Almost all organisations that implement the Payment Card Industry Data Security
Standard (PCI DSS) struggle with the scope of the applicability of the Standard.
Even veterans of PCI DSS compliance can struggle with scope creep over time as an organisation’s networks evolve.
So, it should be no surprise that scope reduction is one of the most effective and practical
ways of ensuring you continue to comply with the PCI DSS. The focus of this blog is to
look at a number of the most common scope reduction techniques which can help you to reduce the time, money, and resource burden of meeting PCI DSS requirements.
This first technique is the obvious first step for organisations looking to reduce scope. Whilst it is not a requirement of the PCI DSS, network segmentation is highly recommended by the PCI Security Standards Council (SSC) and virtually every PCI QSA!
The key with network segmentation is to either have separate physical networks to prevent any possibility of segmented systems coming into scope or if you are using logical segmentation (such as VLANs) to ensure a correct configuration that prevents out-of-scope systems from connecting to in-scope ones.
This is also a very common technique, especially with e-commerce platforms. This could be considered a form of physical segmentation as you simply outsource part or all the payment channel to a third party.
The important thing to remember with outsourcing is that you cannot outsource responsibility for compliance. As a merchant, you are ultimately responsible for protecting the cardholder data and must ensure that any third parties involved are fully compliant with any relevant requirements.
Encryption may not appear to be a scope reduction technique at first glance, as it is usually seen as a security control; however, in the opinion of the PCI SSC and many PCI QSAs, it is one of the best methods for reducing scope.
In simple terms, if you encrypt the cardholder data everywhere within your systems, whether it is at rest (stored) or in transit (being transmitted) then any system or device that cannot decrypt the data can ‘most likely’ be considered out of scope. You do need to be careful, however, that any system or device deemed to be out of scope is not providing security services to another in-scope system or device.
4: Data removal
It may be stating the obvious, but if you remove any stored cardholder data, you will reduce your PCI DSS scope. Many organisations, however, do overlook this potential solution. The advice from the PCI SSC is very straight forward – If you don’t need it, don’t store it.
The difficult part in removing cardholder data is ensuring you have located all of it! In older environments, cardholder data has a way of finding itself in all sorts of unexpected places such as text files, log files, memory dumps, application logs, legacy databases, backups etc etc.
5: Enlist qualified support
There is a host of more subtle techniques for reducing scope, but a lot of these will vary according to your specific payment channel and network infrastructure, e.g. whether network jump-boxes are used to control access or whether payment channels are consolidated onto a single platform.
The tricky bit is determining whether the different techniques will reduce scope significantly enough to be worthwhile. That’s where consultants and PCI QSAs can add value by analysing your specific situation (e.g. infrastructure and business objectives) and identifying the most appropriate techniques for reducing your scope and ensuring you remain compliant!