Scope and Applicability Definition
The Payment Card Industry Security Standards Council (PCI SSC) defines scoping as “the process of identifying all system components, people, and processes to be included in a PCI DSS assessment to accurately determine the scope of assessment.” It is essential that your organisation is able to conduct this process as accurately as possible and an incorrect assessment can lead to security controls being applied above and beyond what is necessary or security controls not being applied systems that should be in scope of the standard. URM’s consultants are able to work with you and help determine the correct assessment scope from which you can proceed to analyse the applicability and necessity of each PCI DSS control requirement.
In order to assist merchants and service providers validate compliance with the PCI DSS, the PCI SSC has developed and made available a number of self-assessment questionnaires (SAQs), each of which are applicable to a specific payment scenario. The 8 SAQs are aimed at those qualifying merchants and service providers that are not required to undergo an on-site data security assessment nor submit a report on compliance (ROC).
Choosing the right SAQ is critical, as incorrect submissions can invalidate your compliance and expose your organisation to greater risk of payment card data breaches. The time and effort involved in completing the different SAQs can also vary considerably. URM’s consultants can assist in advising which SAQ is most applicable to your organisation. They can also provide invaluable assistance in assessing whether there may be opportunity to reduce the scope of your cardholder data environment, resulting in you having to complete a less onerous SAQ.
The best and most cost-effective approach to achieving compliance with the PCI DSS is to reduce the scope of your cardholder data environment. By limiting where card information is held and processed within your organisation, it is possible to both reduce the likelihood of a payment card breach occurring, and also to significantly reduce the costs and efforts of maintaining and validating your compliance programme. URM’s consultants can advise you on how your PCI DSS scope can be reduced using a variety of techniques and will explain the benefits and drawbacks of the different options available to your unique environment and situation. All of URM’s proposed scope reductions are totally vendor agnostic and do not involve any specific vendor solutions or technologies. For organisations that require additional guidance, URM can provide unbiased remediation and solutions advice that leverage existing technology investments.