it is confirmed as otherwise. Start by identifying flows of cardholder data, as well as locations of cardholder data. You should also identify all system components that are connected to the cardholder data environment. System components could be things like servers and applications, as well as virtualized components such as virtual machines, routers and virtual applications.
- Systems located within the Cardholder Data Environment (CDE) are in scope, regardless of their functionality or reason why they are in the CDE.
- Systems that connect to a system in the Cardholder Data Environment are in scope, regardless of their functionality or reason why they have connectivity to the CDE.
- In a flat network, all systems are in scope if any single system stores, processes, and/or transmits account data.
A common mistake a lot of companies make is to believe that everything that is not cardholder data environment is out of scope. This is not always the case. A component might not be connected to the cardholder data environment and still be in scope. The golden rule here is if an excluded component, if compromised, could still impact the security of the CDE – they must be included in the scope.
For a more step-by-step guide to scoping, we recommend following the scoping exercise as outlined below by the PCI council.
When is a system out of scope?
A system is out of scope when it is fully isolated from the Cardholder Data Environment, to the extent that even if that particular system component were compromised, it would not impact the security of the CDE.
How do you reduce PCI DSS scope?
The more processes, systems and the more complex your IT-environment is, the more costly and difficult it becomes to reach and maintain PCI compliance. For this reason, once you have identified what systems are in scope, you should try to reduce your scope.
Reducing PCI DSS scope should be a priority for your company as it can reduce compliance and operational costs, as well as reduce the risk of breaches.
There does not exist a technology that can completely eliminate all PCI DSS requirements, but there are methods that can considerably simplify PCI scope.
Network segmentation means isolating the cardholder data environment from the rest of the company’s network. The purpose of network segmentation is to prevent systems that are out-of-scope from communicating with, or impact the security of systems in the cardholder data environment.
Tokenization is the process of converting sensitive data into non-sensitive data. This method can significantly reduce your PCI scope because tokenized data is not considered as being cardholder data. Tokenization replaces cardholder data with an “alias” aka a separate random-generated value called a token. The token is indecipherable, which means it has no value to criminals in the event of a hacker attack. By having tokenized data flow through your systems, you avoid bringing them in scope. No card data resides in the cardholder data environment.
Point-to-Point Encryption (P2PE)
P2PE is a method that protects payment data against theft, and is a recommended data protection method for any merchant. P2PE solutions encrypt payment card data at point of interaction (for example swipe of a payment card) until the point that it reaches the solution provider’s decryption environment. The data is indecipherable during the transaction process, which protects transactions and prevents hacking, theft and fraud. Merchants who use P2PE solutions are subject to fewer PCI requirements. You can find a list of P2PE solutions and service providers here.
Using a PCI compliant vendor will also reduce your PCI scope. By choosing a solution that is PCI certified, or even moving your IT-environment to a PCI DSS compliant cloud-hosting platform, you will automatically meet some of the requirements in the regulation. In some cases even to the extent where you might only have to fill out a SAQ (Self Assessment Questionnaire) or a short Report on Compliance and provide the third party vendor’s ROC. This can reduce costs related to compliance, and also minimize effort and resources required to meet the requirements in PCI DSS.
When considering outsourcing the hosting of your application, it’s important to evaluate cost and security. How much will you save on outsourcing? Also, you have to ensure that the security level of the vendor is equally stringent or more stringent than the security level of your organization.
PCI DSS isn’t easy
The security requirements in PCI DSS are not always completely straightforward, and to understand which system components are in scope and which are not, is an ongoing task. PCI DSS is not easy, but thankfully there are solutions that can make your journey towards a PCI DSS certification a lot easier.