5 Ways to Reduce Your PCI DSS Scope

Alastair Stewart | Senior Consultant at URM | Published on 9 Aug 2022

Almost all organisations that implement the Payment Card Industry Data Security Standard (PCI DSS) struggle to determine the scope to which the Standard applies. Even veterans of PCI DSS compliance can struggle with scope creep over time as an organisation's networks evolve.

So, it should be no surprise that scope reduction is one of the most effective and practical ways of ensuring you continue to comply with the PCI DSS. This blog looks at a number of the most common scope reduction techniques, each of which can help you to reduce the time, money and resource burden of meeting PCI DSS requirements.

1: Segmentation

Segmentation is the obvious first step for organisations looking to reduce scope. Whilst it is not a requirement of the PCI DSS, network segmentation is highly recommended by the PCI Security Standards Council (SSC) and by virtually every PCI QSA! The key with network segmentation is either to use separate physical networks, so that there is no possibility of segmented systems coming into scope, or, if you are using logical segmentation (such as VLANs), to ensure the configuration actually prevents out-of-scope systems from connecting to in-scope ones.

2: Outsourcing

This is also a very common technique, especially with e-commerce platforms. It could be considered a form of physical segmentation, as you simply outsource part or all of the payment channel to a third party. The important thing to remember with outsourcing is that you cannot outsource responsibility for compliance. As a merchant, you are ultimately responsible for protecting the cardholder data and must ensure that any third parties involved are fully compliant with all relevant requirements.

3: Encryption

Encryption may not appear to be a scope reduction technique at first glance, as it is usually seen as a security control; however, in the opinion of the PCI SSC and many PCI QSAs, it is one of the best methods for reducing scope. In simple terms, if you encrypt the cardholder data everywhere within your systems, whether at rest (stored) or in transit (being transmitted), then any system or device that cannot decrypt the data can 'most likely' be considered out of scope. You do need to be careful, however, that any system or device deemed to be out of scope is not providing security services (for example, authentication or key management) to an in-scope system or device, because that would bring it back into scope.

4: Data removal

It may be stating the obvious, but if you remove any stored cardholder data, you will reduce your PCI DSS scope. Many organisations, however, overlook this potential solution. The advice from the PCI SSC is very straightforward: if you don't need it, don't store it. The difficult part in removing cardholder data is ensuring you have located all of it! In older environments, cardholder data has a way of finding its way into all sorts of unexpected places, such as text files, log files, memory dumps, application logs, legacy databases, backups and so on.
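To illustrate the "locate all of it" step, here is an added example of a small cardholder data discovery scan written for this article; it is not URM's tooling or code from the original post. It walks a directory tree, pulls out 13 to 19 digit runs (allowing the spaces and hyphens people type into card numbers), keeps only those that pass the Luhn checksum so that order numbers and timestamps are filtered out, and reports each finding masked to first six and last four digits so the report itself never becomes another copy of the cardholder data. The sample files (an order log, a CSV, a "legacy" binary dump and a clean file) are constructed inline so it runs offline; the two card numbers used are the well-known 4111... and 5555... test numbers, not real PANs.

```python
"""Cardholder data discovery scan (added example, not from the original blog)."""
import os
import re
import tempfile

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded inside a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: true for every genuine PAN, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits so the findings report holds no full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return the distinct Luhn-valid PANs (digits only) found in a block of text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits) and digits not in found:
            found.append(digits)
    return found


def scan_tree(root: str, max_bytes: int = 10_000_000) -> dict:
    """Walk a directory; map each file (relative path, '/' separators) to masked PANs."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue
            # Logs, CSVs and memory dumps alike: decode leniently and scan as text.
            pans = find_pans(data.decode("utf-8", errors="ignore"))
            if pans:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits[rel] = [mask_pan(p) for p in pans]
    return hits


def demo_scan() -> dict:
    """Build a constructed sample tree in a temp dir and scan it (offline demo)."""
    samples = {  # constructed sample content; card numbers are standard test numbers
        "orders.log": b"2022-08-09 12:00:01 order=100045 card=4111 1111 1111 1111 auth=OK\n",
        "app.csv": b"id,name,phone,ref\n1,Jane,07700 900123,1234567890123456\n",
        "backup/legacy.dmp": b"\x00\x00PAN:5555555555554444\x00\xff\xfe",
        "clean/readme.txt": b"No card data here.\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for path, masked in demo_scan().items():
        print(f"{path}: {', '.join(masked)}")
```

In the constructed sample the order number, the timestamp, the phone number and the Luhn-invalid reference 1234567890123456 are all ignored, while the card number in the log line and the one buried in the binary dump are reported. A Luhn match is still only a candidate (some internal identifiers are Luhn-checked too), so each hit needs confirming before the data is removed, and a real discovery exercise would also cover databases and backups that are not simply files on disk.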

5: Enlist qualified support

There is a host of more subtle techniques for reducing scope, but a lot of these will vary according to your specific payment channel and network infrastructure, e.g. whether network jump-boxes are used to control access or whether payment channels are consolidated onto a single platform. The tricky bit is determining whether the different techniques will reduce scope significantly enough to be worthwhile. That’s where consultants and PCI QSAs can add value by analysing your specific situation (e.g. infrastructure and business objectives) and identifying the most appropriate techniques for reducing your scope and ensuring you remain compliant!

Alastair Stewart, Senior Consultant at URM, is one of the most experienced and proficient Payment Card Industry Qualified Security Assessors (PCI QSAs) in the UK. He has completed in excess of one hundred successful Reports on Compliance (RoCs) against different PCI DSS versions, along with supporting the completion of self-assessment questionnaires (SAQs).
